Will New Free Certificate Authority Help Or Hinder Online Security?
from the first-things-first dept
A couple of weeks ago, Techdirt wrote about Let's Encrypt, an interesting new project from the EFF, Mozilla and others to set up a free certificate authority (CA) that will allow anyone running a website to offer encrypted connections. That sounds like a great idea, since it will make snooping on web traffic much harder. But a post (on LinkedIn, unfortunately) by Alexander Hanff, Chief Privacy Officer at Connect In Private, wonders if it might actually make things worse. Here's why:Creating a new Super Certificate Authority is the equivalent of painting a huge red target onto the backs of all the people who use it.Techdirt asked the EFF to respond to this concern, and Peter Eckersley, the organization's Technology Projects Director, replied as follows:
Let's not mix our words here, it will become a target -- that much is completely indisputable, it would be utterly naive to believe the US Government will not target this new CA with court orders. What's more, given the historical evidence, there is a strong chance that such orders will be for "super master keys" allowing them to pretend to be whomever they like [for man-in-the-middle attacks] and it will be done under the guise of National Security because of course a CA which provides free certificates for everyone is (in the eyes of law enforcement) a hotbed for criminals and terrorists -- why on earth would a terrorist pay Verisign for an SSL certificate, leaving a paper trail, if they can obtain an anonymous certificate for free from Let's Encrypt?
Mr Hanff is right to be concerned about structural flaws in the CA infrastructure, but he hasn't understood the problem. This is something we've been working on for years: https://eff.org/observatory https://www.youtube.com/watch?v=9VAreZZhue4 and we certainly wouldn't have picked a design to make the situation worse.As that points out, the first problem is to get people using encrypted connections; after that, we need to work on those "structural flaws in the CA infrastructure" that Hanff and Eckersley agree are a serious issue that needs addressing.
Anyone who looks at the CA infrastructure is going to think, "oh, there are expensive high security CAs, and weaker low security CAs, and hundreds of others run by various corporations and governments, I'd better pick one I can trust". But it turns out not to matter which one *you* pick, because our web browsers have been designed to trust hundreds of them. So even if you buy from the one with the best combination of security and jurisdictional robustness, a would-be man-in-the-middle attacker will pick a weak one to use against you. We've seen this play out for instance with the Iranian attack on Gmail via a CA in the Netherlands, and a Turkish CA issuing improper certs for Google.
Let's Encrypt's first mission will be to solve the grand problem of HTTPS, which is that hundreds of millions of sites don't use it at all. But it will also be engineered to begin addressing the structural flaws in the whole CA marketplace. For sites that it want it, we'll assist in using mechanisms like pinning to protect against the hundreds of other CAs that the site isn't using (pinning lets a site declare that only a small and specified number of CAs can sign certs for it). And for our own CA, we will use Certificate Transparency or equivalent mechanisms to ensure that if our operations were ever compromised or compelled in any way, that would be recorded and rapidly visible to the whole Internet.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: alexander hanff, certificate authority, certificates, let's encrypt, privacy, security, surveillance
Companies: eff, let's encrypt
Reader Comments
Subscribe: RSS
View by: Time | Thread
Put the CA out of reach...
It is only vulnerable if it is within the jurisdiction of the US government. I wonder if putting the CA on a small satellite or in international waters would make it less vulnerable to court orders (though, at that point, physical security would likely be more of an issue, since they can just blow it up.)
Maybe the answer is to adopt more of a Skipjack approach to CAs, where multiple CAs are involved in generating new certificates, and no single CA can generate a certificate from a CSR. That way, if one CA is compromised, the keys to the castle aren't completely lost. Will mean a lot more infrastructure costs...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
but it's progress...
At that point, it's trivial to change CAs to one that is more "trustworthy" - but for the vast majority of websites that isn't probably a big deal anyway.
[ link to this | view in chronology ]
Pinning plus private CA
For places that don't have an IT staff capable of dealing with OpenSSL, I can already sketch out the hardware and software for a small turnkey box that's a dedicated certificate authority capable of generating it's own root and intermediate keys and certificates, generating server and client keys and certificates and writing them out to an external flash drive for transfer, and managing a historical database of generated certificates (it wouldn't retain client or server keys for obvious reasons). The most expensive part of it would probably be the display, the rest shouldn't cost more than your average home WiFi router. Sure it's not going to be as secure as Verisign can manage, but conversely it's not going to be nearly as attractive a target as Verisign would be either and it wouldn't need network connectivity which right there severely limits possible attacks.
Let's face it, in most non-corporate situations you don't care about the absolute physical identity of the entity running the Web site. You care mostly about whether you're talking to the same site every time and that nobody's hijacked you to a bogus server. The biggest risk there isn't validating the site's server certificate, it's that someone'll have used a malicious link to take you to a completely different site in it's own domain without you realizing it.
