Are Some CAs Too Big To Fail? 163
Trailrunner7 writes "In the wake of this weekend's revelations of the seriousness of the attack on certificate authority DigiNotar, security experts have renewed criticism of the Internet's digital certificate infrastructure, with some wondering if larger certificate authorities (CAs) might be too big to fail. Would Mozilla and Microsoft and Google have revoked trust in root certificates from VeriSign or Thawte had they been compromised? Unlikely. 'It's not a simple matter of removing certificates from a database, because they're not in any databases,' says researcher Moxie Marlinspike, who presented an alternative approach to the current SSL infrastructure last month at DEFCON. 'We may never track them all down.'"
User ignorance (Score:4, Insightful)
Re:User ignorance (Score:4, Interesting)
The problem with CAs are that they never really do their job quite well. If you are paying hundreds or thousands of dollars for a Cert they really should do a lot more work to verify who you are and the browser should identify the level of security the Cert gives.
A cheap level (Under $50 per IP) for those B2B type of apps where you are connecting to a trusted source anyways but you don't want the error message or tell your customer to setup something new. A one note should suffice. Then you got a level good for online business (Under $500) this is for online stores, the CA needs to determine that it is a real store with the ability to sell the goods. However the browser should alert when ever there is a data stream that looks like a social security number or pushes a request for such non-merchant information. then you got the premium HIPAA level cert where it the CA needs to keep a close eye on its organization make sure the companies security is strong enough for the CERT this would be a full allow for the browser.
Re: (Score:3)
Self signed certs would probably be a better idea for businesses you already have a relationship with, like banks... You already have offline contact with the bank via mail or even walking into a branch, so they could use this to send you their certs and you won't have to trust anyone else.
Re: (Score:2)
Why not have the bank be the CA for the businesses it does business with? That way, any business needing an SSL cert can go to their bank and get one. The bank's reputation is on the line and there's a definite trust enti
Re: (Score:2)
Yes, this is sarcasm in that FireFox will go apeshit over a self signed cert, but pass all these fraudulent ones for months until people actually run the update.
Re: (Score:2)
CA-issued certs, even free ones from StartSSL and cheap ones from GoDaddy, have the advantage of being revocable. Nearly all the self-signed certs I've encountered lack a CRL or OCSP responder. This is a Bad Thing.
Re: (Score:2)
An man-in-the-middle attacker can just drop the packets to the OCSP (do browsers by default even download any CRL's anyway ? usually they are just to large like 700MB+) it will timeout and the browser by default will just continue.
Re: (Score:2)
You already have offline contact with the bank via mail or even walking into a branch, so they could use this to send you their certs and you won't have to trust anyone else.
I would totally, TOTALLY, trust a self-signed cert for my bank that turned up on a CD in my mailbox over one that was signed by a CA.
Re: (Score:2)
However the browser should alert when ever there is a data stream that looks like a social security number or pushes a request for such non-merchant information.
I'd love to see you try to implement that...
Re: (Score:2)
Are you saying that you want browsers to only work to spec in the USA? Or are you expecting browser developers to have regexes for social security numbers in every country in the world, and to keep up-to-date with the legislation which is the closest local equivalent to HIPAA?
Re: (Score:2)
A highschool course in IT taking down Thawte or forcing them to clean up their act would be about as likely as a highschool course in personal finance bringing down Goldman-Sachs or leading to the end of byzantine financial chicanery...
Re: (Score:2)
Oh yes, and while we're at it we'll teach them all how to fix a car so they can call out their mechanic if they recommend un-needed repairs, and teach them all construction so they can better review the work of the guy who builds their next home, and we'll put them all through medical school so they can better hold their doctors to best practices.
Honestly, there's a point where you have to get off your high horse and realize that we have specializations for a reason, and it behooves those in the know on a g
Re: (Score:2)
Specialisation is for people who want to live securely in large communities. It's one thing to design a small hut for a temperate climate, and another to design a block of flats which can withstand a natural disaster. It's one thing to program a computer, and another thing to write robust software which handles exceptional cases well and doesn't let a script kiddie drive a bus through it. So by all means, attempt to eliminate specialisation, but only if you're happy living in a small hunter-gatherer communi
Re: (Score:2)
Any system that relies on users to know what is or isn't good is doomed to failure. Users don't check the address bar and don't know about certificates, nor should they.
