
Maintaining digital certificate security - ayrx
http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
======
michaelt
Software vendors shouldn't list CAs as trusted when they prove they can't be
trusted - but removing a CA from the trust store breaks things for innocent
websites who just chose a crappy CA.

Every CA should be required to publish a signed, public list of every
certificate they have issued that is currently valid; and no certificate
should be considered valid if it isn't on a CA's public list of certificates.

That way, when a CA fucks up like this, vendors could remove their
certificates from the root stores, but could grandfather in all their previous
certificates so the CA's customers have a few months to get a certificate from
a decent CA. We could even use the list to contact all the CA's customers and
advise them of the upgrade deadline.

If this CA isn't removed from the root store, it sends a message to other CAs:
You can issue bad certificates with impunity, and there will be no negative
consequences.

~~~
jewel
A compromise that wouldn't hurt innocent websites would be to remove the CA's
ability to issue new certificates.

CAs knew that the stakes were high when they signed up to be a CA, so I think
it'd be fair to remove them permanently. Eventually, only the truly paranoid
would be left. It may cost a bit more to run a fully secure CA, and that would
be reflected in the cost of a certificate from those that remain, but that'd
be a price that everyone should be willing to pay.

~~~
gtaylor
> It may cost a bit more to run a fully secure CA, and that would be reflected
> in the cost of a certificate from those that remain, but that'd be a price
> that everyone should be willing to pay.

I don't know, this could really discourage the adoption of HTTPS. We need to
be making it easier for sites to adopt it.

Ideally we could lessen our dependence on CAs. Sure, a "fully
secure/expensive" CA would validate a certificate's authenticity with high
confidence, but we'd be excluding tons of hobby projects and small shops who
wouldn't want that expense.

~~~
marcosdumay
What good does widespread HTTPS use do if you can not trust it?

I'm all for reducing our dependence on CAs, and reducing the number of CAs we
trust for signing a site, like putting the keys in DNSSEC. But until we do
that, we must not trust bad apples.

~~~
AlyssaRowan
It's _always_ better than plaintext HTTP. Nothing is worse than plaintext.

TLSv1.2 with good ciphersuites using ECDHE with a named curve like secp256r1
[murky origins I know, but we know of nothing else wrong with it, though
Curve25519 is superior in my opinion], and an AEAD like AES-128-GCM or
CHACHA20-POLY1305, properly implemented with no TLS compression at least
comprehensively prevents Eve from spying on the contents of your connection in
most cases, even if you're using self-signed certificates with no pinning and
are entirely unprotected from Mallory.

A browser shouldn't call it secure or the endpoint trusted, but it _should_
transparently replace all uses of unencrypted HTTP worldwide, including
internal ones. That should not be discouraged, and will hopefully be actioned
with HTTP/2 - that was the plan, anyway.

Even if the encryption is crap (Export ciphers... RC4?) I guess it does take
_some_ more work for Eve, which knocks out a few of the lower-capability
adversaries.
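
An added example (mine, not from the comment above) of the client-side configuration it describes, using Python's ssl module: TLS 1.2 minimum, ECDHE on secp256r1 (OpenSSL's name is prime256v1), AEAD-only suites, compression off, plus an audit that flags any enabled suite that misses that bar. The RC4 entry is a constructed sample used only as the negative case.

```python
import ssl

# Constructed sample of a suite as ssl.SSLContext.get_ciphers() reports one
# (an RC4 suite, used as the negative case; not taken from a live connection).
RC4_SUITE = {
    "name": "RC4-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa",
    "auth": "auth-rsa", "aead": False, "symmetric": "rc4",
    "description": "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1",
}


def meets_bar(cipher):
    """True if a get_ciphers() entry is forward-secret (ECDHE) and AEAD.

    TLS 1.3 suites are always (EC)DHE and AEAD, so they pass on protocol
    alone; TLS 1.2 suites must use the ECDHE key exchange.
    """
    if not cipher["aead"]:
        return False
    if cipher["protocol"] == "TLSv1.3":
        return True
    return cipher["kea"] == "kx-ecdhe" or "Kx=ECDH" in cipher["description"]


def build_context():
    """Client context restricted to TLS 1.2+, ECDHE, AEAD, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION             # rules out CRIME-style leaks
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # AEAD only, ECDHE only
    ctx.set_ecdh_curve("prime256v1")                 # secp256r1 for the ECDHE exchange
    # Certificate checking stays on: encryption alone stops Eve, but only a
    # verified identity justifies calling the endpoint trusted.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit(ctx):
    """Summarise the context; `bad_suites` should come back empty."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "enabled": len(suites),
        "bad_suites": [c["name"] for c in suites if not meets_bar(c)],
    }
```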

~~~
leni536
Couldn't Mallory just replace the certificate with her own one? The browser
would just pop up the same warning. The warning should show some form of a
public key fingerprint at least before clicking through "I understand the
risk".

------
blueplanet
Moxie Marlinspike gave a talk at DEFCON 19 about how broken the CA model is
and suggested an alternative.

The talk -
[https://www.youtube.com/watch?v=pDmj_xe7EIQ](https://www.youtube.com/watch?v=pDmj_xe7EIQ)
The alternative - [http://convergence.io/](http://convergence.io/)

~~~
exo762
Had a notary up and running, but was not able to force the browser into using
one. Unfortunately there is not enough attention from the community to this
project.

------
kylec
Once again, demonstration that the CA model is broken. Why does it make sense
for any CA to be able to issue certificates for any domain?

~~~
jonny_eh
What would the solution be?

~~~
richardwhiuk
DANE TLSA is probably the best current option.

~~~
AlyssaRowan
On that note, it's worth taking a look at
[https://tools.ietf.org/html/draft-nygren-service-bindings-00](https://tools.ietf.org/html/draft-nygren-service-bindings-00)
\- the "B" record, which is in a _very_ early speculative draft.
One shot among several at gluing this stuff together.

------
y0ghur7_xxx
_This event also highlights, again, that our Certificate Transparency project
is critical for protecting the security of certificates in the future._

No! Certificate Transparency still relies on central authorities. We need to
get rid of CAs. TACK + Convergence is the correct solution.

~~~
contingencies
I agree decentralization is desirable but haven't studied all of the proposals
in depth. Over at
[http://www.certificate-transparency.org/comparison](http://www.certificate-transparency.org/comparison)
Google claims:

...that their CT approach is superior to TACK because (T1) Servers can
instantly roll out a new key if the previous one is lost (T2) Global (i.e.
whole internet sees evil server instead of good server) and targeted attack
detection is superior (T3) There are no trusted third parties (T4) Newly
issued keys on totally new sites can also be validated (to a greater extent)
(T5) No server modification (i.e. to deliver pinning headers) is required.

... that their CT approach is superior to Convergence because (C1) It is not
known to introduce side-channel attacks due to changes in the SSL connection
negotiation phase (C2) Servers can instantly roll out a new key if the
previous one is lost (C3) Global attacks (i.e. whole internet sees evil server
instead of good server) are negated (C4) There are no trusted third parties
(C5) Newly issued keys on totally new sites can also be validated (C6) No
server modification (i.e. to deliver pinning headers) is required.

Can anyone refute these claims?

~~~
y0ghur7_xxx
Alexandra C. Grant wrote a paper comparing different methods of improving the
current CA system:
[http://www.cs.dartmouth.edu/reports/TR2012-716.pdf](http://www.cs.dartmouth.edu/reports/TR2012-716.pdf)

But unfortunately she does not take TACK/pinning + Convergence in
consideration.

~~~
mike_hearn
I wrote an article discussing many CA alternatives which also includes
Convergence, here:

[https://medium.com/bitcoin-security-functionality/b64cf5912a...](https://medium.com/bitcoin-security-functionality/b64cf5912aa7)

Convergence IMHO does not work. The UI is poor and fundamentally it's just the
CA model with very short lived constantly renewed certificates. There's no
particular reason to believe it'd work better than the existing PKI for
ordinary users.

~~~
exo762
> it's just the CA model with very short lived constantly renewed certificates

Very strange conclusion. Convergence has the following properties the CA model
does not have:

* trust is optional (you don't have to trust Iranian CAs)
* trust is revocable (you can safely remove trust from any notary)
* trust is distributed (you trust only if all notaries are acting as one; as opposed to "you trust anything any of the CAs will say")

Notaries are not signing anything, they are not CAs. Also, there is nothing
like "short lived constantly renewed certificates" in this model. Hosts are
using self-signed certs (or CA signed - does not matter). Notaries are
functioning in an "attacker will not MiTM the whole Internet" model and only
help you detect if something went wrong.

If anything, convergence is a combination of TOFU and WoT models. Although an
attempt to describe a security model by such comparisons does not help much.
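
An added example (mine, not from the comment or the Convergence project) that models the notary rule described above in Python: the client keeps its own editable set of notaries, and a certificate is accepted only when every notary in that set reports the same fingerprint the client was presented. Notary names and fingerprints are constructed values.

```python
# Constructed data: the SHA-256 fingerprint (hex) each notary saw when it
# fetched example.org's certificate from its own vantage point.
GOOD = "a1" * 32   # the site's real certificate
EVIL = "ee" * 32   # a certificate a local man-in-the-middle would present

NOTARY_VIEWS = {
    "notary-eu": {"example.org": GOOD},
    "notary-us": {"example.org": GOOD},
    "notary-ap": {"example.org": GOOD},
}


def convergence_verdict(host, presented, views, trusted):
    """Return (accept, reason) for the fingerprint `presented` for `host`.

    `trusted` is the client's own set of notary names, so trust is optional
    (leave a notary out) and revocable (drop one later).  Consensus rule:
    every trusted notary must report exactly the fingerprint the client was
    given.  An attacker who sits only on the client's path cannot change
    what notaries elsewhere observe, so their reports expose the swap; a
    single lying notary is also caught, because all must agree.
    """
    if not trusted:
        return False, "no notaries selected"
    seen = {}
    for name in sorted(trusted):
        fingerprint = views.get(name, {}).get(host)
        if fingerprint is None:
            return False, f"{name} could not observe {host}"
        seen[name] = fingerprint
    disagreeing = [n for n, fp in seen.items() if fp != presented]
    if disagreeing:
        return False, "mismatch reported by " + ", ".join(disagreeing)
    return True, "all trusted notaries agree"


if __name__ == "__main__":
    everyone = set(NOTARY_VIEWS)
    print(convergence_verdict("example.org", GOOD, NOTARY_VIEWS, everyone))
    print(convergence_verdict("example.org", EVIL, NOTARY_VIEWS, everyone))
```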

------
mqzaidi
The CCA is so aware of its own vulnerability, it refrains from the use of SSL
on its own page
[http://cca.gov.in/cca/index.php](http://cca.gov.in/cca/index.php) - no https
here :)

~~~
hrjet
Indian govt websites have a pathetic sense of security. One prominent consumer
facing website with logins and company data has a certificate issued to "Mohan
Babu" (equivalent to John Doe) and expired 5 years back! I guess that's
somewhat better than the other Indian govt websites that have no SSL at all!

------
korzun
> At this time, India CCA is still investigating this incident. This event
> also highlights, again, that our Certificate Transparency project is
> critical for protecting the security of certificates in the future.

What is there to investigate? If they had a proper system in place this should
not require 'investigation'.

While I embrace the global infrastructure, it's a bit weird to give authority
rights within a country that has a pretty broken legal system (re: Avnish
Bajaj, etc).

~~~
mike_hearn
Presumably if they got hacked, they want to know how they got hacked. Perhaps
there's a new zero day on the loose. It always makes sense to investigate
these things.

------
Karunamon
It's because of incidents like _this_ why I call our PKI a scam and a racket.
The fact that this is even a thing that can ever happen points to massive,
systemic problems in the trust model.

~~~
hsod
> a scam and a racket

Can you elaborate? I've heard a lot of people say it's broken or badly
designed, but not that it's malicious or intentionally broken.

~~~
marcosdumay
Well, it's broken and there are people getting lots of money due to the fact
that it's broken.

Almost certainly the creation of the standard was not malicious, and almost
certainly it currently gets support of people acting with malice. But I don't
have anybody to point a finger at, even the most logical suspects aren't
overtly trying to keep it broken.

------
eyeareque
Maybe we need a browser add on that warns us when a shady/incompetent CA has
signed the certificate of the current site we are on? As it sits today there
is no repercussion for these terrible CAs that screw up like this.

~~~
eli
If you don't trust the CA, you could just remove it from the root store of
your OS or browser.

~~~
eyeareque
True, but that is a manual process that most users don't know how to carry
out. We need to make it easy for the masses to "punish" the terrible CAs. If
you can put pressure on the bad CAs, they will at least try to get better.

~~~
eli
Understanding SSL is already really hard. What is a user supposed to do with a
warning about a valid cert from a questionable CA? The site is _probably_ fine
so you're mostly just teaching them to ignore SSL warning messages.

~~~
eyeareque
The idea is to cause at least a small percentage of users to distrust the
cert/CA. This would cause the sites who buy CAs to avoid going with the shady
CAs because of the user complaints they got after browser warnings were shown.

------
ntakasaki
The CA system is broken, so is BGP with routes being essentially hijacked by
the word of mouth protocol. Wonder what the fixes or a reboot of the internet
would look like.

~~~
martindale
Like this:
[https://github.com/cjdelisle/cjdns/blob/master/doc/Whitepape...](https://github.com/cjdelisle/cjdns/blob/master/doc/Whitepaper.md#what)

------
bla2
It's a scary thought that this probably has been going on mostly undetected
for over a decade before Chrome added cert pinning.

------
IgorPartola
I wonder if having your registrar be the only one able to issue you a cert for
your domain would solve this. That way the user can verify that the cert was
not only signed by a trusted CA but by a trusted CA for this specific domain.

~~~
kiallmacinnes
The registrars would love this ;)

DANE and DNSSEC feel to me like the only currently proposed replacement for
the CA system that has a chance of succeeding, not necessarily because of
technical superiority, but because of practicality and simply being "good
enough".

~~~
marcosdumay
It's technically superior.

Instead of trusting 600 CAs, with DANE you only trust the TLD, second level if
existent, and registrar. It's an incredibly smaller attack surface. You can
also register in a second TLD, inserting redundancy into any system that knows
your address beforehand.
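
An added example (mine, not from the comments or any DANE implementation) of what a TLSA record actually pins, in Python: RFC 6698 RDATA is parsed and matched against a certificate chain, where the PKIX usages still require the ordinary CA chain and the DANE usages are satisfied by the record alone. The DER blobs in the test are constructed placeholders, and DNSSEC validation of the record itself is assumed to have happened before this check.

```python
import hashlib
import struct

# TLSA RDATA layout (RFC 6698): usage(1) selector(1) matching type(1) data.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: "sha256", 2: "sha512"}   # 0 means exact match


def _select(mtype, selected):
    """Association data for `selected` under matching type `mtype`."""
    if mtype == 0:
        return selected
    return hashlib.new(MATCHING[mtype], selected).digest()


def make_tlsa(usage, selector, mtype, selected):
    """Build RDATA for a record that constrains `selected` (DER bytes)."""
    return struct.pack("!BBB", usage, selector, mtype) + _select(mtype, selected)


def parse_tlsa(rdata):
    """Split wire-format RDATA into (usage, selector, mtype, association)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unknown TLSA usage/selector/matching type")
    return usage, selector, mtype, rdata[3:]


def dane_verdict(rdata, chain, pkix_ok):
    """Decide whether `chain` satisfies the TLSA record.

    `chain` is a list of (cert_der, spki_der) pairs, leaf first.  EE usages
    (1, 3) bind the leaf; TA usages (0, 2) bind an issuer in the chain.
    Usages 0 and 1 still need ordinary PKIX validation (`pkix_ok`), which is
    what lets a domain say "only a cert under *this* CA is valid for me".
    DANE-TA (2) also needs the chain to validate up to the matched issuer;
    that path building is outside this example.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    for cert_der, spki_der in candidates:
        selected = cert_der if selector == 0 else spki_der
        if _select(mtype, selected) == assoc:
            return pkix_ok if usage in (0, 1) else True
    return False
```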

------
AlyssaRowan
I wonder if we can map _every_ intermediate?

Obviously Certificate Transparency (or any public audit log to some extent,
really) helps a _bunch_ with this sort of thing.

------
danielweber
So when does the CA death penalty occur?

~~~
exo762
Never. Once a CA, forever a CA. Can't remove a particular CA on the local
level (too hard for users), can't remove a particular CA globally - because of
all those legitimate certs signed by that CA.

~~~
cbr
DigiNotar went bankrupt and had their cert removed from browsers after they
tried to cover up a hack:
[http://en.wikipedia.org/wiki/DigiNotar](http://en.wikipedia.org/wiki/DigiNotar)

------
elchief
I wonder what those other domains were and why Google didn't pin them. Is it
costly to pin a domain?

------
chris_mahan
The Cathedral isn't finished and it's crumbling already.

Back to the Bazaar!

------
higherpurpose
> The India CCA certificates are included in the Microsoft Root Store and thus
> are trusted by the vast majority of programs running on Windows, including
> Internet Explorer and Chrome.

Jesus Christ, the CA system is so broken.