[ link to this | view in chronology ]
Re: Pinning plus private CA
But if when you first visit the "site" it's actually the MITM attacker serving you the certificates to be trusted...?
I still think there are benefits to a more central approach - though obviously some risks as well. (and I would trust an EFF run PKI A more than one by joe-blows-cousin for just one website)
Lets have a go at this (with Secure DNS) before we palm it out to every site individually... [plug - not affiliated just like it] try Calomel plugin to check (and validate) certificate strengths for every website you visit & run ssl observatory - we need to do our part also :)
[ link to this | view in chronology ]
Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Pinning plus private CA plus client certificates
The user agent applies for an anonymous client certificate, devoid of identifying information. It can be used to log in at that site only.
In combination with DNSSEC and DANE, it allows the browser to do a proper authenticated public key exchange.
The strongest protection comes from this: As the server and client certificates are signed using the same private CA, they have a way to mutually authenticate each other. No more MitM, DNS-hijacking, IP-rerouting attacks. All without the user having to make a single security/cryptography decision.
Details are in my paper: http://eccentric-authentication.org/Usable-Security.pdf or check out that site.
[ link to this | view in chronology ]
Re: Re: Pinning plus private CA plus client certificates
[ link to this | view in chronology ]
Re: Pinning plus private CA
SSL will be useless very quickly because people will simply not remember if they accepted it before or if their browser lost the information somehow and you will find that people just trust everyone claiming to be a CA.
[ link to this | view in chronology ]
Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Pinning plus private CA
and how would that CA be authenticated by the browser? By a higher CA that's already in the browser? That higher CA can be compromised.
Oh, you mean the private CA should already be within the browser? So every browser should have the public key of every website out there? Isn't that the entire problem that having a certificate hierarchy system is supposed to solve?
[ link to this | view in chronology ]
Re: Re: Pinning plus private CA
I use a private root CA for all my needs. If someone needs the cert, they get it directly from me, and check it based on the fingerprint. This is an order of magnitude more trustworthy than any of the commercial certificate authorities. While it's not automatic (and therefore requires a tiny bit more effort on the part of both the site and the users), any site can easily do this.
Personally, I don't consider certs signed by commercial authorities to be trustworthy. There's been too many cases of them being subverted to just take them on faith anymore. I consider them "sortof trusted": in other words, I would never use them thinking that they are providing strong security, but they are good enough for everyday use.
Private root certs can actually be trusted.
[ link to this | view in chronology ]
Re: Re: Re: Pinning plus private CA
So every website is going to have their own 'root CA' and the browser must pre-contain the root CA of every website out there?
[ link to this | view in chronology ]
Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Pinning plus private CA
The whole notion of independent root CAs was a broken idea from the very start. In fact, this was a big part of the debate when the idea first came around. It subverts the entire chain of trust from the root of it. The only reason that people went along with it was because it's far more convenient than doing things the right way.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
Getting the certs in a secure and trustworthy way isn't as hard as you might think (even if they're on the other side of the planet) -- but, as I said, it is inconvenient.
"That maybe even less secure because phone calls generally have no encryption (and even if they did how do you securely share encryption keys?)."
The lack of phone encryption is not an issue. If an attacker eavesdrops on the key exchange, the attacker has not learned anything that is useful -- they've only obtained the same public cert that they could get by asking for it themselves anyway. That's one of the beauties of public key encryption: the key exchange can take place over insecure channels without compromising the crypto.
The issue of knowing who's giving you the key is obviously a big problem -- but one that there is currently no good, universal, and convenient solution to in any case. Third party root CAs are not trustworthy and therefore a key signed by them should not be trusted. This includes every preloaded key on your system.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
Doing it the right way is what I propose in my paper.
Please see http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html and the paper: http://eccentric-authentication.org/Usable-Security.pdf
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
It recommends using DANE to ensure that the CA is actually the CA you think it is. That's well and good, but doesn't really impact the problem I'm discussing here: that the CA itself cannot be considered trustworthy. This problem is why I say that the concept of independent root CAs is a broken one, and people only accept it because they're making a tradeoff in favor of convenience over security.
Have I misunderstood? What we need is a way of eliminating independent CA authorities altogether.
[ link to this | view in chronology ]
Re: Re: Re: Pinning plus private CA
Which addresses nothing and leaves the same problem I mentioned.
[ link to this | view in chronology ]
Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
That does not make the exchange less secure. It doesn't matter if the call is eavesdropped on.
"(maybe how I should have stated it better), there is no cryptographic method of verifying who you are talking to"
Oh, now I understand. You're mixing different things here -- here, you're talking about authentication, not cryptography. Although certain types of cryptography can be used for authentication, authentication is a totally distinct thing -- and can be done in the total absence of cryptography.