All too often their machines are 0wned already by malware and spyware, probably because they saw some cute puzzle game and just kept clicking OK at that damn dialog box getting in the way of playing my game!!!
Re: (Score:3)
Maybe we should do a better job of teaching people about computers and technology...
Sorry, had to stop you right there, because the only thing that is ignorant here is thinking that users will actually learn to use the very device they rely on for damn near everything.
Just saying, if users haven't learned by now, they won't. Period.
And while we're on the topic of ignorance, can we please get the hell away from this "too big to fail" crap? Do images of the Titanic at the bottom of the sea paint enough of a picture? Does the word "Rome" ring a bell? I mean c'mon, seriously, let's at leas
Re: (Score:2)
The term 'too big to fail' doesn't refer to being unable to fail but rather, not being -allowed- to fail because the consequences of failure would be too catastrophic.
Re: (Score:2)
> The term 'too big to fail' doesn't refer to being unable to fail but rather, not being -allowed- to fail because the consequences of failure would be too catastrophic.
Which is a bogus term. "too big to fail" = "the general population gets fucked with the bill"
True Story:
Forest Ranges used to be anal about stopping _every_ forest fire. They eventually learnt that this makes the situation _worse_ in the _long_ run because all the decay that _would_ of been cleared when a big fire hits, is still there.
S
Re: (Score:2)
Do images of the Titanic at the bottom of the sea paint enough of a picture?
As they say, sometimes failure isn't an option - it's mandatory.
Good point (Score:4, Interesting)
Re: (Score:2)
How would I trust that this plugin does the blocking of everything correctly and how I want it?
Re: (Score:2)
Re: (Score:2)
Perhaps we could sign it for authenticity with a certificate provided by a trusted third party.....oh wait.
Too big to fail... (Score:5, Insightful)
Re: (Score:2)
F and i thought i was a dem
Re: (Score:2, Insightful)
Both Democrats and Republicans (and even Tea Partiers, from what I've seen....) are for big government. The argument is what part of the government should be big.
We compromise by making both sides big.
Re: (Score:2)
Segmentation (Score:2)
I'm not too sure how CA's work, but if till this point we know, say "Thawte" is uncompromised.
Then, secure Thawte, issue new certificates using a different name, say "Thawte2"
Change this name every year or so, securing the previous certificates.
This way, in case of a compromise, only a max. of 1 year of certs are invalidated
Marlinspike's approach (Score:5, Interesting)
Marlinspike's approach, implemented in a Firefox extension [convergence.io] presented at DefCon '11, is to do away with the notion of CAs altogether in SSL, replacing it with a distributed network that reports on the certificate they see. Basically, if the certificate you see agrees with the rest of the network, then you're not being spoofed.
He had previously explained [thoughtcrime.org] the properties a replacement to the CA system had to demonstrate in order to be viable
Re: (Score:2)
How do you authenticate the authentication server?
If I got it right, this system needs to contact some server that says "I cerfity this cert as valid, because the fingerprint was the same from the 50 different network paths we checked it". Ok.
But, that message has to be transferred securely as well, otherwise Mallory just spoofs that server, and you've got no security. And you can't do the checks yourself because you don't have 50 servers around the world you can use for testing.
Re: (Score:2)
You dont. You are the authentication server, and you ask 50 servers.
Re: (Score:2)
That's not very useful if your ISP is doing the MITM, which is very much a reality in many places right now.
For instance, there have been several articles here on ISPs injecting content into the websites they serve.
Re: (Score:2)
Re: (Score:2)
How are you so sure of that? What would prevent it?
They're in between you and those 50, they can spoof everything they like.
Re: (Score:3)
To add a notary you have to input the public cert for the notary, how do they MITM that without throwing warnings.
Re: (Score:2)
But that's not very useful, because compromising one CA gets you back to the same situation again.
It's just lucky that the compromise is public this time, they don't have to be. The attacker could make the cert then spring the trap at a convenient time. By the time somebody figures it out, the damage will be done already.
Re: (Score:2)
But that's not very useful, because compromising one CA gets you back to the same situation again.
No, that's the whole point, compromising one notary does NOT get you back to the same situation.
