In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.
This past week, an Iranian hacker managed to obtain fraudulent HTTPS certificates. Using these certificates (and passing them on to the Iranian government), the certificate holders were able to “snoop” on the supposedly secure internet activity of everyday users. The implications of such a hack on both the present and future of the internet, and potentially internet law, are manifold.
HTTPS certificates are what allow us to interact across the internet securely. When you buy something on Amazon, the page where you enter your credit card information goes from “http://” to “https://”, and, depending on your browser, a lock or key will appear to inform you that your online session is secure. HTTPS is meant to create a secure channel between a user and the server so that eavesdroppers and others cannot intercept or monitor the communication between these two sites. The fundamental element of this system is that the data exchange from user to server only travels on “secured” paths, hopping from secured node to secured node until the data reaches its destination. As long as each node has a trusted certificate, secured information can travel across it in the same way that travelers can transfer flights to their hearts’ content without having to pass through security again (subject to some exceptions).
HTTPS has been used as the essential building-block for security on the internet, and the compromise of HTTPS has sent shockwaves throughout the industry because of the implications it could have on internet security, cyber-snooping, and data breach. As confidential information is being moved into the cloud, HTTPS was the primary method of securing that information. While the system has hardly been permanently breached, and while this incident could provide notice on ways to fix the system, this serves as another example of hackers managing to stay one step ahead of security experts. Even as security mechanisms develop, companies will have to remain wary of putting confidential information online, and consumers will have to make sure that they update their browsers to have the most up-to-date security.