What Would It Take To Have Open CA Authorities?

trainman writes "With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites in to the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?"

CACert

try it....

Re:CACert

[zerOnIne]

Seconded. go here.

Re:CACert

Which doesn't answer the question as their certificate isn't supported in Firefox.

Re:CACert

[sakdoctor]

The cert isn't included in any browser your are likely to use.

Re:CACert

[rufus+t+firefly]

It isn't *included*, but it's definitely *supported*. Just go here with Firefox to install their root cert.

Re:CACert

[squiggleslash]

No, it shouldn't.

All CACert does is verify that you have control of the domain name you're trying to get a certificate for before issuing a certificate. That means that you can, with CACert, register something like "citicardbank.com" using throwaway fake information, put up a phishing website, get a certificate for it, and look perfectly legitimate to anyone you phish, without any of your victims ever being able to find out who you were. It doesn't, of course, have to be phishing. It could be "discountjewelryandelectonics.com", with you raking in the "orders" and running away with the cash, again with nobody able to find out who you are.

Given the general security principle, espoused by most web browser makers, of "Trust nobody unless it's a secure connection, and even then be careful", it makes no sense for Mozilla, Opera, or Microsoft to encourage the use of unaccountable certificates. CACert is fundamentally a bad idea, at least with the current implementation of most web browsers. The only way to make it acceptable is for the user to be warned every time they visit a new website with a certificate signed by a accountability-free CA.

And given it's the warnings the submitter is whining about, well, what's the point?

Re:CACert

[pablomme]

Or even better, go here, since the above address is an https and Firefox won't accept its self-signed certificate..

Re:CACert

[LordKronos]

Which does absolutely nothing to stop scaring visitors of your website. We need something that is accepted by default.

Re:CACert

[Bryansix]

Uhm, I sincerely doubt that Verisign actually makes you go in person to an office and fingerprints you and checks your Driver's License and gets a DNA sample. And since that's the ONLY real way to verify someone is who they say they are then Verisign can provide certificates to people running the same damned scam! Verisign offers no real value. It's all a scam they run for the perception of value added.

Re:CACert

[Illbay]

...it makes no sense for Mozilla, Opera, or Microsoft to encourage the use of unaccountable certificates.

Well, then O-B-V-I-O-U-S-L-Y you're in favor of evil "monopolies like Verisign," of which there are, of course, several (which means they're not "monopolies" at all, then, but since we just want to say "they're mean and charge too much money," why quibble?)

Re:CACert

[cbreaker]

Verisign and friends aren't much better. They have given SSL certs to all kinds of scammer or ridicuous domain names in the past, and continue to do so.

Trusting that companies like Verisign are doing the right thing is no better than doing nothing.

Re:CACert

[noa]

No.

I have bought a few "commercial" certificates from vendors in a capacity as consultant, and I use cacert certificates for my private work and their verification of domain is very similiar. You need to have access to the email sent to at least one official looking email address associated with the domain in question (you may choose from a short list of names like root@domain, hostmaster@domain, postmaster@domain etc.)

In other words, you couldn't get a cacert certificate for a domain you can't read the email for. The security of the process is not perfect, but it is no worse with cacert than it is with the other certification authorities.

Re:CACert

[mindstormpt]

Actually you can only get a certificate from CACert if you've been assured with enough points, and that's only supposed to happen after in-person ID verification by multiple members. The certificate includes the verified identity of the member, or the organization if that's the case.

You can debate if this web of trust model is acceptable, but it's been used by Thawte for some time now, and its certificate is included in every browser.

Re:CACert

[theodicey]

StartCom is free and already supported by Firefox.

Mozilla just wants CAs to offer some level of accountability and identity verification. Their CA certificate policy is explicit in its requirements.

I don't see the point in having Verisign certificates eveywhere, but I also don't see why you should blindly trust a Robot Certificate Authority like CACert, without further assurances.

Re:CACert

Given the general security principle, espoused by most web browser makers, of "Trust nobody unless it's a secure connection, and even then be careful"...

Actually, the principle espoused by most web browser makers seems to be "Trust anybody if your connection is unencrypted, but if you wish to encrypt your traffic, trust no-one unless they've given a wad of cash to a CA."

It seems to me that a user using an unencrypted connection to an unidentifiable web site (that is to say, all http web sites) should receive even more warnings than a user using an encrypted connection to an unidentifiable web site. But somehow, that's not the case.

This Firefox scaremongering isn't just driving people into the arms of Verisign, it's also driving webmasters away from using encryption, even where web forms might be involved. Too bad - encryption is a good thing.

Re:CACert

[tha_mink]

Have you ever applied for an SSL certificate? It's a PITA, because you do have to provide the issuer with a load of documentation (usually comprising of some legal documents such as your employer's charter et al, plus evidence you do, actually, work for them) to confirm you're who you say you are.

What are you talking about? I buy SSL certificates ALL THE TIME, and it couldn't be easier. It's easier than buying the domain name. It's automatic and happens in seconds these days. I have no idea where you get your certs from but yo, you don't seem like you know what the hell you're talking about.

Re:CACert

[Evets]

A chain is only as strong as it's weakest link. Verisign can require all the verification they want, but there are other "trusted" root CAs that don't.

I purchased an SSL cert, and because my spam software rejected the provider's messages (with good reason), they had to send my ssl cert to a throwaway address I set up. There was nothing in the way of identification verification.

Regardless of whether or not this was a "one-time" instance, once again we have people trusting big providers simply because they are big providers. A revenue stream does not make you secure.

There is no difference between a free cert, a $25 cert, and a $500 cert - other than the fact that no free cert providers have trusted root CAs by default. Nobody actually reads the certificates, the only time an end user ever cares about cert's it is because a dialog popped up that gave them a warning, and half the time with a warning, the end user simply clicks on through anyways.

People should see SSL certs for what they are - end point-to-end point encryption mechanisms and nothing more. Thinking they are anything more is simply a false sense of security.

Re:CACert

[jjhall]

What do you mean CAcert has no accountability? They have a web of trust in place that actually checks IDs person to person. Thats more than Verisign does. All they do is charge a credit card.

A CAcert server certificate does exactly what it says it should, that the owner/controller of the domain is in control of the server. It does not verify the personal integrety of the person running it. Of course a Verisign certificate says exactly the same thing but some money exchanged hands in order to say so. But you're trained to trust it more because "its always been that way."

Personally I think browsers should ship with no root certificates installed at all, and the user can seek out and install the ones they trust. Have you ever looked at the list of default roots in your browsers? Can you verify that every one of them does more verification than CAcert does?

CAcert is getting close to being audited so that their root will be included in browsers by default. Does that change your stance regarding trusting their server certificates? If not you're going to have to start remembering to remove their root from each browser installation. While in there how many more are you going to remove?

It bothers me seeing people put so much blind trust in Verisign and Thawte and the likes. To take it a step further, have you ever gone out to your bank's web site and written down the fingerprint of their signature and attempted to verify it at your bank? 99.9% out there will say no.

The point of an SSL certificate is to secure the communications line, and to ensure the entity you're communicating with now is the same one you communicated with previously. Intentions of the person/server you're communicating with is outside of the scope. No amount of money exchanging hands will change this fact, yet Verisign has obviously convinced a lot of people to the contrary.

Re:CACert

[homesnatch]

My hosting provider requests Thawte SSL123 certs for me. I get is an e-mail from Thawte requesting approval.... Click a link, verify info, that's it! If e-mail address verification is all that is needed to approve an SSL certificate, it seems to me that a "free" service could be just as secure.

