Goodbye, PKI!

I did my Friday lecture on PKI (Public Key Infrastructure) and digital certificates, and outlined how poor our core security is on the Internet. It is a terrible hot-potch of things that few people — even security professionals — actually understand. It was created at a time when the Internet was a good deal smaller, and created a structured model of root CAs (Certificate Authorities) and intermediary CAs. But it also supported self-signed certificates. If you are interested, here’s the content from the class [https://asecuritysite.com/esecurity/unit06].

Gather a whole lot of information security professionals, and they will often struggle to explain how the whole thing works. In the end, it’s a bit like gathering a whole lot of electrical engineers, and asking them how Ohm’s Law works, and then getting a garbled response. Would you trust an electrical engineer how couldn’t tell you exactly how current and voltage work?

Developers, too, often fail into traps of not properly signing their code and will leave the private key exposed to others. Certificates time-out. Simple passwords are used on the core certificates. Adversaries target the installation of root CA certificates, in order that their malicious software will be trusted. And so on …

So the story goes. You send me a secure email, and you take a hash of the email content, and then encrypt this with your private…