Crowd Sourced Security or Who Watches the Watchmen

The New York Times wrote about secure web certificates yesterday, and the final paragraph concerned me. Jonathan Nightingale from Mozilla Firefox was quoted as saying the current secure certificate system is “relatively secure”.

Yikes. Imagine if you got on a plane and you saw a crack in the wing and they said “well it’s relatively secure.” You wouldn’t get on that plane.

The article discusses the potential for the general misuse of security certificates because of the protracted business chain (e.g. Microsoft -> Verizon -> Certificate Company) and proliferation of the certificate entities. I wonder if we now need a separate organization to police the entire process? Who Watches the Watchmen?

The last statement from Mozilla is more intriguing though. Apparently e-commerce sites are utilizing a newer type of certificate that provides more advanced security. If an organization were to misuse this certificate, a “user with technical skills” (is that the politically correct term now?) would have to find the misuse. It’s implied that the user would then have to draw attention to this organization, which would lead to the revocation of that organization’s power.

Basically he’s suggesting our line of defense relies on crowd-sourced vigilantism. I won’t get into the whole superhero parallel here (okay fine, I will), but ultimately if the level of security is so low that we need to rely on a user intrepid enough to follow their secure data down a rabbit hole, then we’re not that secure, right? Then again, we’ve really been relying on crowd-sourced security for years…

How many times have you seen major bugs and exploits publicized on the web? From hundreds of Windows examples to, most recently, the iPhone and Android, there are exploits that are discovered by users trying to poke holes in security without malicious intent. Some of them have been smart enough to roll up into organizations that specialize in it (a Justice League, if you will). These users and groups don’t get a lot of recognition, but I’m realizing that every time I see a story about a major bug or potential malicious exploit, there’s a person who discovered it who decided it was best we all knew. To these crowd-sourced heroes I say thanks for keeping an eye on things.