A client should contact more than one notary when it sees a new site certificate, so a single compromised notary can't fool it. Even more important, if a notary proves untrustworthy browser makers can remove that notary's certificate from their list and push an update. Under the current system, removing a CA's cert means that all sites certified by that CA lose certification, which means that shutting off Ver
Re: (Score:2)
You don't think Google or Microsoft can make notaries? .. They have bots that scour and cache the internet already. Grabbing the ssl certificate of a site and caching it isn't that much more to deal with. Plus, I have the option of hosting a notary at home if I want.
The idea is to get a proof of concept out there, and a decent implementation of it I might add (I'm running it at work, home, and school). We just need to get the major browser vendors onboard (MS, Google, Apple), and then get it rolling.
The bea
Re: (Score:2)
Already happened (Score:2)
with Comodo, they only hardcoded some certificate signatures but did not revoke the entire CA. There is another problem: "your website is too small to care". I am not sure if a small business operator will receive the same treatment like they did with Comodo, patch their browsers to protect users of your small site
CAs should have to post a bond (Score:2)
CAs should be limited to sets of domains, and this enforced in browsers. Country-level CAs should be limited to the country in which they operate. Government CAs should be limited to their domain (".gov", "mil.uk", etc.).
CAs for the open domains should have to post a big bond, which can obtained through a bonding agency if necessary, with a value of at least $10 million, to back up their "relying party agreement".
That's what "corporate responsibility" means - third party bonding.
Re: (Score:3)
CAs should be limited to sets of domains, and this enforced in browsers. Country-level CAs should be limited to the country in which they operate. Government CAs should be limited to their domain (".gov", "mil.uk", etc.).
CAs for the open domains should have to post a big bond, which can obtained through a bonding agency if necessary, with a value of at least $10 million, to back up their "relying party agreement".
That's what "corporate responsibility" means - third party bonding.
Well, theres one thing I guarantee we are not going to do. Lets look at the american experience:
1) I trust my employer to give me a job for life in return for my loyalty. Whoops
2) I trust my bank to only loan me a mortgage I can pay off. Whoops
3) I trust my health insurance company to be there for me when I'm sick. Whoops
4) I trust my car insurance company to help me with my claim. Whoops.
5) I trust my hardware store (and China) not to sell me poisonous drywall. Whoops.
6) I trust my food store not to b
Re: (Score:2)
6) I trust my food store not to baby food full of melamine. Whoops.
They accidentally the whole jar?
Re: (Score:2)
There are more problems with SSL than this (Score:2)
We regularly find Windows workstations that won't accept a valid certificate from any of several known good servers one of our applications use. Sometimes installing the root certificate solves it, but often it doesn't. Most of the time reinstalling Windows is the only solution.
Microsoft is of no use in these circumstances, as they avoid dealing with root certs at all. The CA also has no answer. Applying root updates, the specific certs, an all-encompassing cert, even removing and reapplying the CA in W
Re: (Score:2)
This isn't related to an intermediate CA issue, is it?
For example, Entrust, as part of the switch to 2048-bit certs, starting using an Entrust L1C chain authority - and we've had to load that L1C intermediate certificate onto servers to get them to recognize the certs that Entrust issued. Until you load them, the UI is not terribly helpful - the certificate chain tab doesn't show the missing L1C certificate.
Re: (Score:2)
One set of certs are Equifax, the other from GTE Cybertrust. Both have troubles.
Re: (Score:2)
You don't by any chance have connection problems to Microsoft ?
As Windows comes with only a few root certs by default, the rest is checked on first-contact by contacting Microsoft to see if they think it is a good CA.
Even if the user has no administrator rights, it will still install the CA-root certificate on the machine-account.
Re: (Score:2)
This problem affects >40 of our users. It's not me. Our application uses Windows and OpenSSL. The network traces are definitive.
Re: (Score:2)
And no, we are unaware of connection problems to Microsoft. We see good Windows Update sessions, we can download the rootsupd.exe when we ask for it, and we do NOT see any network call to Microsoft in response to the failed attempt.
I'm not professing to be an SSL expert, I just know what I see, and we see problems getting root certificates installed correctly and working, and there is literally NO help from MS or the CAs. MS is mute on the subject, even abandoning a support call without explanation.