Re:CACert

[Hork_Monkey]

2-3 ago I had to request certs for a few clients. Some of those clients couldn't be assed to send me those documents, so I created some fake articles of incorporation.

A few days later, I had SSL certs for those organizations.

A PITA, yes, but by no means a secure system.

Re:CACert

[NNKK]

If by "several" you mean "several owned by VeriSign", you're correct. They operate under multiple brands and have purchased a number of other major certificate authorities over the years.

Re:CACert

[mrchaotica]

of which there are, of course, several (which means they're not "monopolies" at all, then

Oligopolies and cartels can legitimately be complained about too, you know!

Re:CACert

[noa]

And my point was that there are commercial certificates (RapidSSL springs to mind) accepted by IE and Firefox that doesn't require any authentication besides having control over the domain. You won't get a meaningful name in the cert, except OU=Domain Validated, but you will get an SSL connection without browser warnings

Re:CACert

[Hatta]

Sounds like a good way to keep the riff raff out.

Re:CACert

[Vancorps]

Note, that is an SSL123 cert and not an extended validation certificate. If you get an EV cert you have more hoops to jump through going to far as faxed letterhead and the likes.

Although worth noting, if you already have a relationship with Thawte then the process is easier and takes less time. The first cert always takes the longest.

Re:CACert

[Zeinfeld]

ObDisclaimer: Not speaking for my employer here. Yes I work for a commercial CA.

Actually you are way off base here. Mozilla and VeriSign are both members of the W3C Web Security Context working group where one of the things that we have been working on is how to better make use of self signed certificates.

I always enjoy reading articles on Slashdot describing what they imagine the optimum strategy for a large public company is.

Making it easier to use encryption with self-signed certificates is a benefit to a large commercial CA. People who use self-signed certificates today are candidates for an upsell to a public accredited domain validate cert later.

The basic problem is that people think that a CA sells encryption, that is wrong, we sell authentication and in the case of Class 3 or EV, accountability. I cannot guarantee that the merchant you buy from is honest, or that they will deliver that plasma TV. But I can ensure that they are likely to face consequences if they do.

If people really want to set up an open CA then read my book, the dotCrime Manifesto, I describe what we were trying to do when we set up the idea of CA services in the first place. I think that setting up an open CA would be a bit like setting up an open source effort to do people's taxes for them. But someone might work out a way to make it interesting enough for the participants to have it done well.

Re:CACert

[Crayon+Kid]

If anybody can get an SSL certificate that will be accepted by Firefox, for free, no questions asked... then the entire point of having CA authorities goes down the drain. You can't simultaneously have a certifying entity AND let everybody in. Because if that happens we might as well forget about CA use in the browsers and just use SSL for encryption.

Re:CACert

[the_olo]

Yeah, right.

$ wget http://crl.cacert.org/revoke.crl

...

23:04:36 (241.13 KB/s) - `revoke.crl' saved [1911370/1911370]

$ openssl crl -in revoke.crl -inform der -noout -text | less -in

...
Serial Number: 057FA5
Revocation Date: Jul 18 13:35:01 2008 GMT
Serial Number: 057FAA
Revocation Date: Jul 18 14:54:49 2008 GMT
Serial Number: 057FB4
Revocation Date: Jul 18 14:43:07 2008 GMT
Serial Number: 057FB5
Revocation Date: Jul 18 14:43:26 2008 GMT
Serial Number: 057FB9
Revocation Date: Jul 18 16:12:12 2008 GMT
Serial Number: 057FBB
Revocation Date: Jul 18 14:59:13 2008 GMT
Serial Number: 057FBC
Revocation Date: Jul 18 17:48:23 2008 GMT
Serial Number: 057FCE
Revocation Date: Jul 18 16:13:58 2008 GMT
Serial Number: 057FD0
Revocation Date: Jul 18 16:11:48 2008 GMT
Serial Number: 057FD1
Revocation Date: Jul 18 17:00:35 2008 GMT
Serial Number: 057FD3
Revocation Date: Jul 18 16:18:22 2008 GMT
Serial Number: 057FF3
Revocation Date: Jul 18 19:43:57 2008 GMT
Serial Number: 057FF4
Revocation Date: Jul 18 19:52:50 2008 GMT

They're revoking a certificate roughly every hour, their CRL is 1.9MB in size and from looking at the serial numbers it seems that lots of certificates are pretty close to each other, which means that a significant percentage of issued certs is getting revoked.

This would indicate that their loose verification is being severely exploited by the bad guys.

Now are you completely sure that when you add this CA to your store, you also configure the CRL handling properly? For how often do you schedule download of the CRL? Do you really think it's a good idea to download a 1.9MB CRL every 1 hour (there's no OCSP service for their certs, it seems, at least there's no OCSP URL on their CA certs)?

I suspect that you didn't give a thought to this, as well as the majority of people who install CAcert root certificates in their browser, not suspecting what can of worms from security perspective do they open. They probably don't even know what a CRL is for, not to mention checking the CRL handling settings in their browser after they install CAcert's root x.509.

Re:CACert

[fyngyrz]

Maybe I'm missing something, but isn't this suppose to add some level of trust?

Sure. You're supposed to trust that your connection between you and the other end of a conversation using that cert will be encrypted.

That's all certs have ever provided; the rest is 100% marketing myth on the part of the CAs, and misunderstood excuses on the part of conspirators like the Mozilla foundation, Microsoft and so on. The fact is that any cert can be compromised within seconds after it is issued, and so can browsers, hosts lists, and a long list of other target; therefore, certs provide NO assurance you're connected to who the URL indicates you are. The idea that doubtful protection against "man in the middle" attacks are worth the cost of the CA infrastructure is ludicrous. But as long as browser manufacturers continue to collude with the CAs, there's no way out for any site that doesn't want their visitors smashed over the head with entirely bogus errors and warnings.

As far as Firefox is concerned, it's open source. Someone should take it and fix it so that it stops with all the consumer warnings and just says "encrypted connection established." Just go AROUND the CAs; they're total scams anyway. You don't need an "open" CA, you need to tell them to take along walk off a short pier.

While they're fooling with FF, maybe they could fix more of the darned memory leaks. After running FF 3 for about 24 hours, it's consuming an obscene 200+ MB here; and it *starts* at about 40 or so, which is also absolutely ridiculous.

Re:CACert

[the_olo]

The fact is that any cert can be compromised within seconds after it is issued, and so can browsers, hosts lists, and a long list of other target; therefore, certs provide NO assurance you're connected to who the URL indicates you are. The idea that doubtful protection against "man in the middle" attacks are worth the cost of the CA infrastructure is ludicrous.

Would you care to somehow substantiate that claim? How are you going to compromise that cert? What do you mean by "compromise"? Without serious arguments and proofs you really sound like that crazy Time Cube guy.

Do you even have any understanding of how PKI works? Could you prove it by elaborating on it and presenting real attack scenarios? Because without that you just seem to be a troll.

Re:CACert

[squiggleslash]

If you buy them "ALL THE TIME" and never have to present any identification information, then I can only assume you have a standing arrangement with a CA and have already registered your details with them. If you really go to arbitrary CAs you've never done business with before, and are asked for no proof you are who you say you are, then I'd like to know who those CAs are. They probably need to have their authorities revoked.

Your experience neither matches my own, nor those of the people I asked who also have gone through the process in the past.

Re:CACert

[darkfire5252]

Why do you need identification to transmit a PUBLIC key (aka SSL cert)? Note: The moderators in this discussion who nuked my other post, like the parent, seem to not understand the difference between public and private keys. Crypto is complicated, but those who don't understand it should not be moderating a crypt discussion!

