Official says government is helpless against fraudulent website certificates

Many of the companies responsible for reassuring Web users that sites are authentic operate outside federal agencies' jurisdiction.

A White House official on Friday said fraudulent websites that present valid-looking security certificates in order to steal money or personal information are a danger the government is powerless to control.

The comment from Andrew McLaughlin, White House deputy chief technology officer for Internet policy, came during a panel discussion on emerging threats to e-commerce and other online transactions hosted by Washington think tank the New America Foundation. Increasingly, all parties involved in online dealings rely on information from companies and countries whose Internet policies are beyond the federal government's jurisdiction. The participants include Internet users; websites, such as IRS.gov; browser makers, such as Google with Chrome; and certifying agents, such as VeriSign, which vouch that websites and people exchanging information are who they claim to be. These certificate authorities sometimes issue certificates, by mistake or by design, that vouch for malicious websites, and a browser that trusts the authority will trust the site.

"We are looking at a multijurisdictional, multistakeholder problem for which there is no governmental solution," said McLaughlin, a former Google executive. Addressing the situation depends on browsers, certificate authorities and transaction websites such as online banks that operate in different countries with varying regulations. Room for mischief is great when certificate authorities are subject to governmental regimes that are devious, repressive, or participating in an attack on foreign Internet infrastructures, he said.

"Because of the multijurisdictional and multistakeholder nature of the problem, government can't fix it and government shouldn't fix it," McLaughlin said. "You wouldn't want government to try to be your front line. We have a history of screwing things up."

Google software engineer Adam Langley, who participated in the discussion, said his company is more willing than other browser makers to be aggressive in deploying new technologies to thwart imposters or certificate errors.
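The trust relationship described in the paragraphs above, and the kind of browser-side check Langley's remark alludes to, as an added example that is not part of the original article and is not Google's or any certificate authority's code: the Go program below, written here for illustration, builds an honest root CA and a compromised one, has each sign a certificate for the host name the page mentions, irs.gov (the CA names, the pinned key and the use of that host are constructed for the example), and shows that ordinary chain validation accepts the mis-issued certificate for as long as the rogue CA remains in the trust store. The pin check is one technique a browser can layer on top of CA validation, assumed here rather than described on the page, and trimming the CA out of the store is what "chopping off" a bad authority amounts to in code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must aborts on error; in this example the only failure mode is a broken RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key and certificate for name. With issuer nil it builds a
// self-signed CA; otherwise the issuer signs a server certificate for host name.
// All material is constructed on the fly; no real CA or site is involved.
func newCert(name string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if issuer == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// chainValid is the check every browser performs: the leaf names the host and
// chains to some CA in the trust store; which CA does not matter.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the leaf's SubjectPublicKeyInfo, what a key pin records.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinValid layers a pin on chain validation: a certificate from a trusted CA is
// still rejected unless its key matches the pin recorded for host.
func pinValid(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	return chainValid(leaf, roots, host) && spkiPin(leaf) == pin
}

// Outcome records what each check says about the genuine and the mis-issued leaf.
type Outcome struct {
	GenuineChain bool // genuine leaf, both CAs trusted: chain check
	RogueChain   bool // mis-issued leaf, both CAs trusted: chain check
	RoguePin     bool // mis-issued leaf, both CAs trusted: chain check plus pin
	RogueUntrust bool // mis-issued leaf once the rogue CA is removed from the store
}

// runScenario builds an honest CA and a rogue CA, has each issue a certificate
// for host, and runs the checks with and without the rogue CA in the trust store.
func runScenario(host string) Outcome {
	goodCA, goodKey := newCert("Honest Root CA", nil, nil)
	rogueCA, rogueKey := newCert("Compromised Root CA", nil, nil)
	goodLeaf, _ := newCert(host, goodCA, goodKey)
	rogueLeaf, _ := newCert(host, rogueCA, rogueKey) // mis-issued for the same host
	both := x509.NewCertPool() // trust store that still contains the rogue CA
	both.AddCert(goodCA)
	both.AddCert(rogueCA)
	onlyGood := x509.NewCertPool() // trust store after the rogue CA is chopped off
	onlyGood.AddCert(goodCA)
	pin := spkiPin(goodLeaf) // the key the browser previously saw for host
	return Outcome{
		GenuineChain: chainValid(goodLeaf, both, host),
		RogueChain:   chainValid(rogueLeaf, both, host),
		RoguePin:     pinValid(rogueLeaf, both, host, pin),
		RogueUntrust: chainValid(rogueLeaf, onlyGood, host),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario("irs.gov")) // GenuineChain and RogueChain true, the rest false
}
```

Run it with `go run`. The point to take from it is that x509 chain validation, in Go as in a browser, asks only whether some trusted root signed the chain; one mis-issued certificate from any authority in the store is therefore indistinguishable from the real thing until a check outside the CA system, such as the pin, or removal of the authority itself, intervenes.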

But people frequently ignore browser safeguards. Langley said when a browser alert asks users a question or offers a warning about accessing a questionable site, they often close the message and proceed to finish their tasks or make their purchases.

There is no established process for removing certificate authorities that mistakenly or maliciously vouch for a website's authenticity. "We don't necessarily have the processes or policies in place that allow us to grade the CAs who are in that bottom 10 percent that we maybe want to chop off, so that's a challenge," said Scott Rea, a senior software architect at DigiCert, a certificate authority. But he disagreed with panelists who said the situation is a race to the bottom in which the Internet is at risk of massive attacks by imposters.

Answers to the dilemma do exist, such as new secure domain name systems and digital identity standards, according to some experts on the panel.

Only in the last couple of years did the issue of false certificates become pressing -- and that was because research into the area increased, as did the number of technological protections, said Andy Steingruebl, a security manager for the online payment service PayPal.

Ari Schwartz, senior Internet policy adviser at the National Institute of Standards and Technology, disclosed the Homeland Security Department recently simulated certificate authority attack scenarios to test defense strategies.

"There has been a lot of talk about these kinds of attacks as real life examples of what could go terribly wrong if not taken care of and if we don't have solutions for [them]," said Schwartz, who recently joined the Obama administration after serving as an executive at the nonprofit Center for Democracy and Technology, a privacy group.