My sus
Re: (Score:2)
Our problem is that we have workstations that cannot negotiate connections despite having valid certificates. The certs install fine, just don't work.
Yes, i'm sure its our fault. understood.
Re: (Score:2)
Our problem is that we have workstations that cannot negotiate connections despite having valid certificates. The certs install fine, just don't work.
Yes, i'm sure its our fault. understood.
That's entirely Microsoft's shoddy implementation at fault. YOU think the certificate is valid. The OS disagrees. It's not the certificate's fault the OS won't listen to your instructions to trust it.
Re: (Score:2)
Um, no. The plural of anecdote is not data, and the singular sure as hell isn't either. One person having issues with their SSL with no evidence of anyone else having that same problem is almost 0% likely to be an issue with the implementation which is the same as that of millions of other people without that problem.
Re: (Score:2)
Interesting, so you're saying you have millions of data points behind you?
I can't be bothered to tally mine up, and I'm sure the same is true for you. That we're even having this conversation is proof enough that it's fucked enough to have an unacceptable rate of failure.
Re: (Score:2)
Millions don't use these servers.
It still doesn't work.
It's SSL, the traces show SSL is refusing the connection.
Like I said, must be us.
Re: (Score:2)
Not one person. >40 of our users across the US and oversease are having these problems.
And the network traces are definitive. We see the connection attempt, the server offers its certificate, we refuse it, server says 'goodbye' correctly.
And we see plenty of root certificates in these Windows installations. MS has expanded the Root CA program dramatically. Lots of national CAs are in there. I like the proliferation of Chinese authorities about as much as a stick in the eye.
What a poisonous concept we've embraced. (Score:2)
Re: (Score:2)
Yup, in my book too big to fail is too big to exist.
When something too big to fail does fail, the solution should be a government takeover for the public interest. The government keeps the operation running, dives through the records for evidence, and then files criminal charges against the former management and sues them for damages.
The too-big organization is then chopped up into manageable pieces and they're all IPOed. The proceeds are used to pay off first any expenses incurred by the government to ru
Confused... (Score:2)
'It's not a simple matter of removing certificates from a database, because they're not in any databases,
I don't get this. Removing/replacing a CA cert from trust is easy for browsers/os vendors to do, technically (CA should be on the hook to re-certify certs if they are forced to remove their cert from circulation).
With OSCP, at least *good* certificates *are* in a CA's database, and OSCP will fail for any signed certs that cannot update the OSCP server's hosted copy. Implementation wise, OSCP validation is done poorly, but that's not a flaw of the theoretical design.
There is a whole lot of people calling t
Re: (Score:2)
Re: (Score:2)
And if you kick a big CA like Verisign out, you'll basically break the internet since so many websites rely on certs signed by them.
Sure, it's easy to remove/revoke a root cert. It's not easy to deal with the clusterfuck of having 80% of all HTTPS websites giving an error.
Alternative improvement idea (Score:5, Interesting)
So I've seen quite a few people wanting a switch to self-signed certs (who IMO mostly don't understand what making that secure actually involves), and an idea to check certs from different network paths (which doesn't work if your only path is compromised, and how do you secure the communication to the service that does the check for you?).
So here's an alternative idea: Require multiple CAs.
Instead of doing it the "extended validation" way which is more money for not a whole lot more service from the same provider, it'd be much better to have multiple CA signatures on a single cert.
Compromising multiple CAs in the same timeframe to create a cert would be considerably harder than creating one. More importantly, it'd make revoking large CAs much easier.
Let's say that the new norm is to have a site's cert is signed by 5 different CAs, and that the minimum acceptable amount is 3 signatures.
Then, if Verisign gets compromised there's no problem with pulling their cert: you're down to 4 valid signatures on your certificate, which is still fine. That should put considerably more pressure on CAs to perform better.
Even Verisign wouldn't be able to trust that their security problems would be let go due to their popularity, as even the largest CAs would be completely expendable without the end users needing to care much. The site would just go with a different 5th CA to return back to the full strength.
Re: (Score:2)
That's a fairly novel idea that would provide pretty good privacy.
