) -- Ben Wilson tries hard not to show it. But he's worried. Really worried.
"If somebody gets a hold of one these things, it's not just one site that gets taken out," said Wilson, the senior vice president and general counsel for
, a Lindon, Utah, Internet security firm, over a hip hotel burger lunch.
"It's, you know, hundreds. Thousands of sites. Heck, maybe more," Wilson said.
The "thing" Wilson is sweating is called a certificate authority -- or CA in geek speak. That's the hidden, but critical, Web security organ that enables parts of secure Web transactions when say, shopping at
or giving your tax ID to IRS.gov or buying and selling stock online at
"The volume CAs handle can be a major fraction of total Web traffic," said David Rockvam, senior vice president for certificate services at
, a Dallas security firm. Entrust and DigiCert are among a half-dozen certificate authorities that control about 90% of the certificate authority market.
"Keeping them secure is critical," Rockvam said.
Wilson and Rockvam had invited me away from the crazy-busy RSA Conference, the computer security nerd Lollapalooza hosted by the security division of drive-maker
. Here in the relative quiet, the two gave me the lowdown on the new dangers for CAs, away from the hordes gawking at big, sexy security companies such as
and dozens of well-funded start-ups.
What makes Wilson and Rockvam so jittery is how -- not unlike publishing, movies and financial services -- the barriers to entry to becoming a CA, albeit a small one, have dropped to the point where Wilson estimates there are 60 to several hundred active certificate authorities.
"And if you are your own CA, you can do whatever you want," Rockvam explained. "Until you are discovered."
That makes CAs awfully attractive targets.
Just last month, a Turkish CA called
began issuing insecure digital security certificates to the point where major traffic hubs
refused to honor its Web transactions. The company publicly said its bogus certificates were a simple mistake. But it is far from the only example of a crumbling CA security infrastructure.