Nor should they be posting in it. You do not understand the difference between a key and a certificate, nor do you understand the purpose of a certificate authority.

In public/private key cryptography, the public key ensures that one can have a secure conversation with the holder of the corresponding private key. It does not address the problem of verifying who the holder of that key is. So, if Alice and Bob desire a private conversation using asymmetric (public/private) key cryptography, the first step is for them to exchange public keys. However, during the exchange, Mallory intercepts Alice's public key and supplies Bob with Mallory's public key. Mallory can now read the messages between the two and no one is the wiser. Enter the Certificate Authority. The CA's job is to act as a foundation for trust. The CA's key is provided to Alice and Bob securely (i.e. when installing an OS or browser). Alice and Bob can then go to the CA, prove that they are Alice and Bob, and they receive a certificate. The certificate for Alice consists of Alice's public key cryptographically signed by the CA's private key. Bob can then take the CA's public key, which he received previously, and verify the signature on Alice's public key. Bob has then proven that the CA is stating that that public key does in fact belong to Alice.

So, if the CA isn't actually verifying that Alice is Alice or that Bob is Bob, then Mallory can get a certificate that states Mallory is Alice, and we're back to square one.

Re:CACert

[bored_engineer]

How does this compare to other authorities like Verisign? How frequently does Verisign revoke a certificate? If it's not very often, should they be revoking more than they do?

Can't you get a short-lived certificate from CACert? Could what you point out be the expiration of those shourt-lived certificates? I thought that they have multiple levels of trust, some levels of which include having trusted people confirm your identification.

I don't know much about this stuff, so I'm not trying to be snarky, just asking.

Re:CACert

[nine-times]

I think his point is not that there was danger in sending the public key, but that there was no attempt made to verify even that he was connected with the domain. So if you go to a website and submit a certificate request, and then they send back the public key to an e-mail address at the domain the certificate is for, then there's at least some pretense of verification. You've demonstrated that you at least have access to an e-mail address at that domain in order to get that public key. (or else you've done something else clever)

If, on the other hand, they're willing to send that cert to some random gmail address, then I can probably pick any random website I want and get a certificate for that site, without having *any* connection or contact with that site. There's not even a weak pretense of verification.

I can't speak for the mods, but maybe that (paired with essentially calling the guy an idiot) is why your other post got modded down?

Re:CACert

[Cyberax]

It's much more stricter now. For one thing, they don't sell certs to individual, only to companies. And they also physically mail you a USB signing device for driver signing, not just a certificate.

Re:CACert

[the_olo]

How does this compare to other authorities like Verisign? How frequently does Verisign revoke a certificate? If it's not very often, should they be revoking more than they do?

Well, let's have a look.

Verisign has a much more complex pki hierarchy, so there are much more different CRLs. I've visited my local bank's site and had a look at their cert's chain. There were 3 levels of Verisign CAs above their x.509 cert and two of them had CRL distribution points specified (the top one, Verisign Class 3 Public Primary Certification Authority, had none, but I think it didn't need one since it's highly unlikely that the lower ones like Verisign's Class 3 Public Primary Certification Authority G5 will ever be compromised. They still have a 3rd level below and their 2nd level private keys are probably used only in high security, do-everything-manually-inside a-vault-by-a-highly-trusted-personnel-group context, not for signing any customer's certificate requests).

So I downloaded both CRLs:

$ wget http://crl.verisign.com/pca3.crl
$ wget http://evsecure-crl.verisign.com/pca3-g5.crl

and then inspected them:

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Last Update: Apr 29 00:00:00 2008 GMT
Next Update: Aug 14 23:59:59 2008 GMT
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
a4:ff:fd:d1:4c:b8:e9:70:d5:d3:90:8c:85:64:e4:8e:36:21:
e8:b0:54:1d:2f:31:ac:00:92:9e:c9:42:d7:0f:c4:86:21:a3:
8f:23:f3:8b:e5:2d:5f:48:bd:ab:29:29:39:80:d1:b0:85:59:
ad:84:2a:d5:e9:1e:b1:8a:d4:44:97:5c:44:15:a1:61:64:49:
83:1f:12:b9:08:63:6c:8c:4b:2d:31:61:45:ae:1f:9a:8c:32:
e9:3f:86:1b:15:02:0d:30:9c:ae:d9:53:0c:cc:d1:2c:ec:6a:
57:db:c3:60:67:a4:a6:42:a2:72:37:8d:48:68:84:cf:2c:67:
b2:8f:60:6c:f4:2c:e4:90:71:88:1b:87:31:e5:88:b4:eb:dd:
38:17:7f:9b:f9:02:52:e1:03:b3:3e:7b:9f:1b:8f:5a:81:24:
ba:6d:9f:77:c7:db:53:88:89:8e:f5:b2:ff:79:51:e9:8b:ea:
f2:e2:dd:1c:52:d6:1c:d8:24:2c:f6:ac:a4:11:43:1b:6b:c8:
55:1b:b1:f0:e7:38:a8:f7:41:67:26:be:5b:b4:9f:da:a6:f7:
d0:f5:64:f9:68:83:28:b5:b4:86:90:92:a4:8d:95:36:78:42:
53:92:5f:92:9d:6c:60:95:59:d1:bb:e0:fe:0d:02:a0:31:74:
6f:1a:7c:04

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Last Update: Jun 5 00:00:00 2008 GMT
Next Update: Aug 16 23:59:59 2008 GMT
Revoked Certificates:
Serial Number: 01761E18E2BC615F3EDEDD32A5B9FD0E
Revocation Date: Sep 24 16:48:23 2002 GMT
Serial Number: 112C147CE97CF5EF8C3CB4E9E46A2099
Revocation Date: Jun 5 17:49:07 2008 GMT
Serial Number: 156079D71A719DDB94BBE7DE9F66681B
Revocation Date: Sep 23 17:14:00 2002 GMT
Serial Number: 1C3F41C5C0161761816E4660A350F0A0
Revocation Date: Sep 23 17:15:48 2002 GMT
Serial Number: 1ED2FBD389179A0C9FFD52A065BD3533
Revocation Date: Feb 7 21:24:58 2001 GMT
Serial Number: 219185AE83A9BB59E5B1B5495369EEE3
Revocation Date: Jul 6 17:14:11 2001 GMT
Serial Number: 242DE0F2497B72DD901816753CE95F2E
Revocation Date: Apr 3 17:22:26 2008 GMT
Serial Number: 26F29D223FB00479A7BA35317D851331
Revocation Date: Jul 6 17:21:18 2001 GMT
Serial Number: 341BA0A1D332DDF1FD107B578DC7F0B5
Revocation Date: Jun 5 17:50:30 2008 GMT
Serial Number: 42F5B783B86305DDB50303E5B7D01BCD
Revocation Date: Apr 11 17:59:10 2007 GMT
Serial Number: 48DC5079C688954ECE8AA7BD2A20E7A9
Revocation Date: Feb 7 21:20:31 2001 GMT
Serial Numb

Re:CACert

[LordKronos]

Sounds perfectly fine to me.

First, what the CA's actually consider "authentication" before issuing a cert is laughable. It ensures nothing except that your credit card wasn't declined.

Second, most people DO NOT pay attention to who the certificate was issued to. Most people don't even know a certificate exists, much less how to see who it was issued to.