Re: (Score:2)
Re: (Score:2)
He also claims to 0wn four more 'high-profile' CAs
http://it.slashdot.org/story/11/09/06/1245214/Possible-Diginotar-Hacker-Comes-Forward [slashdot.org]
Re: (Score:2)
Re: (Score:2)
That would be possible under a system like that, but I think the current system of trusted by default CAs ought to remain. 99% of people simply aren't going to take time to understand how a PGP style works. I'd know, I explaned PGP to several people and it takes a quite long time to do properly.
Besides, just what does your brother in law trusting a CA means? He thinks they're really professional? They are cheap and have nice customer service? But none of that has anything to do with their security and inter
Perspectives (Score:2)
So here's an alternative idea: Require multiple CAs.
Instead of doing it the "extended validation" way which is more money for not a whole lot more service from the same provider, it'd be much better to have multiple CA signatures on a single cert.
What you are proposing is roughly what the Perspectives [perspectives-project.org] project has implemented.
Re: (Score:2)
Not at all. My idea has absolutely nothing to do with what this project.
My idea requires: Certificates to support multiple CA signatures, and for a browser to require multiple valid CA signatures on a cert. Other than that it fits perfectly well in the current scheme. You'd still get your cert signed by companies like Verisign and Thawte, and their certs would still come by default with the browser.
Re: (Score:2)
I found this [grepular.com], which mirrors my idea.
I also looked at Perspectives.
IMO, it's quite silly.
First, the idea of it is to replace CAs with... a CA. It does exactly what any other CA does, except it implements a different policy. Instead of "we certify that bobsmith.com belongs to somebody named Bob Smith", or "the person who requested this cert proved they control http://bobsmith.com/ [bobsmith.com]", it's "we certify that this cert looks the same from everywhere".
It is just as hackable as any other CA, though I guess it does h
Re: (Score:2)
It is just as hackable as any other CA, though I guess it does have the slight advantage of the attacker to modify their servers and keep the intrusion active, instead of breaking in, making a few certs, removing traces and disappearing.
I disagree.
The idea is that the client doesn't rely on just one notary, the client checks several of them, chosen at random from a large list. So the attacker has to compromise all of the notaries the client chooses to use, simultaneously, and without knowing which notaries the client might use. The attacker could block access to all of the notaries but the one he's compromised, but that's trivially defeated by configuring the client to require multiple successful validations, and to refuse to validate
Re: (Score:2)
First, my idea is that it'd need to happen with 3 of them, which makes it more difficult than with just one.
Second, by requiring multiple signatures and adding a safety margin, any CA's signature becomes expendable. Right now gmail.com is signed by Thawte. Which browser vendor would dare pull Thawte's cert? Very few probably. Now what if gmail.com was signed by Thawte and 4 other providers? Then you could remove Thawte's cert, and nobody would notice anything, because it's still signed by >= 3 valid CAs.
Re: (Score:2)
I was thinking the same thing.
Dedicated certificate revocation servers? (Score:2)
Why doesn't each browser's company put up a certificate revocation server? Then, they can revoke individual certs, including those of the certificate authority, and control the length of the revocation, re-authorization, etc.
Already has happened (Score:2)
Well (Score:2)
One thing is that I would love a costless distributed solution like the one Marlinspike suggests. I'd much rather trust a large group of peers than a company whose security practices may be questionable. Sure, the peers might be much less secure individually but as a group it's extremely hard to force something onto everybody thus causing manipulative results. If the network both rates the certificates and each other, it's next to impossible to introduce corruption on a level that matters.
Now, given what we
another approatch... (Score:2)
What if you publish your own CA with the domain name in the DNS?
You first make an CA and publish your public key as an TXT (or something similar) field to your root domain (name.tld) and using dnssec to make sure it's correct. You can now use that CA to make certs of all the names that you want within your own domain.
If someone tries to make an CA of your name and try to intercept the dns traffic to change the public key, the dnssec would fail and in that case and the CA is invalid?
Re: (Score:2)
We shouldn't have CAs at all, they have proven themselves irrelevant, untrustworthy and insecure.
... and highly profitable, which is why we'll never get rid of them, unfortunately.
Re: (Score:2)
Highly profitable ? Hmm... well, there are also free certificates:
https://www.startssl.com/ [startssl.com]
Obviously you can pay for extra features, but it is still the cheapest choice for a lot of the extras.
Re: (Score:2)
Re: (Score:2)
The ones we got are simply not fit for the job and the govt needs to revoke their license.
