Life without Certificate Authorities

by Chandler on March 29, 2010

Since it seems like I spent all of last week pronouncing that ZOMG!  SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives.  Fortunately, the Tor Project Blog, we learn what life is like without CA’s

Browse to a secure website, like https://torproject.org/. You should get the intentionally scary “This Connection is Untrusted” certificate error page. However, you should expect this error as there are no more CAs to valid against. Click “I Understand the Risks”. Click “Add Exception”. Firefox should retrieve the certificate. Click “View”. This is where it gets interesting.

How do you validate the certificate? It depends on the other end. For sites I worry about, like my bank or favorite shopping stores, I call support and ask for the SSL fingerprint and serial number. Sometimes the support person even knows what I’m talking about. I suspect they just open their browser, click on the lock icon and read me the information. Generally, it takes some work to get the information. Further, I’ll compare the cert received through Tor and through non-Tor ssh tunnels on disparate hosts. However, you only have to do this checking once per cert. Once you have it, Firefox stores it as an exception and, if the cert doesn’t change between visits, doesn’t interrupt you with the cert error page.

Even this brings a few caveats:

Does the list of certs in my browser open me up to unique fingerprinting in some way? Would I notice if a Packet Forensics device was used? Unless someone screwed up, I doubt it. And a seldom asked question is, have I ever caught ssl certs being faked or changed by a man-in-the-middle? Yes I have.

And there’s the rub.  Even without using the CA as a proxy for trust, a suitably privileged attacker could still MITM that traffic stream.  So even going it alone is not a panacea, it arguably reduces risk of a successful non-government attacker (i.e. fraudster) by someone who breaches the CA’s verification processes.

Right now, though, I think that for most people, CA’s suffer the same shortfalls which Churchill famous ascribed to Democracy:  “The worst form of online identity verification except for all those others that have been tried.”

Perhaps, as the challenges of PKI alternatives like the Web of Trust, demonstrate, Trust is an inherently un-scalable concept (online).  If that is the case, how do we align and partition risk appropriately and, even more importantly, how do we do it in a manner that the average Internet user will get right, even if they don’t comprehend it?

Updated to correct a typo and clarify another

9 comments

Does someone really expect the general public to call their bank to get the certificate serial number? Every year that it gets renewed? Even if they did, an attacker could man-in-the-middle the phone line and tell them the wrong serial number.

No, I think the trusted CA system is working quite well even if there are “theoretical problems”.

[Admin note: Robert links to a site called “sslshopper.com” which causes me to question if this comment should be treated as spam. I’ve decided not to, but to call attention to the appearance of interest.]

by Robert on March 29, 2010 at 3:30 pm. Reply #

Robert,

Despite your assertion, the CA system is not working “quite well.” I would grade it “reasonably well” at best. It has been breached repeatedly at the system/process level by researchers/academics, criminals, and now governments. Hence, my series of posts on the topic.

Even so, I don’t expect the general public to call their bank to get the certificate serial number–all of this implies a level of understanding that I don’t expect the general public to ever get to. That’s why I quoted Churchill.

Eventually, though, the CA system will suffer either a major breach/failure or a Class Break, and if there isn’t an alternative that’s better (or, at a minimum, not significantly worse) waiting in the wings, we’re all going to have a Serious Problem.

And finally, these are not theoretical problems–they are real problems. The impact simply hasn’t risen to the level where non-security people begin to bemoan it.

by Chandler Howell on March 29, 2010 at 4:36 pm. Reply #

Fair enough. I didn’t read your comments closely enough. I agree that there are problems with using CAs as part of a PKI. I’m interested to see what kind of better alternatives could be possible. For the moment, it appears to me that there are none.

I am curious about the claim that governments have now breached SSL. Is that based on Soghoian and Stamm’s paper? It was my understanding that they only discussed the possibility of a government coercing a CA into issuing a fake certificate. There isn’t any evidence that it has actually happened so it seems a bit premature to say that it is now occurring. Am I missing something in that area?

by Robert on March 30, 2010 at 2:58 am. Reply #

Hi Robert,

I’m glad you stopped back by and I’ll take you through my reasoning as I wrote what has turned into a series on SSL issues.

My concern about the Compelled Certificate Creation Attack was prompted not only by the attack–we have known MITM against SSL was possible in varying ways for some time. It’s been commercialized in products like BlueCoat with ICAP for years, but it made no effort to hide its presence if someone looked at the certificate.