Third, especially because of the previous 2 point, a LOT of people really don't care to try and provide those feature. All they want is SSL, so that info isn't transmitted in plain text. If there were a way to do SSL without a CA, that would be great, but as it is you are held hostage to either paying for a certificate or making your website users jump through hoops to accept a self signed cert.

Re:CACert

[jd]

All possible attacks against certificates are purely hypothetical at this time. These would include:

• A poor, seeded PRNG being used where the seed is somehow exposed or part of the key - such as a simple hashed value of the same information that is made public, where the PRNG algorithm can be determined and reproduced in some way
• Someone has figured out a solution to the factoring problem, breaking RSA
• The effective key length is so short that the private key can be brute-forced

There are also two attacks against infrastructure which can compromise a key:

• The machine generating the key pair has been compromised in advance, with private keys intercepted and copied elsewhere
• Any machine subsequently storing the private key has been compromised, allowing the private key to be stolen

Of all of these, the last one is the only one anyone needs to take seriously. Even then, there are plenty of ways of making directories and files very secure, and making sure that potential exploits like buffer overflows are blocked in advance. (Just use a malloc replacement that prevents them.) The other attacks are so improbable that you can ignore them.

This leave one other attack vector:

• Social Engineering

This, according to reports, was used to obtain Microsoft's private keys from Verisign. Most reputable cert vendors have established better practices now. Simply choose one that will only deliver keys to an authorized contact point and only after a call-back check or some other authentication scheme.

Re:CACert

[CastrTroy]

Exactly. SSL and Certs solves the wrong problem. It's hard for somebody to actually sit in the middle of your connection and do an actual MITM attack. It's much easier to just break into the database at the other end of the connection and steal all the data. The solution isn't to encrypt the credit card number, as it travels to the reseller. The real solution is to not send them the credit card number at all, and just send the retailer a signed cert from the credit card company, verifying that the transfer has been from the buyer to the reseller has been approved. The reason something like this didn't get set up, is because it means the retailer has to do a little more work to get things set up initially. We went with the easy method rather than the secure method in this instance.

Re:CACert

[the_olo]

At last a well researched reply :)

You've probably missed some hypothetical ones.

• an attack on client's implementation of certificate handling (exploiting some potential yet unknown flaws in certificate handling routines of a popular browser so that a malicious certificate gets accepted as genuine)
• a semantic attack on the user (e.g. a long URL that contains the name of hijacked site as initial part of HTTP Basic auth username, followed by lots of gibberish, and then the rest of actual URL that points to a malicious server with a cheap, yet valid throw away certificate for the malicious site's actual name)

These are probably the most likely to succeed - especially the second one since the human is usually the weakest link.

Re:CACert

[darkpixel2k]

Encryption like that is practically useless without verification of some sort. Man in the middle attacks will allow an attacker to read the traffic without some means of forcing the person at the other end to identify themselves.

Maybe I'm missing something, but gpgauth is setup to make sure you are talking to the same key every time--and not that some company has verified that xyz.com is who they say they are.

Use slashdot as an example. I don't care if they've been verified by Verisign. Seriously--what do they know about me. UID, username, email, website, and a few other BS details.

The scenario is this: Surf to slashdot for the first time ever. Read it, love it, decide to sign up. You click 'sign up', enter your username and your public key. The server now 'knows' you. It encrypts some random data to your public key and sends it to you along with it's public key. You decrypt the data with your key, re-encrypt it to the servers key, and then send it back. You're authenticated.

Now the next time you go back, you enter your username and encrypt some random data to the servers key. If the server is a man in the middle, it won't be able to decrypt your random data. If it's legit, it can decrypt it and re-encrypt it to you. You've just verified the server. Then it sends you some random data, and you decrypt/reencrypt to it. You've just verified both ways.

You're right that there's nothing there to validate that Slashdot is really at 123 whatever st. in Springfield, but you have verified that the server is the same one you signed up with in the beginning--and really, that's all that matters with a lot of sites.

Re:CACert

[Antibozo]

Sigh. The point of encryption is to hide what you are saying from some people, while revealing it to some other people. Do you really not understand that you can't do this if you don't know which people you're talking to?

The point of SSL is validation, then encryption. Without both, it's useless. And if you were paying attention to the noise about DNS cache poisoning last week, you should know that, without validation, SSL is truly useless.

Re:CACert

[nog_lorp]

Heap overflows can be just as dangerous as stack overflows, although nontrivial to exploit.

Stack overflows are preventable too though.
Overwriting returns via stack overflows are totally preventable by using a separate stack for storing return addresses (as in Forth).
Data overwrites are preventable in varying degrees with sentry values.

Re:CACert

[Antibozo]

All you really need do is validate the hostname ownership; however.

You do this by requiring a verifiable e-mail address at the domain.

Do you really seriously believe that plaintext email from an ISP to a domain account is secure? None of the measures you propose is even remotely secure; that you even propose any of those things is ridiculous. If someone controls your upstream router, what does any of those tactics prove to anyone?

The correct solution, as I've said elsewhere, is to couple the DNS with the public key distribution, by using DNSSEC and publishing public keys in the DNS. Without DNSSEC, DNS is insecure. With it, certificate authorities are useless middlemen, and create opportunity for subversion without providing any benefit whatsoever.

In other words, once we have a secure DNS--along with client software to pull public keys out of that, instead of using certificates signed by untrustworthy, costly, third parties--the CAs are obsolete. Naturally, companies like Verisign have been dragging their heels on DNSSEC because it leads to the demise of one of their big cash cows.

DNSSEC is the solution to a number of problems, and will lead to vastly improved security of the Internet by providing a verifiable, trustworthy, highly redundant, distributed, hierarchical database. Once we have that, we'll wonder how we ever got by without it, and why we tolerated the stupidity of the very concept of a CA for so long.

Not the first one...

[bradgoodman]

I have been using PayPal for many years for automatic payment processing on my web site for shareware I sell.

When Google Checkout came along, I figured I'd accept that too - so I started doing scripts on my web site to take Google Checkout payments.

This came to a screeching halt when I realized that Google Checkout payments (or at least automated CGI processing of them) would only be done through web sites with SSL certificates signed by one of the "Major Authorities".

I wasn't willing to shell out $100 (about half my yearly profit!) for the stupid certificate.

This FF3 problem is even worse - if you use SSL, your web browser would be screaming to your end-users that you're probably dealing with some hokey-untrusted individual!

Let's just say that in any respect, I won't be having any little buttons on my site recommending that people use Firefox...

Re:Not the first one...

[hedwards]

The problem is the warning and it should really be changed. These sorts of certs do not guarantee the identity of the parties involved, they just make it difficult to impossible to eavesdrop. There isn't any reason why the key couldn't be stolen or misappropriated.

I definitely sympathize with you, paying that kind of fee is kind of ridiculous. Which is why I do not have one. But really the issue is that Google and the other companies want reliable certs and they're not going to accept all of the certs. If a smaller authority is reliable the only issue is keeping track of them to make sure that's still the case and adding them.

I'd definitely consider asking them about it, especially since it's causing them to lose smaller stores about it.

Re:Not the first one...

[nine-times]

I wasn't willing to shell out $100 (about half my yearly profit!) for the stupid certificate.

It's not quite as bad as all that. Namecheap offers "RapidSSL" for $13 a year. They even have a deal where you can get a free SSL cert with registration or transfer of a domain. Still, yeah, SSL certificates are kind of a racket.

Re:Not the first one...

[bradgoodman]

>> I'm pretty sure I paid more in taxes out of one paycheck a month than you've collected in 4 years at $200/year.

I'm sure you do. Irrelevant.

