That was the name of a paper delivered today at the 25th Annual Chaos Communication Congress in Berlin (summary, PDF). The geeky trope “considered harmful” doesn’t quite convey how serious this is; the equally geeky, equally tropey “be afraid, be very afraid” might’ve been a bit better.
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
Then again, “real” certs foster trust in criminal conspiracies pillars of the financial community; are spoofed certs going to, say, cost us $700 billion? If not, who cares?
Nice pic...

...but—contrary to current fad and fancy—infographics are never worth a thousand words. (On the latter, see also: “Against Tufte, (public) note 00001,” “Electric Kool-Aid; or, Against Tufte, [public] note 00002.”)