It seems all too often my friends are having their accounts hacked. I get emails from them trying to hawk iPads or Facebook messages about Lady Gaga. There are three problems I see here:
1. Users choose poor passwords. This was shown in the recent Gawker hacks and pretty much every other username/password database breach in computer history. Common fix: require complex passwords. Problem with the fix: users pick something like Password1!, which satisfies every complexity rule and is still one of the first guesses an attacker tries. Another problem is that users choose the same password for many sites. Once the password is compromised at one site, the same username and password can be used to gain access to other sites.
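To show why a complexity rule on its own is a weak fix, here is an added example (not code from the original post) in plain Node.js: the usual "upper, lower, digit, symbol, eight characters" rule accepts Password1!, while a second check that strips the predictable decorations and compares the remaining base word against a small constructed stand-in for a breached-password list rejects it. The word list, the leetspeak map and the rule itself are assumptions for illustration.

```javascript
// Added example: complexity rule versus a guessability check.
// The COMMON_BASES list is a constructed stand-in for a real breached-password list.

// The typical complexity rule: at least 8 characters with lower, upper, digit and symbol.
const COMPLEXITY = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/;

function meetsComplexityRule(pw) {
  return COMPLEXITY.test(pw);
}

// Tiny constructed sample of words that appear in every credential dump.
const COMMON_BASES = ['password', 'letmein', 'welcome', 'qwerty', 'iloveyou', 'admin'];

// Undo the decorations users add to satisfy the rule: capitalisation,
// trailing digits/symbols, and common leetspeak substitutions.
function baseWord(pw) {
  const leet = { '@': 'a', '$': 's', '0': 'o', '1': 'i', '3': 'e', '4': 'a', '7': 't' };
  return pw
    .toLowerCase()
    .replace(/[^a-z]+$/, '')              // drop trailing "1!", "2011", "!!" etc.
    .replace(/[@$01347]/g, c => leet[c]); // P@ssw0rd -> password
}

function isGuessable(pw) {
  return COMMON_BASES.includes(baseWord(pw));
}

// Verdict a registration form could use: must pass the rule AND not be a dressed-up common word.
function evaluate(pw) {
  const complex = meetsComplexityRule(pw);
  const guessable = isGuessable(pw);
  return { complex, guessable, accepted: complex && !guessable };
}

// Running the two checks side by side on a few constructed inputs.
for (const pw of ['Password1!', 'P@ssw0rd2011', 'Tq7#vLm9$wE2']) {
  console.log(pw, evaluate(pw));
}
```

The point is that the regex measures shape, not predictability; anything users do to satisfy the shape requirement tends to be the same thing everyone else does, so a dictionary-plus-decorations check catches it.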
2. Users blindly click links in emails, Facebook posts, etc. Here, I would be interested in an organization that prohibited links from being transmitted in email. If someone tried to send an email with a link, it would be rejected and a notice would be sent to the original sender stating that links are not allowed. The emails should instead be phrased along the lines of “Go to your normal [Bank Name] login by entering the address you always do in the URL bar.”
3. Users never check where they end up after clicking links. They usually end up at facebook.evilhacker.com and think they are at the real Facebook. Hey, the page looks the same. People should check the certificate of the website, but they don’t.
All of these problems can be fixed with one simple solution: certificates. Certificates have been around since the 1980s and are common in authenticating servers, but not users. Many SSH users love certificates because they allow them to log onto their systems without typing passwords. However, certificates are almost never an option for logging into websites. Let’s look at how certificates would solve the three problems above:
1. Certificates, by their nature, are complex. They are effectively immune to brute-force attack. Also, certificates are unique to the one website they are created for. No more password reuse.
2. and 3. Users could click whatever links they wanted, but the certificate would never reveal itself to any site except the genuine HTTPS site. Here, the certificate does the check that most users don’t do. If users go to a fake site, they may try to log in, but will be unable to hand a password to the attacker.
There are problems with certificates such as portability across computers, access from public computers and even compromise of the certificate itself, but I think having the option to use certificate-based authentication would greatly lessen the occurrence of these simple attacks. For now, however, the best defense is choosing an incredibly complex password, never clicking links, and checking the certificates of the websites visited.
On a side note, the US Government is working on this as well, but I think it is in the best interest of everyone if private individuals and corporations create their own certificates.