>> Again, FF's fault how?

Its not - it has to do with root CAs...like the title of my post implies (let me clarify) [Firefox is] "Not the first one..." [Google Checkout does this too]

>> It's not like it's impossible to accept a self-signed cert, and for all the "scripting" you've done, why don't you mention a quick blurb about FF3's advanced certificate security and validation mechanisms and how a user might go about accepting your self-signed cert.

I agree. Not impossible. It's a source of confusion for those who don't understand, and a just pain in the ass for those who do. And 99% of the time, your not securing financial transactions, your encrypting pages on the bug tracking database at work, or something mundane.

I've expirienced this myself.

[vidarlo]

I run a small norwegian forum, and we use SSL. Since our income is around 100USD a year, which is donated by members, it would be very unfair to spend all of that on a SSL cert. However, how can one explain that there is no security risk involved in creating an exception when the browser so fiercly states that it is a huge security risk? It would be better if you just got a warning like "This site is probably not your bank"...

Re:I've expirienced this myself.

[duffbeer703]

In your case, it's probably appropriate to ask your uses to add CACert or a self-signed certificate to their browsers. This isn't rocket science.

Re:I've expirienced this myself.

[trainman]

In your case, it's probably appropriate to ask your uses to add CACert or a self-signed certificate to their browsers.

This isn't rocket science.

But it does create a problem with non-tech savvy users try to visit your site and get scared off by the scary warning message.

The specific situations I'm thinking of when I posed the Ask Slashdot, and am currently trying to deal with, are academic and non-profit sites that need encryption. All I want is a cert that will allow visitors to our research project from around the world and differing levels of computer savvy, to visit our web app without getting scary browser messages.

Unfortunately the system is 100% geared towards commercial entities that needs to verify identity. There's nothing for the non-commercial sector, and that's what I'm looking for something to fill.

I had a user yesterday who thought our app was down because he installed FF3 and got this scary error message. Fortunately he was only on the other side of campus and I could walk over and show him how to setup an exception. I can't do that for a researcher in India, China, or Europe.

There has to be a way to get an easy "this cert belongs to this domain" validation without costing huge amounts of money or giving scary, incomprehensible to non-tech user messages.

Re:I've expirienced this myself.

[Chandon+Seldon]

This is utter nonsense.

There is no security benefit to having the browser flip out over self-signed certificates. In fact, it *reduces* security by forcing some sites that would have used self-signed certificates to stop using SSL entirely.

The simplest non-wrong thing to do would be to simply treat self-signed SSL certificates just an insecure site. That way no one is being "tricked" by it, but the self-signed sites still get the security of being encrypted.

The best thing to do would be to mark sites with self signed certificates differently than CA-signed sites (sort of like extra-validation certificates are marked green). Maybe Green with a lock for extra-validation, yellow with a lock for normal validation, and purple with a feather pen for self-signed.

A difficult and hard to swallow cost?

[blowdart]

$27 a year? (GoDaddy) $50 a year? (InstantSSL) etc.

Sorry, but if an organisation can't swallow around $50 a year then they have more serious problems that wanting SSL.

Re:A difficult and hard to swallow cost?

[cstdenis]

Don't buy from GoDaddy. There are better and cheaper alternatives.

$14.95 - http://www.rapidsslonline.com/rapidssl-certificates.php

And unlike godaddy that on is not a chained cert.

Re:A difficult and hard to swallow cost?

[the_olo]

I don't see them in my CA collection that shipped with Firefox 3.0.1pre. What's their browser coverage?

Try Godaddy

[tedhiltonhead]

Godaddy has a very simple SSL cert option that only validates that the certificate issued matches the domain registration info, which is super cheap.

Re:Try Godaddy

[bigtangringo]

Sorry, but you have no idea what you're talking about.

GD gives you a full blown SSL cert that works just like what you would get from Verisign.

$30 for a standard cert, $200 for a "wildcard" cert which lets you SSLize all your subdomains.

Re:Try Godaddy

[jagilbertvt]

Untrue.

You can get a chained cert for very cheap from godaddy (and others) that will use your own domain name (www.yoursite.com).

No

[squiggleslash]

One entire point of SSL is to ensure that the user can trust the site they're connecting to. If I register citicardbank.com, my inability to get an SSL certificate for it without being traced by my phishing victims severely undermines my ability to rip people off.

The only way to get what you're asking for is to get a secondary protocol, somewhere between HTTP and HTTPS, that would provide privacy for the communication link but wouldn't promote the notion that the end domain is what it says it is. Whether such a thing is a good idea is open to question, even if it is desirable.

If push comes to shove, the only problem with the present regime is that it's expensive. There's increasing amounts of competition in that space, so you should expect prices to come down over time. Wait. .com domain names once cost more than what many SSL certs do today.

Re:No

[squiggleslash]

First of all, that's not in any way, shape, or form, a counterpoint.

Are you using different top level domains for all your systems? Because if you're not, you should be able to make do with a wildcard SSL certificate, which generally runs to a few hundred dollars per year, not $1,000. Just saying.

In any case, your particular set of circumstances means you have control over who would need the self-signed certificates. In particular, you can legitimately create a CA of your own and import it's certificate into the web browsers of your users, because that CA (you) is accountable to you and your users.

This is very different from someone outside of the organization trying to get "secure access" to your systems, not knowing for sure that they really are connecting to you (and not a typosquatter.)

Re:No

[Fastolfe]

The only way to get what you're asking for is to get a secondary protocol, somewhere between HTTP and HTTPS, that would provide privacy for the communication link but wouldn't promote the notion that the end domain is what it says it is. Whether such a thing is a good idea is open to question, even if it is desirable.

If you have no guarantees about the identity of the person on the other end, how do you know that your session is really private, when it could be someone sitting in the middle, pretending to be the web site to you, and pretending to be you to the web site? It could be more private to someone casually eavesdropping, but if you're worried about privacy, you should be more worried about the person that has the resources to be that man-in-the-middle. You can't really have a private data exchange with someone who is essentially anonymous.

Re:No

[Aliencow]

Get a wildcard certificate or a UCC. UCCs let you have multiple hostnames on the same domain, and they aren't so expensive.

IE7

[airedalez]

Why is this being brought up now as something new? IE7 has been doing practically the same thing since it was released. I agree that there should be something "open source", but this is far from new...

Monopoly?

[nonpareility]

The fact that there are "compan*ies* such as Verisign" means Verisign is not a monopoly. In Firefox, go to Tools, Options, Advanced, Encryption, View Certificates, Authorities. These are all valid CAs according to Firefox. As for being cheap, a quick check at GoDaddy's says you can get one from them for $30/year.

Domain only?

[coolhelperguy]

For all but the biggest transactions, most people couldn't care less about what the certificate says. Really, how many people check the certificate on, say, PayPal, to see that it's actually owned by them?

I'm all for breaking the monopoly of current root CAs, but for the most part, that's already being undertaken over at OpenCA, which is indeed trying to get included into major browsers. (Last I heard, they had problems with IE, but Mozilla and perhaps Apple were willing to let them try if they had several audits, among other things.)

Perhaps a better solution would be for Firefox 3 to detect self-signed certificates (separate from expired, or wrong-domain certificates) and warn the user that there's no good way to be sure that the people running the website are who they say they are, but that if all they want to do is connect and have an encrypted communication, have a simple (but slightly scary) button to proceed, once per session. That of course wouldn't protect against man-in-the-middle attacks, but that's the reason the root CA infrastructure is in place. Getting something like OpenCA in more browsers is probably the best (only?) fix for that.

