
Microsoft silently adds Amazon root certificates to its CTL - svenfaw
http://hexatomium.github.io/2016/01/21/amazon-roots/
======
FiloSottile
All Amazon roots are cross-signed by other trusted roots, so they were already
trusted by all systems, including Microsoft:
[https://www.amazontrust.com/repository/](https://www.amazontrust.com/repository/)

They are also on their way to being added natively to the Firefox root store:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1172401](https://bugzilla.mozilla.org/show_bug.cgi?id=1172401)

~~~
svenfaw
Indeed they are cross-signed with a Starfield root, so I wonder, what would be
the point of adding them natively? Are there any benefits to that?

~~~
FiloSottile
Eventually, once the roots are trusted natively in enough systems, dropping
the cross-signed root, making handshakes smaller and path-building simpler.
Also some of their roots are stronger than the cross-signer, so when/if the
cross-signer becomes too weak and gets dropped, the better Amazon roots will
stay.

And I guess being a first class citizen of the CA space, which is good because
it brings audits, participation and accountability.
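
The path-building point above (one leaf chaining either through a cross-certificate to an already-trusted root, or directly to a natively trusted root) as an added, runnable illustration; this is not code from the thread, from Amazon or from any root program. All names are hypothetical and every key and certificate is generated in-process, so nothing here relates to the real Starfield or Amazon roots. The program builds a "Starfield-like" self-signed root, an "Amazon-like" root in both its self-signed form and a form cross-signed by the first (same subject, same key, different issuer), and a leaf, then runs Go's crypto/x509 path builder against client trust stores with and without the Amazon-like root added natively:

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names: everything below is generated in-process and has no
// relation to the real Starfield or Amazon roots.
const (
	crossSignerName = "Example Starfield-like Root"
	amazonRootName  = "Example Amazon-like Root"
	leafName        = "www.example.com"
)

var now = time.Now()

// Hierarchy is the constructed PKI.
type Hierarchy struct {
	CrossSigner *x509.Certificate // self-signed, already in every trust store
	AmazonSelf  *x509.Certificate // self-signed form, what a root program adds natively
	AmazonCross *x509.Certificate // same subject and key, but issued by CrossSigner
	Leaf        *x509.Certificate // server certificate issued by the Amazon-like key
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func BuildHierarchy() Hierarchy {
	crossKey, amazonKey, leafKey := mustKey(), mustKey(), mustKey()
	crossTmpl := caTemplate(crossSignerName, 1)
	crossSigner := mustCert(crossTmpl, crossTmpl, &crossKey.PublicKey, crossKey)
	amazonTmpl := caTemplate(amazonRootName, 2)
	amazonSelf := mustCert(amazonTmpl, amazonTmpl, &amazonKey.PublicKey, amazonKey)
	// Cross-signing: the cross-signer certifies the Amazon-like root's existing
	// key under the same subject name, so one leaf can chain to either root.
	amazonCross := mustCert(caTemplate(amazonRootName, 3), crossSigner, &amazonKey.PublicKey, crossKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, amazonSelf, &leafKey.PublicKey, amazonKey)
	return Hierarchy{crossSigner, amazonSelf, amazonCross, leaf}
}

// SameKey confirms the two forms of the Amazon-like root carry one public key.
func SameKey(h Hierarchy) bool {
	return h.AmazonSelf.PublicKey.(*ecdsa.PublicKey).Equal(h.AmazonCross.PublicKey)
}

// VerifyLeaf runs the path builder for a client whose store always holds the
// cross-signer and, if trustAmazonNatively, the Amazon-like root too; the server
// ships the cross-certificate as an intermediate only if shipCrossCert.
// It returns the length of the shortest valid chain, leaf included.
func VerifyLeaf(h Hierarchy, trustAmazonNatively, shipCrossCert bool) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.CrossSigner)
	if trustAmazonNatively {
		roots.AddCert(h.AmazonSelf)
	}
	if shipCrossCert {
		inters.AddCert(h.AmazonCross)
	}
	chains, err := h.Leaf.Verify(x509.VerifyOptions{DNSName: leafName, Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	shortest := len(chains[0])
	for _, c := range chains {
		if len(c) < shortest {
			shortest = len(c)
		}
	}
	return shortest, nil
}

func main() {
	h := BuildHierarchy()
	fmt.Println("both root forms share a key:", SameKey(h))
	for _, c := range [][2]bool{{false, true}, {true, false}, {true, true}, {false, false}} {
		n, err := VerifyLeaf(h, c[0], c[1])
		fmt.Printf("nativeTrust=%v shipCrossCert=%v chain=%d err=%v\n", c[0], c[1], n, err)
	}
}
```

With only the cross-signer trusted the server must ship the cross-certificate and the validated chain is three certificates long; once the Amazon-like root is in the client store the chain is two and the cross-certificate is dead weight; and dropping the cross-certificate before clients trust the root natively fails with an unknown-authority error, which is the reason a CA keeps shipping it until enough stores have caught up.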

~~~
vtlynch
>And I guess being a first class citizen of the CA space, which is good
because it brings audits, participation and accountability.

Just to clarify on your last point. If Amazon wants to issue certificates it
has to conform to industry regulations and undergo audits regardless of whether
it's using another company's roots.

------
rusanu
AWS just announced Amazon Certificate Manager service, free SSL/TLS certs for
assets hosted on AWS[1]. It makes sense to ask trust roots to add Amazon's own
certs.

[1] [https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/](https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/)

~~~
rusanu
BTW if you request an ACM cert for <domain>, make sure you set up one of the
admin@, administrator@, hostmaster@, postmaster@, webmaster@ email addresses
for <domain>, as the ACM verification email is sent to these addresses, in
addition to the WHOIS contacts registered for <domain>.

The ACM certs cannot be used with an EC2 hosted site.

~~~
ceejayoz
> The ACM certs cannot be used with an EC2 hosted site.

For clarity, ACM's certs don't come with access to the private key, so you
can't install them yourself directly on an EC2 instance. You can easily and
fairly cheaply put an ELB or CloudFront in front of that EC2, though.

------
xupybd
"Amazon is reported to have some very close ties to spy agencies." Why would
we trust that any of the other providers would not co-operate with the CIA?
Wouldn't they have to under the law?

~~~
Spooky23
It's just an attempt to add a salacious element to an otherwise dry story.

It's like taking the Chevy Bolt announcement and adding "General Motors,
owners of the Hummer brand and makers of black SUVs, is known to have long
standing business relationships with military and intelligence services."

~~~
withjive
That analogy is actually pretty weak.

When you buy a Chevy Bolt, you're not expecting to use TLS to securely lock your
doors.

However, if ACM is compromised by a "spy agency" — then anything you intended
to be protected by a secure HTTPS transport is now logged, and easily
decryptable by the "spy agency" at their convenience.

~~~
strommen
When you buy a Chevy Bolt, you may not realize that a) the government knows
everywhere you drive, and b) law enforcement can remotely disable your car via
OnStar.

~~~
withjive
Not a problem unless you're a criminal.

~~~
iolothebard
With foresight like this, who needs to worry?

------
z3t4
Isn't SSL/TLS certificates broken when all you have to do is to add one root
certificate to MITM everyone else's SSL/TLS?

~~~
InclinedPlane
Is it broken when a CA can be compromised without consequence? Is it broken
when bad actors can have root certs installed in most browsers?

Yes, it's broken. It's been broken for a very long time.

~~~
cm2187
In a way it's broken for the same reason as the banking system was: too big
to fail. So many websites rely on a few CAs that we can't allow to fail,
otherwise we break the internet.

I wonder if we shouldn't adopt a solution similar to what was adopted for
banks: a plan for orderly failure. Having a protocol, at least for DV
certificates, to easily switch all your websites to another CA. All CAs would
have to implement the same API, and all web servers would be able to consume
that API. The same API would be used for auto-renewing certificates.
Effectively generalising Let's Encrypt for commercial certificates.

~~~
icebraining
I think that's one of the goals of Let's Encrypt, by developing the ACME
protocol, which will be submitted as a standard RFC:
[https://ietf-wg-acme.github.io/acme/](https://ietf-wg-acme.github.io/acme/)

------
moviuro
See the info repo provided by amazon:
[https://www.amazontrust.com/repository/](https://www.amazontrust.com/repository/)

------
nailer
If there's an issue here, it's not that the root stores adding Amazon's root
certs are doing anything nefarious: it's simply that Microsoft should improve
their communication.

~~~
crosre
Could it be they were not provided that option?

------
vpcguy
Microsoft published their updated list of CAs on their website today, and
Amazon is there.
[http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-jan.aspx](http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-jan.aspx)

------
rockdoe
IIRC Chrome uses or at least used to use the Windows certificate store. So
will it trust these automatically?

~~~
akerro
Yes, Firefox ships its own package of trusted roots.

------
xutopia
Can someone explain this like I'm 5? I'm not sure what this means and why it
matters.

~~~
josinalvo
(maybe I got a bit carried away with 'like I am 5' :P)

1. When you type an address in the address bar, (say, www.mybank.com) it is
possible for the network infrastructure to take you to mybank.com, but also
possible for it to take you to evilsite.com

2. To prevent this, browsers check that mybank.com has a secret number[0]. If
not, they tell you the infrastructure is messing with you.

3. To know the correct secret number to mybank.com, you "consult" some other
"sites"[1]

4. But how can you tell if those sites are OK? Checking some other site? At
some point, you need numbers that your browser knows since installation

5. Amazon just got one of their numbers into the 'Internet Explorer' browser

6. The author of the article is afraid Amazon uses their numbers to 'vouch'
for evilsite.com rather than mybank.com (every number in your browser can
vouch for any number for any site -- which is kind of dumb)

6a. Also, author notes that, while adding numbers to a browser is usually a
big deal, Microsoft has not told anyone that they are adding Amazon's number

[0] technically correct, but a bit misleading
[1] technically wrong, but hey, you are 5

------
dredmorbius
CTL???

~~~
rusanu
Certificate Trust List [1].

> A CTL is a predefined list of items signed by a trusted entity. ... The
> primary use of CTLs is to verify signed Messages, using the CTL as a source
> of trusted root certificates.

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa376545(v=vs.85).aspx

~~~
dredmorbius
Thanks.