What license? I suppose it depends on the country, but none is necessary here. If one was necessary, "they" contribute tens of thousands to re-election campaigns of multiple politicians, and "you" probably do not. Wonder how thats gonna turn out.
I run my own CA. Its not hard. I certainly needed no license. (Note: I guarantee my root cert is not in your browser). Reason why is some apps like fetchmail, dovecot imap, dovecot POP3, and a couple others, are easier run over SSL than thru shared SSH keys.
Re: (Score:2)
Re: (Score:2)
Like my disclaimer says
I suppose it depends on the country
but in the USA its completely unregulated, at least WRT "being a CA".
As I said, I am my own CA ... If I issued some certs to you, either barter or for cash, then I'd have all the usual financial / tax / zoning / liability laws that any business follows or pays money to get out of following, but absolutely no laws are specifically CA related.
Its easy to govt license physical things like nuclear material or firearm receivers, but I think you'd find govt licensing of openssl software to
Re: (Score:2)
All it takes is to convince someone to put your cert in the list of roots. That someone can be a distro maintainer, browser maintainer, or individuals. The more, the better. In the practical sense, if you can convince MS, Google, and Mozilla to include your cert, you are now a CA.
Re: (Score:2)
If you want to be on that default list, it will cost you a lot of time (and thus money) to get started.
It is not that you have to pay a lot of money to browser vendors, it is because every browser vendor has it's own set of rules, although many are discussed and 'standardised' through the CAB-forum.
Most of the money you need to pay is for the auditing by an organisation like WebTrust or PriceWaterhouseCoopers.
The audit looks at your processes and procedures. And checks all the paperwork and that you keep pa
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Yes - DNSSEC.
Right now if you lookup bank.com in DNS you get a bunch of records that are maintained by Verisign. With DNSSEC those records will be signed by Verisign so that you can be sure they aren't tampered with.
There is no reason that one of those records can't be an SSL certificate. There is also no reason that one of those records can't be an indicator of how much verification Verisign performed.
For 99% of intended uses just verifying that the domain owner uploaded the certificate should be adequat
Re: (Score:2)
So... you're saying he's qualified to run a CA? LOL
Re: (Score:2)
Re: (Score:2)
Furthermore...I would hate to be the subject of a later video from Marlinspike about how all these users gullibly accepted his notarizations of these certs. The whole situation is a nasty, twisty problem...and the worst part is that hosts can't do a thing about it.
Re: (Score:3)
The whole situation is a nasty, twisty problem...
...and it is dark. And I smell a Wumpus...
Re: (Score:2)
Re: (Score:2)
should be nationalized.
OK for "national strategic resources". I don't necessarily agree, but I mean OK as in I understand your idea. So what do you do with "inter-national strategic resources" like the corrupt world banking system, or corrupt CAs? "inter-nationalize" them? What would that even mean? The UN owns them? The UN is just a gang of thugs, literally. The IETF? The NANOG emailing list and its cabal?
Re: (Score:3)
should be nationalized.
Government-run CAs are the only ones you can absolutely guarantee will be used to issue fake certiifcates at some point.
Re: (Score:2)
Surely anyone arguing otherwise would have to justify privitizing the army?
At least in your strange "the only reason for nationalized things is because they are too big too fail" world.
Re: (Score:2)
Re: (Score:2)
In the country where DigiNotar was based, you'd be lucky to get half that.
Re: (Score:2)
> I think about 2008 but I also think about USSR. Was the entire country "Too Big To Fail"? How about USA, is it "Too Big To Fail"?
> Who can prevent a country from failing?
Agreed, but I think about the $700 billion bailout to the banks.
Repeating what I posted in a different thread...
"too big to fail" = "the general population gets fucked with the bill !"
True Story: Forest Ranges used to be anal about stopping _every_ forest fire. They eventually learnt that this makes the situation _worse_ in the _l
Re: (Score:2)
I am familiar with the forest fires coming back with vengeance after a while, it's a true problem that people create.
The prohibition of usury is more about unreasonably high rates charged for loans, but the religions are wrong. There should be a way to charge any amount of interest, but of-course the risk that comes with this is such that you should know, that many of the loans you make won't be returned. Some will be returned within a small amount of time, so even though the interest is very high, the abso
Re: (Score:2)