Most of us have come to enjoy the convenience of secure communications over the Internet. We feel comfortable that a broad range of commercial transactions, remote access through virtual private networks (VPNs), and the transmission and retrieval of data from the Cloud are secure, or at least reasonably so. However, such communications may be less secure than people think. It has recently come to light that the processes used to authenticate the identity of the party (or organization) with whom one is communicating may actually be deeply flawed. In almost all cases, businesses and individuals alike unwittingly trust a large number of “certificate authorities” (so-called “CAs”) essentially to authenticate, or vouch for, the identity of the endpoints of secure communications over the Internet.
CAs hail from across the globe. Some are private entities, while others are associated with, or operated by, governments, in some cases perhaps a government one may not wish to trust. Still other CAs may simply be incompetent. Whichever is the case, it is clear that these CAs have the power to facilitate man-in-the-middle wiretap exploits and “phishing” through imposter servers. Isn’t it time for general counsel and IT to work together to shore up the authentication processes? Because Encryption is Not Enough…
If you aren’t sure your communications are secure, or if you simply don’t know enough to determine the right questions to ask, contact Steven B. Roosa directly, or the Rimon attorney with whom you regularly work.