Re:Domain only?

[rehevkor5]

It's simple. The browser should detect self-signed signatures and then instruct the user to verify the SHA1/MD5 hash (fingerprint/thumbprint) with the site's owner. That's all that needs to happen.

Re:Certification crap

[qbwiz]

First of all, what does this certification crap prevent?

I go to randommalwaresite.com, I get a certificate for randommalwaresite.com!

AFAIK, I believe it prevents man in the middle attacks from happening:

You go to mybank.com, but you actually access randommalwareip, which gives you a phony certificate from mybank.com.

Re:I doubt it will happen.

Well considering Mozilla don't trust the windows root certificate in their browsers (and more annoyingly ignore the certificate store in Windows itself in favor of their own alternative) why would MS bend over for them?

"Open" vs. "Secure" - A Contradiction

[bradgoodman]

I don't think anyone really wants "Open" CA authorities. "Open" and "Secure" are generally contradictory in this context (not everywhere).

I think the optimum solution would be a cheap root CA who is also highly trusted.

I don't know who this would be - maybe someone like a traditional brick-and-morter "bank" which could vogue for an SSL certificate being validated in the same way that are able to link a bank account to a person, company, SSN, etc.

I was going to say also someone like Google.

The point is, if a CA-signed cert was $5, no one would be complaining, but if any 'ol shmucks signed certs were automatically accepted by your browser, the whole system wouldn't mean anything.

Secure DNS can help

[John.P.Jones]

Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?

How can anyone possibly establish that a given certificate is associated with a given domain without first proving that they do indeed have the (ownership) rights to establish said association?

What you are asking for can be accomplished via SecureDNS, you can enter the hash of the certificate in the DNS entry and Secure DNS ensures that only the authorized party can enter that association and verifies that it was not changed. SecureDNS facilitates a lot of these kinds of authentication issues by extending the rooted hierarchy of DNS names to securely dissiminate information, whether it be IP addresses of servers or public key commitments. See my paper "Layering Public Key Distribution Over Secure DNS using Authenticated Delegation" (ACSAC 2005).

You're kidding right?

It sounds like some people need to educate themselves on security and the reasons for SSL in the first place. Also take a look at the current situation on the internet - for example how do phishing sites currently operate?

One of the biggest reasons for using or trusting SSL is that you can trust that the website is who they say they are. If you give out certs without validation, you're not helping the community at all.

If you think just encryption is enough, you're wrong. People are rarely defrauded because their packets were intercepted. Using encryption on the internet is like using a armored car to deliver $5 from the man on a park bench to the hotdog stand on the corner. The endpoints are the biggest security problem these days.

All of the phishing attacks have to do with sending you to a malicious site that convinces you to enter your information.

There are cheaper SSL certs out there than verisign, do some shopping around.

Firefox is not trying to harm a small site. They are trying to protect the community from the phishing attacks.

Ah, let's just solve that FACTOR problem...

[tjstork]

1. Step 1 - FACTOR algorithm in polynomial time
2. Step 2 - SSL is obsolete, and certificates are pointless
3. Step 3- PROFIT!

Certification trust levels

[davidwr]

The certification authorities really need to get together with the web browser vendors so the big scary warnings can be made trust-level-appropriate.

For example:

Domain confirmed: [green][yellow][red]
Responsible Party Identity Confirmed: [green with seal][green][yellow][red]

Where "yellow" meant unconfirmed or self-signed and not whitelisted SSL or an easy-to-fake or -steal ID such as a credit card, "red" meant revoked, expired, or invalid credential, and "green" meant a valid SSL or hard-to-fake or -steal personal ID such as a driver's license backed by a notary. "Green with seal" meant a financially-backed guarantee, something big banks would probably get.

Most small-time web sites would be either green/yellow or yellow/yellow, depending on if they had self-signed certificates.

The cost of a "no identity confirmed" green/red certificate shouldn't be much more than domain registration. A "yellow/red" self-signed certificate would remain free.

If people expect "green with seal" when dealing with major financial companies, "green" with most businesses, and "yellow" for personal web sites, they'll give the appropriate level of trust.

Trust is the issue

[AlexCV]

The problem with SSL certificate is that what you're supposed to be buying is trust. Your 400$ is supposed to be for VeriSign to validate that (a) an entity of that name/address pair exist; and (b) there's supporting evidence that the applicant represents that entity.

The reiterate strongly: Certificates are about authentication not encryption!

This isn't cheap, it requires a fair bit of effort.

Also, the CA needs to be trusted in the first place. That's very gray, but even old VeriSign is a lot more trustworthy then "Joe Q. Random Computer Service Associates" with a PO Box in RU.

Most proponent of "free" CAs really want the little padlock without any concern about trust because they implicitly trust themselves. Suppose you did have a shall-issue free-for-all CA on the web. What value would you place on its certificates? Would you trust that entity to not have a compromised private key?

StartSSL is free or cheap, as you prefer

[petard]

They offer certs with domain validation for free. There are gentle attempts to upsell you to higher levels of validation, but their domain validated certificates work without errors. Look here.

If you want certs that are validated to your business' identity (instead of just your domain) and don't indicate in the DN that they were free, there is a small charge.

Monopoly?!

[thepacketmaster]

A monopoly would be a telephone company or electric company from the 80's, where you had no choice. Last time I opened up the Certificate Authority section of Firefox, there were a LOT of CAs. To name a few of the public ones:

• Verisign
• Thawte
• Go Daddy
• Network Solutions
• GeoTrust
• Entrust

Not to mention there are a bunch of second level CA's that are very reasonably priced. I think trainman needs to do a bit more research. If you can't afford GoDaddy's prices, I don't think you really need to be concerned with your customers freaking out.

Certificates ARE about ENCRYPTION

[unity100]

the foremost aim of an SSL cert is to encrypt the communication so 3rd parties cant eavesdrop.

it doesnt make a ZIT of difference if the site you are shopping from has a Verisign signed 256 bit certificate or a self signed certificate. almost all certs are encrypted with similar technologies encryption wise. if you are concerned with 'authenticity', you dont know a website or dont trust them or suspect them, you should NOT be shopping there in the first place.

yes, this move of firefox 3 is a VERY bad thing. it really pushes people to the arms of verisign, geotrust (which is verisign) and so on.

not only that, it will also force control panel companies like cpanel, which serve millions of website users through web hosts to have to force users of their services to pay for SSL certs for each server they use or let their users connect to their site control panels through unencrypted connections. that will eventually drive up prices in the high to mid end hosting market. which is BAD, since majority of people host their websites in such small business hosts with $3-4 bucks a month. the overall effect that will have is yet to be seen.

yes, this was a stupid move by mozilla team, unfortunately.

Re:Certificates ARE about ENCRYPTION

[Percy_Blakeney]

Yes, SSL is about encryption. That's why the signing issue is important -- without it, you are vulnerable to man-in-the-middle attacks, which effectively negates the encryption.

Re:Certificates ARE about ENCRYPTION

[Rakishi]

The problem as I understand it is that self-signed certificates are NOT as secure. Specifically a man in the middle attack can easily fake a certificate because your site needs to send the public key to the user in an insecure way (ie: third party intercepts public key, send their own public key, to you they look identical).

The point of a CA is to prevent this by having a public key come pre-loaded on your machine so there is no possibility of successful interception (ie: the replaced public key would be rejected by the CA).

Re:Certificates ARE about ENCRYPTION

[Deanalator]

Bullshit, a self signed cert contains almost *NO* protection at all compared to a pure plaintext session. If anything, firefox needs to be more paranoid about things like sending things like session cookies, and posts with password fields in clear text.

