These hidden layers are in every machine, usually out of sight and long forgotten. But they can do amazing things with their access.
Encryption's weak link No. 8: Backdoors aplenty
Sometimes programmers make mistakes. They forget to check the size of an input, or they skip clearing the memory before releasing it. It could be anything. Eventually, someone finds the hole and starts exploiting it.
Some of the most forward-thinking companies release a steady stream of fixes that never seems to end, and they should be commended. But the relentless surge of security patches suggests there won't be an end anytime soon. By the time you've finished reading this, there are probably two new patches for you to install.
Any of these holes could compromise your encryption. An exploit could patch the file and turn the algorithm into mush. Or it could leak the key through some other path. There's no end to the malice that can be caused by a backdoor.
Encryption's weak link No. 9: Bad random-number generators
Most of the hype around encryption focuses on the strength of the encryption algorithm, but this usually glosses over the fact that the key-selection algorithm is just as important. Your encryption can be superstrong, but if the eavesdropper can guess the key, it won't matter.
This is important because many encryption routines need a trustworthy source of random numbers to help pick the key. Some attackers will simply substitute their own random-number generator and use it to undermine the key choice. The algorithm remains strong, but the keys are easy to guess by anyone who knows the way the random-number generator was compromised.
Encryption's weak link No. 10: Typos
One of the beauties of open source software is that it can uncover bugs -- maybe not all of the time but some of the time.
Apple's iOS, for instance, had an extra line in its code: goto fail. Every time the code wanted to check a certificate to make sure it was accurate, the code would hit the goto statement and skip it all. Oops.
Was it a mistake? Was it put there on purpose? We'll never know. But it sure took a long time for the wonderful "many eyes" of the open source community to find it.
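An added illustration of the control-flow defect the passage describes, constructed here and not taken from Apple's code or from the original article: the duplicated goto in the buggy version jumps to the exit with the error code still zero, so the signature check never runs, while the corrected version rejects a bad signature. Function names, error codes and the sample signature bytes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-ins for the real handshake code (assumptions). */
#define ERR_OK       0
#define ERR_BAD_SIG (-1)   /* hypothetical non-zero failure code */

static int hash_update_ok(void) { return ERR_OK; }

/* A signature is "valid" only if it matches these constructed bytes. */
static int verify_signature(const uint8_t *sig, size_t len) {
    static const uint8_t expected[] = {0xAA, 0xBB, 0xCC, 0xDD};
    if (len != sizeof expected || memcmp(sig, expected, len) != 0)
        return ERR_BAD_SIG;
    return ERR_OK;
}

/* Buggy version: the second "goto fail;" is not guarded by the if, so it
 * is always taken, with err still ERR_OK from the previous check. */
int verify_key_exchange_buggy(const uint8_t *sig, size_t len) {
    int err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;   /* the extra line: unconditional jump */
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed version: one goto per check, so a bad signature is reported. */
int verify_key_exchange_fixed(const uint8_t *sig, size_t len) {
    int err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
    if ((err = hash_update_ok()) != 0)
        goto fail;
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    const uint8_t forged[] = {0x00, 0x00, 0x00, 0x00}; /* constructed bad signature */
    printf("buggy: %d\n", verify_key_exchange_buggy(forged, sizeof forged)); /* 0: accepted */
    printf("fixed: %d\n", verify_key_exchange_fixed(forged, sizeof forged)); /* -1: rejected */
    return 0;
}
```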
Encryption's weak link No. 11: Certificates can be faked
Let's say you go to PeteMail.com with an encrypted email connection, and to be extra careful, you click through to check out the certificate. After a bit of scrutiny, you discover it says it was issued by the certificate authority Alpha to PeteMail.com and it's all legit. You're clear, right?
Wrong. What if PeteMail.com got its real SSL certificate from a different certificate authority -- say, Beta? The certificate from Alpha may also be real, but Alpha just made a certificate for PeteMail.com and gave it to the eavesdropper to make the connection easier to bug. Man-in-the-middle attacks are easier if the man in the middle can lie about his identity. There are hundreds of certificate authorities, and any one of them can issue certs for SSL.
This isn't a hypothetical worry. There are hundreds of certificate authorities around the world, and some are under the control of the local governments. Will they just create any old certificate for someone? Why don't you ask them?
This story, "11 reasons encryption is (almost) dead," was originally published at InfoWorld.com.