For example, let's say you want to authenticate that the person you're talking to on the phone really is working for the bank that you think they are. This can be easily authenticated by the simple expedient of you calling the bank's well-known and widely publicized contact number.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
Because any other way would mean needing to prove you are directly talking to the site operator (and not a man in the middle) through your computer over the Internet.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
That's correct, and that's a security risk. But it's no different than the risk you take in accepting the keys that are preloaded into your system anyway, so it doesn't represent an overall decrease in trustworthiness.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
Sure, this means that you are relying on the operating system certs that are pre-installed but, presumably, you got your computer/operating system from a much more secure channel which is better than just randomly downloading files online with no preloaded certs. and, yes, the certificate authorities on your operating system could also be compromised.
So when you download firefox you know with some degree of certainty that the exe file came from Mozilla and so any pre-installed certs within the setup file came from Mozilla and weren't compromised in transit. So yes, there are two potential points of failure
Mozilla could be sending you bad certs (ie: the feds could be working with Mozilla)
The CA's that come preloaded with your OS could be compromised.
But that's still much better than just downloading the exe file without any preloaded certs whatsoever and trusting that you are getting those certs from the site owner. It's much better than just visiting random websites without any preloaded certs whatsoever and trusting that the certs given are authentic. At that point you have no way to know whatsoever. At the very least when you bought your operating system they came preloaded with certs and you can compare those certs with certs from other people that have gotten their operating system from different sources, Microsoft and other cert authorities can ensure various MS operating system retail outlets distribute their operating system with the proper certs or else someone will likely catch it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
That's right. And you're taking it on faith that those certs are the correct ones. Because of that, those keys are less trustworthy than the ones that your obtained and verified directly from the entity the keys are meant to represent.
"but, presumably, you got your computer/operating system from a much more secure channel which is better than just randomly downloading files online with no preloaded certs."
If you take the "much" out of that statement, then I agree. However, I'm not saying "don't use certs". I'm saying that the preloaded certs are less trustworthy than the ones you've properly obtained yourself.
"Mozilla could be sending you bad certs (ie: the feds could be working with Mozilla)"
My point exactly, although it is unlikely that the attacker would need to work directly with Mozilla (or any other browser maker) to accomplish that. At least, when bad certs have been included in the past, it hasn't been because anyone was working directly with them.
"The CA's that come preloaded with your OS could be compromised."
Indeed, and some have been. For this discussion, there's no difference between the OS certs and the browser certs. All preloaded certs are suspect.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Pinning plus private CA
[ link to this | view in chronology ]
Re: Re: Re: Re: Pinning plus private CA
Which addresses nothing and leaves the same problem I mentioned."
Here's the commenter: The site specifies the certificate of the private CA in the DANE-records. This ties the CA to the domain name.
We could add Certificate Transparency to monitor long term stability of that tie. It protects against DNS-manipulations as well.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The problem is trust
The solution is not to trust anyone. Trust makes things easy because you transfer the security problem to another authority, but the more difficult (but the only secure one) path is to be fully responsible for your own security.
[ link to this | view in chronology ]
Re: The problem is trust
[ link to this | view in chronology ]
Key Pinning and CT
While there is no good solution to replace the whole CA system yet there are actually pretty nice workarounds for a large number of problems. They are called HTTP Public Key Pinning and Certificate Transparency.
You can start adding Key Pinning to your site today. Chrome supports it, Firefox and IE work on it, it will improve your security a lot and it'll make CA compromises much less of an issue.
[ link to this | view in chronology ]
Re: Key Pinning and CT
Here would be a better solution.
2 Tier PKI.
Tier 1. CryptoAuthentication (These would be certs issued publicly just like our current CA PKI saying this entity is legit enough to issue you/self trusted certs)
Tier 2. CryptoEncryption (These would be Cert servers actually signing and encrypting the certs... then issuing them)
Tier 1 Signs Tier 2 which work effectively just like Extended Validation certificates that require intermediaries. Except the intermediary would be a private CA while the root is the public CA.
This would prevent government snooping dead in it tracks, and with some added features can also be used to allow automatic tracking of issued certs so that the moment a pseduo MITM attack cert was circulating it would be near instantly discovered!
Yes, this would require changes to how the current PKI system works, but would be DAMN worth it! It also has the added benefit of mitigating compromised public Root Certificates.
The pinning method is not sufficient because it still has too FEW people involved. With my method, anyone that wants encryption will have to run a PKI server, and with a good open sourced PKI product this would not be too much to ask!
[ link to this | view in chronology ]
https://www.techdirt.com/articles/20141106/05305729062/are-apple-google-microsoft-mozilla-helpi ng-governments-carry-out-man-in-the-middle-attacks.shtml#c552
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Canary?
[ link to this | view in chronology ]