When a cert failure occurs, there needs to be more than just an "OK" button to click through.

If you want proof, just sit at an airport with cain open for an hour. I think someone like you would be shocked at how many VPN and email credentials for some major fortune 500 companies you can grab.

Re:Certificates ARE about ENCRYPTION

[BitZtream]

the foremost aim of an SSL cert is to encrypt the communication so 3rd parties cant eavesdrop.

Wrong. The point of certificates is authentication. The exact same encryption and key exchange thats used in SSL can be done without certificates anywhere in the chain. It is just kind of silly to do the authentication or the encryption without the other.

You obviously know nothing of the types of attacks certficates are there to protect, such as dns hijacking.

No, this is not a bad thing for Firefox. Having non-authenticated certificates allowed by default would break down that layer of trust that people expect when they visit a site using a valid certificate signed by a trusted root. That would be far worse for a web browser than making it hard to access websites that want to use SSL but are too lazy/cheap to get a authenticated certficate.

Go back to your hippie commune to whine, and get a cluepon or two on your way.

FF3 is right

[duffbeer703]

This FF3 problem is even worse - if you use SSL, your web browser would be screaming to your end-users that you're probably dealing with some hokey-untrusted individual!

If you're not willing to lay out as little as $15 for an SSL-Cert that will work on FF3, you are a hokey, untrusted individual!

Re:FF3 is right

[iminplaya]

Hey! 15 dollars buys an awful lot of beans and tortillas, pal

A Trust Web for Victory

[Doc+Ruby]

Instead of relying on centralized CAs, and implicitly trusting these privileged monopolies, we could shift to trust webs.

It's like a social network. You trust who your "friends" trust, and distrust who they don't. With weightings, so some friends' and enemies' associations (and dissociations) count more than others Because some people you trust in their content, but not their judgement of who to trust (and vice versa, but probably more rarely).

Trust webs can perfectly simulate the current centralized trust model. You can just set your trust web to always trust whoever, say, VeriSign trusts, and ignore everyone else, which is what we get by default today. But you could tweak your trust web to say "If my grad student distrusts a site, then ignore whether VeriSign trusts it".

Such a trust web could therefore just ship set up with the current CAs the only trusted authorities, and work exactly the same as now. But we'd each have the freedom (or our sysadmins, who could lock the trust web changes away from normal users) to emphasize whoever we actually trust to influence our automated trust.

Independent authorities could "watch the watchers". So investigators with a reliable track record could become important "second guessers" to the "offical" CAs. People could make their reputation by proving a trusted authority has less than 100% good judgement. And the whole system can become more robust, instead of fracturing as soon as different CAs have different trust levels for different sites.

The technique and some SW is already available, for apps like PGP and others that rely on a Public Key Infrastructure. What's necessary for the critical mass that makes such a system work is for a browser like Firefox to upgrade to a trust web, with an easy and reliable UI with sensible defaults. Then we're as strong as the trust network in which we embed ourselves.

Re:A Trust Web for Victory

[the_olo]

This idea is very interesting indeed. If I understand you correctly, you're proposing to move the web of trust PKI known from PGP/GPG to the arena currently occupied by X.509 and hierarchical PKI, right?

This could really lift the burden of managing the complexity of trust, life cycles, secure storage of central CA private keys from the CA. I can see that even Verisign has significant problems with that. Their certs don't seem to specify OCSP URLs yet, and they had some scaling problems with CRL distribution points. Distributing the PKI could solve lots of problems and the cost of maintaining that infrastructure would be more evenly distributed, too, which would lead to practically free certification (with some hidden costs, obviously, mostly in time and effort of participating parties).

There are potential problems here that I see, though.

Adapting the web of trust idea to the web for the HTTPS protocol would need preparing and constantly tweaking some variables. E.g. above what level of trust should Firefox's address bar turn yellow? How do you communicate the level of trust of the given site to the user so that he's likely to understand it correctly?

And how do you prevent coordinated abuse of that system? Note that the OpenPGP's web of trust has never been tested in the situation where successful attacks would be so highly rewarded as they currently are in the realm of HTTPS/X.509 (think phishers and other scammers).

For example, a network of criminals might recruit some number of homeless people from large cities around the world. These people have their IDs, and are willing to do anything for some money they need to spend on food/alcohol etc. It's quite common for those homeless with nothing to lose to get recruited, shaven, dressed and sent into bank offices to open small disposable credit accounts in their own names using their IDs, only to hand all the money they can get to their recruiters who give them some small percentage which they are going to quickly spend anyway. Then they run into trouble with law enforcement when it turns out they cannot pay, but hey, they didn't quite realize what was this all about, they weren't quite sober anyway.

Now the criminals might find it beneficial to recruit those people to go into key signing parties and obtain verified signatures on their keys/certificates practically for free (well, say one cheap wine per signed key). When they collect the necessary amount, they cross sign those keys to gain high enough level of trust and set up a large scale phishing site. They make gobs of quick cash before the web of trust reacts to the manipulation, which can require a significantly long time in a loose informal structure like this.

Would the idea that you propose be resilient against concerted efforts like this one?

Re:It would take....

[just_another_sean]

someone with a stuffed wallet. They essentially would have no more room in their pocket to earn money from people who simply want want credentials on their verified, secure web site. Unfortunately that isn't happening soon.

Sounds like a job for Shuttleworth then!

Does No One Understand English Any More?

[Illbay]

The O.P. mentions "...monopolistic arms of companies such as Verisign."

Okay, look. The word "monopoly" has as its prefix the stem "mono-," from the Greek, meaning "one." That means there can only be ONE "monopoly."

A phrase such as "monopolistic company LIKE Versign..." is absurd on the face of it. If there are other companies LIKE Verisign, then there is no monopoly.

Is it REALLY that hard to understand?

This is an example of how the rising generation is so used to "buzz words" chosen for shock value, etc., and has gone completely away from clarity of speech and writing. What the O.P. means to say, really, is "I don't want to pay the going rate for this service, so I'll call Verisign 'a monopolistic company' because everyone knows 'monopolies' are bad, and that will communicate the 'badness' of 'companies like Verisign.'"

Oddly, the word "rhetoric," also from the Greek (rheteros, "a speech") used to be a positive appellation for the study of good, clear communication of thoughts and ideas. But it has also succumbed to the buzz-word dementia, and now usually means "empty words."

How sad.

Re:Does No One Understand English Any More?

[philo_enyce]

wow, you're pretty pissed about the summary, but how about correcting the poster's misuse of monopoly with oligopoly instead of ranting about how these kids should get off your lawn.

there is something of an enforced oligopoly in the market as only companies that are trusted by default are really usable by web sites serving the general public. the key thing to fix this is to have MS and mozilla trust more root CAs by default and open the market for more competition..

there are some significant barriers to entry into the root cert market, which allow the vendors to charge higher prices than they would be able to if there were low to no barriers to entry. it's simple economics. the most profitable markets are the ones that are difficult to get into, so it's in the economic interests of verisign et al. to keep the barriers in place. that doesn't necessarily mean that there is collusion in the market, but there sure is incentive.

i don't agree that the post is there to shock, it's there to gripe about a mostly closed market and ask for some kind of solution. not a bad issue to raise at all.

--philo

Levels of certification

[Animats]

There are already plenty of providers selling crap "domain control only validated" certs. We (as SiteTruth) regard those as having no value, and we encourage others to do the same. If it doesn't have an "L" (location) field, it's worthless. The introduction of those crap "quick SSL" certs poisoned the whole cert industry.

