The Digital Skeptic: Amateurs Are Taking Over, and Risking, Web Security

SAN FRANCISCO (TheStreet) -- Ben Wilson tries hard not to show it. But he's worried. Really worried.

"If somebody gets a hold of one of these things, it's not just one site that gets taken out," said Wilson, the senior vice president and general counsel for DigiCert, a Lindon, Utah, Internet security firm, over a hip hotel burger lunch.

"It's, you know, hundreds. Thousands of sites. Heck, maybe more," Wilson said.

The "thing" Wilson is sweating is called a certificate authority -- or CA in geek speak. That's the hidden, but critical, Web security organ that enables parts of secure Web transactions when, say, shopping at Amazon (AMZN) or giving your tax ID to IRS.gov or buying and selling stock online at E*Trade (ETFC).

"The volume CAs handle can be a major fraction of total Web traffic," said David Rockvam, senior vice president for certificate services at Entrust, a Dallas security firm. Entrust and DigiCert are among a half-dozen certificate authorities that control about 90% of the certificate authority market.

"Keeping them secure is critical," Rockvam said.

Wilson and Rockvam had invited me away from the crazy-busy RSA Conference, the computer security nerd Lollapalooza hosted by the security division of drive-maker EMC (EMC). Here in the relative quiet, the two gave me the lowdown on the new dangers for CAs, away from the hordes gawking at big, sexy security companies such as VeriSign (VRSN), ZixCorp, Symantec (SYMC), StrikeForce Technologies (SFOR) and dozens of well-funded start-ups.

What makes Wilson and Rockvam so jittery is how -- not unlike publishing, movies and financial services -- the barriers to entry to becoming a CA, albeit a small one, have dropped to the point where Wilson estimates there are 60 to several hundred active certificate authorities.

"And if you are your own CA, you can do whatever you want," Rockvam explained. "Until you are discovered."

That makes CAs awfully attractive targets.

Just last month, a Turkish CA called TurkTrust began issuing insecure digital security certificates to the point where major traffic hubs Google (GOOG), Microsoft (MSFT) and Mozilla refused to honor its Web transactions. The company publicly said its bogus certificates were a simple mistake. But it is far from the only example of a crumbling CA security infrastructure.

In 2011, the government of the Netherlands released a harrowing must-read account of the hacker takedown of a large Dutch certificate authority called DigiNotar. The frankly not terribly sophisticated attack effectively bankrupted the company and vaporized a $12.9 million investment by a firm called Vasco, which had bought DigiNotar earlier that year.

Not surprisingly, similar but bigger CAs such as DigiCert and Entrust have invested in ambitious cooperative security plans. But just like the rest of the wobbly Web, the race-to-the-bottom digital age economics makes law and order elusive.

"Certificate authorities were complex and lucrative at one point," said Alberto Yepez, managing director at Trident Capital, a major Silicon Valley security venture shop, when we later spoke at another nearby watering hole. "But now they're becoming commoditized."

The upside on Web risk
This all leads to an only-in-the-Internet-age investor upside: Considering that everyone from Facebook (FB) to The New York Times to Burger King (BKC) is mitigating embarrassing, value-affecting security lapses, the crumbling CA infrastructure actually offers a tantalizing lens into which firms take security seriously -- and which do not.

It turns out that the clues lie around in plain sight.

"It varies by browser, but any user can see on any page who the CA is for that page," Wilson told me. And with a bit of practice, he said, just about anybody can get a feel for the security posture of the company creating that Web page.

Wilson says the place to start to see who has security game is with a tool called the SSL Configuration Checker, based on an app from Redwood City, Calif.-based Qualys (QLYS). Any firm's Web page scoring a B or lower has issues to answer for. If you want to humor your deeper, inner security nerd, here's a link to the uber-geek white paper on the topic.

"This is an industry that rewards due diligence," Wilson told me.

But he made it clear: Building a security model that evaluates the level of practical risk a Web company is managing, based on analysis of trusted third parties such as CAs, is a lot of work.

"You'll have to build your own tools," he said. "It's the Wild West out there."

The Wild West on an alien planet, more like it. But somebody has to settle it.

This commentary comes from an independent investor or market observer as part of TheStreet guest contributor program. The views expressed are those of the author and do not necessarily represent the views of TheStreet or its management.