The thing that concerned me was the article about Packet Forensics selling a product whose intended use is by law enforcement and was apparently intended to be used for covert intercept. Products like that don’t spring into existence on a whim–they typically come from the commercialization of an ad-hoc/hack method, which in this case would require a compelled certificate.

Combine that with the known mis-use here in the United States of National Security Letters against ISP’s, which forbid them from speaking about what is effectively coerced compliance, and you have a recipe for serious abuse of the populace–and this is in the United States, where we still like to think that we have a tiny bit of freedom or privacy.

The worst security incidents tend to happen when people make bad assumptions. In this case, I’m merely highlighting the potential bad assumptions that a person counting on encryption (in this case SSL) might make, since in the case of a dissident in a repressive regime, that mistake could be fatal.

by Chandler Howell on March 30, 2010 at 1:05 pm. Reply #

Thanks for your reply, Chandler. I agree that the existence of the Packet Forensics product is disconcerting, but I still feel like it is a weak argument to claim that governments have now breached SSL just because there is a known commercial product that gets them halfway there.

As you mentioned, the underlying methods of a MITM have been available for governments to use since the SSL protocol was created, yet we haven’t seen any evidence that a government has executed such an attack or even created a fake certificate. Until there is evidence that a CA has issued a fake certificate to a government agency, we can only claim what we’ve been able to claim for years: it is *possible* for anyone to execute an SSL MITM attack if they are able to somehow get a fake, CA-signed certificate.

I do think that this possibility is an important reason for someone to “watch the watchers” by requiring standard validation guidelines, CA audits, and possibly a database of known certificates on the Internet so that inconsistencies can be easily discovered. All it takes is one CA to get caught doing this and then their reputation will be tarnished and they will be out of business. I don’t think CAs would be willing to take that risk.

by Robert on March 31, 2010 at 1:26 am. Reply #

Robert,

Major CAs have already been caught issuing bad certs, with no major repercussions. See Verisign, Microsoft. QED, your assertion of “will be out of business” is clearly incorrect.

by adam on March 31, 2010 at 3:47 am. Reply #

That’s true. Maybe I am being overly optimistic about what will happen when a fake certificate is found. But, as far as I am aware, those incidents of bad certs involved low assurance certificates. With EV certificates, there should be little to no room for the same kind of mistakes to happen because of the stringent standards so the consequences may be greater if a fake EV certificate is ever issued.

by Robert on March 31, 2010 at 2:26 pm. Reply #

Perhaps, but not even an EV certificate would be immune from the compelled generation attack–that’s part of what is so disturbing about it. I would also challenge you to find a single non-technical user who knew what an EV certificate was and how it differed from a non-EV cert.

The accuracy and effectiveness of CA’s and SSL are an article of faith for the average Web user. I worry about what it means that people ascribe such confidence to a system comprised of hundreds of companies and thousands of people.

I also think that, in much the same way that the ChoicePoint incident turned out to be just a blip in the long run, so would a forged EV certificate also be (at most) a blip outside the crypto and security communities.

I’m trying to get a final post together in what has now turned out to be a series which looks at the various options for a post-CA (rather than just non-CA) world, but just haven’t had the time.

Unfortunately, the mechanisms either don’t scale or don’t provide significantly better protection than the CA system today.

by Chandler Howell on March 31, 2010 at 4:26 pm. Reply #

[Disclaimer: I’m the COO/CTO of a CA]

Let me help in your evaluation. It’s true that there have been some failures and there will be probably some more in the future. But how does it affect you?

By comparing all publicly known mistakes of wrongful certificate issuance during the last few years with all legitimate certificates installed at websites, we can learn that the failure rate is approximately 0.000003% for a limited time.

Comparing this further with the visits made to those SSL enabled web sites, the risk of failure at any given time is probably a few thousand times lower then the number above.

This makes CA issued SSL certificates not only reasonable secure, but actually highly effective.

Now, in case nevertheless a mistake happened, CAs are insured to the extend to cover eventual losses to third parties and have the ability to revoke a certificate if needed. This allows billions of site visits and sensitive transactions every day in a secure and reasonable way (also by mom and pop without knowledge what a fingerprint or a digital certificates is).

I hope this perspective to be helpful.

by Eddy Nigg on April 1, 2010 at 1:32 am. Reply #

Leave your comment

Not published.

If you have one.