A new HTTPS Certificate Authority, Let’s Encrypt, allows the general populace to attain explicit trust for their websites and apps. In theory, the service makes the goal of a fully encrypted web more attainable and eliminates the price-prohibitive procedure of attaining an CA certificate. Recently, though, trojans and spyware signed with Let’s Encrypt certificates have begun to crop up. This means malware commonly flagged by antivirus programs can go unnoticed by Windows systems – and collect your personal info, including any login info you use to get into online wallets, and accounts used for 2FA on these wallets.
This exploit allows malware creators to package any old malware they have that gets recognized by network traffic irregularities, effectively re-enabling them by making them look safe to your computer. This is going to cause huge headaches in the future for internet security application developers – by making the current system open, they’ve essentially invalidated its usefulness.
So how can you protect yourself if you use Windows? The truth is, you can’t, short of buying your bitcoin face to face and becoming a hermit, that is. The current certificate trust system is integral to the way traditional websites and web apps implement security, and that’s not going to change in the near future.
This exploit extends to any system that doesn’t allow low-level security tweaks by the user (MAC OSX, Anddoid, etc.) Luckily, people using platforms like Linux and *BSD have more granular control of what cert authorities they trust, so what scanty malware there is for these systems will be recognized right away, and locked down by default. Installing a new OS just isn’t a practical short-term security solution, however. For now, If you use Windows, keep your money in local wallets as much as possible and use as many security measures outside of online accounts as possible; phone number 2FA and public key signing are good options.
This new exploit — revealed by open-sourcing the certificate system — is more an indictment of the current centralized trust system than anything else. It should give the security-minded Bitcoin user pause to know that thousands of oppressive regimes and companies in the business of shipping products with weakened security and backdoors are trust authorities in the current system. Further, the moment a service comes up that lets individuals easily sign their work as secure, it’s exploited by people looking to steal information and money from the people it’s supposed to serve.
These events make the case for trustless security and distributed systems that much stronger. All it takes is one exploit, and current internet security measures fall apart. Until a decentralized solution for package signing and web page encryption gains widespread acceptance, We’ll continue to see devastating zero-day exploits and security holes that put many users at risk, like the one discussed in this article. Until then Our only option is to stick to open-source software platforms and use applications that have their own implementation of trustless security. Sure, these are band-aid fixes for a massive systemic problem, but at least, they’re there for people that want to minimize exposure to the broken security systems we use today.
Need to express how centralized security has affected you personally? Discuss it in the comments below!
Images courtesy of wikimedia commons, microsoft.
1 Hova Villas Brighton & Hove
BN3 3DH United Kingdom
All rights reserved by Bitcoinist Ltd. | 2016.