The Changing Threat Model
Having identified what happened, the next step we must take is to re-evaluate our threat model.
Internet security is much harder than other areas because the Internet is constantly changing and user tolerance of security controls is very low. Unlike the military, we cannot order people to follow security procedures. Acceptability must be a top priority in the design of a civilian security control or it will not be used.
The SSL security mechanism used in browsers was originally designed to enable use of credit cards to buy goods from online merchants. While other applications and use cases were discussed, these were not allowed to drive requirements. Over fifteen years later, the Internet is now seen as the driving force behind a wave of popular revolts across North Africa and the Gulf. The use cases have changed and so we must revise our threat model.
In academic research the tendency is to be skeptical and suggest the least surprising cause. What matters here is not determining the actual perpetrator or the actual motive for the attack but the plausible perpetrators and the plausible motives. We do not know with certainty who the perpetrator was, it is highly unlikely that we will ever know. What matters to prevent the next attack is to identify the range of plausible perpetrators and plausible motives.
Circumstantial evidence suggests that the attack originated in Iran. The original certificate requests were received from an Iranian IP address and one certificate was installed on a server with an Iranian IP address. While the circumstances strongly suggest an Iranian connection we do not know if this is because the attacker was from Iran or because this is the conclusion the attacker intended us to make.
Circumstances also suggest that the motive of the attack was not financial. While there are certainly ways in which the attack could have resulted in a financial gain, it is hard to see how the perpetrator could have expected the attack to provide an easier, safer or more profitable return for their effort. The hard part of bank fraud is extracting money from the account. Stolen credit card numbers and bank account details are a glut on the market.
To make use of the fraudulently issued certificates, the perpetrator would have to have the ability to direct Internet users to their fake sites rather than the legitimate ones. This in turn requires control of the DNS infrastructure which requires government level resources to achieve on a large scale or for an extended period.
Taken together with other recent attacks against other targets, both reported and unreported it appears likely that this incident forms part of a pattern of attacks on Internet authentication infrastructure and that it is at least highly likely that the perpetrator(s) are highly sophisticated and government directed.
It is quite possible to explain one or another of the incidents seen as being the work of independent ‘hactivists’. But taken as a whole the pattern suggests otherwise. If we are going to successfully address this threat we must assume that our adversaries are nationally funded information engagement teams and that the resources they bear will be significant.
In order to successfully defeat such a threat however, we need to adopt a defense in depth approach. We must reinforce the Internet trust infrastructure but we must also reinforce the means by which applications interact with it. The underlying weakness exposed here is the fact that gaining a fraudulent server credential allows an attacker to obtain end user access credentials. We need to make it more difficult for an attacker to obtain a fraudulent server credential, but we also need to address the underlying weaknesses in the applications and services that use them.
Efforts to reinforce the Internet trust infrastructure were already underway before this particular attack was discovered and these will be explained in the next post. In the post following that I will look at measures to address the underlying cause.