It's a problem that certificates which verify business name and address cost too much. They ought to cost maybe $25 per year. Validation isn't that expensive. That's what registered mail is for.

There used to be some enthusiasm for "web of trust" schemes of certification, but since the bad guys organized into criminal networks, domain farms became popular, and it became easy to get phony GMail accounts in bulk, that approach is obsolete.

Re:Such a thing?

[mistapotta]

My mother is a non-technical firefox user. Meaning, I got tired of cleaning up her machine, so I installed firefox, put the little IE icon on her desktop to link to the FF executable, and have had much fewer reasons to go over and "clean up her computer."

Re:I doubt it will happen.

[bigtangringo]

I wasn't involved in the auditing process when the company I worked for started it's CA, but I believe that assessor is WebTrust. The fees are... significant; as are the physical and technical security requirements.

CA signed certificates aren't quite a license to print money, but almost.

Complying with SOX, PKI, and PCI security requirements all at the same time was an interesting experience.

You've missed the point

[Rix]

This needs to be transparent for it to work. You've already lost the vast majority at "root cert". They have absolutely no fucking idea what you're talking about. That isn't going to change.

If it's not in the default install, it doesn't exist.

Re:You've missed the point

[rufus+t+firefly]

It looks like someone has already started the process for Firefox, at least.

Re:You've missed the point

[wasabii]

It is transparent when you get one from Verisign. So do that. Pay for the service you get.

Re:You've missed the point

[GrievousMistake]

There's a middle ground, you know. What if I just don't want my user's passwords flying unencrypted over the wireless when people log in to my BBS?

Seeing how the majority of users will use the same password for everything given the chance, everyone benefits by having less unencrypted traffic flying around, even for simple hobbyist pages where the owner don't want to shell out cash.

I'm not aware of any way to get just the encryption without the certification hassle. I think you'd see encryption used a lot more uniformly on the common web if browsers wouldn't raise a scare to your users when you self sign.

Re:Certification crap

[bigtangringo]

Certificates don't do that, they guarantee you're talking to the domain you expect to be talking to. CA signed certs prevent man in the middle attacks.

That's it all certs do. If the box you're talking to was hacked, tough. That's outside the scope of SSL certs.

Re:Certification crap

[jd]

Let's start with a Man-in-the-Middle attack. Attacker finds an unpatched DNS and points www.somebank.com to their proxy that has SSL support. A user connects, thinking it is their bank. It looks like it, because it really is the bank's website that is being displayed, and the URL is correct. The user enters their account login information, because it's a secure site. The proxy, of course, decrypts the inbound user SSL traffic, stores username/password information, re-encrypts using the bank's SSL session and forwards to the bank. The bank never knows it's not the user - it's encrypted, after all, and it is all correct.

The idea of certificates is to authenticate the connection, make it impossible to someone in the middle to pretend to be the server to the client, and the client to the server. Actually, it would be better to require users to have certificates as well, in many cases, as passwords tend to be too trivial.

Now, the price of certificates is horrendous. The passport office provides a document as good, or better, than many certificates, but it doesn't cost many hundreds of dollars to obtain a passport. In fact, as digital certificates are essentially the same as a passport with electronic information, it might be better if the passport office issued digital certificates along with physical passports as a combined package. The added cost to them would be practically nil, and the certificates would have a much greater credibility level than those by most corporations, at least for personal certs.

Please. Don't give money to GoDaddy.

[weston]

http://en.wikipedia.org/wiki/GoDaddy#Controversies

This is to say nothing of a number of lower profile controversies and the fact that their entire site is a usability nightmare that seems largely designed to trick marginally informed customers into buying (and cause more savvy customers to explode in frustration).

You think Verisign et al do that? How? +an idea

[arete]

You think Verisign et al reliably do that? How?

There was a /. story maybe a year ago about all sorts of obviously fake ones... what the major cert providers verify is that your payment cleared. Which is _something_ because there's SOME kind of traceability. But it's not much.

I don't really blame them, though, because the problem is fundamental. There's just no real way for them to verify someone is who they say they are, because we don't really have a definition of who that "we" is. It's not like the gov't issues you a social security private key at birth and each corporation too (not to mention going international)

So the thing keeping them secure IS the payment and the record of the payment, and the fact that so many people fall prey to phishing without a valid cert that no one cares.

*****

In my opinion, the best we can do is issue physically linked certs. Cryptographically identical to existing certs, this changes the people part - The certificate authority a) must require a payment, but there's no minimum they can charge b) mails a physical letter with a code c) makes an automated, repeating voice call with a code d) if both codes are entered and they own the domain, issues a cert for that contact info, which can optionally be used to generate certificates for multiple servers.

Now, the hard part is that you haven't verified IDENTITY at all, you've only verified contact information. So the browser would have to literally display this information, if it was one of these contact-certs (perhaps in a bar just below the URL bar) I say in 'these certs' because for these certs you're not even implying that you can trust anything except the

You COULD set this authority up with a relatively small expense. You might be able to write a FF extension to display the addresses. If you have reasonable internal security, you probably could get FF to add you as a trusted authority, at least FOR contact-certs.

That's not GREAT, but it's the best we can do for simply automation for general-purpose merchants/certs... beyond that it's trying to do credit and background checks the old fashioned way.

My only OTHER idea is that the FDIC/NCUA/etc ought to get together and create a CA for US banks. Then you could even make the bank-trusted bar a DIFFERENT color. And presumably the regulators have a secure way to talk to the banks. (I'm not suggesting that this be legally mandatory for the banks to sign up for or use, but I think there's no one who is more likely to be able to authentically verify the authenticity of a US financial institution than the US regulators...)

Re: Counter to "Recommend Firefox"

[charlesnw]

So I'm sorry but I don't agree with that. First the warning from IE is much more accurate and non alarmist. It is different from the failed page message, while the FF3 ssl and fail to load page are very similar. This is rather annoying and the first time I saw it, I thought the URL was invalid. Also FF3 lets you visit the site as well.

I think FF3's cert thing is lamer and lamer

[arete]

I think FF3's cert thing is lamer and lamer

I've been thinking about this... and I'm happy to have FF3 mark the unsecure, secure, and EV-secure sites differently. But it's really, really lame to say that any self-SSL site is WORSE than a random non-SSL site. It's only the same. If they're going to go through the trouble of getting people used to trust markings, they should just mark the self-SSL sites like they mark the unsecure sites. Changing the URL bar to say:
(unverified) https:///

Would be enough, if they were changing the color/style of the secure sites. (Sure, don't give the self-SSL a lock icon. Fine.)

Re:I think FF3's cert thing is lamer and lamer

[jmpeax]

Mozilla Corp's profits from search engine affiliation may indicate a commercialism that could be at the root of the change in how Firefox displays self-signed certificate warnings. After all, if Google can pay to have its search page top-ranked in Firefox's quick search menu, why couldn't Verisign pay to have Firefox encourage people (by inconveniencing users of websites with self-signed certs) to buy SSL certificates?

Given the many problems with the way CAs actually verify identities (and don't actually verify potential criminality), I don't really see the point in this aspect of certificates. Surely the fact that they provide public key encryption for sensitive information is far more important and should be encouraged.

https://gmail.com

[InsaneMosquito]

I'm surpised no one mentioned this, but https://gmail.com/gmail.com pops up this alert in FF3, because the certificate is actually for mail.google.com. I'm surprised Google didn't fix this - especially considering how much money they give to Mozilla.

IE7 / StartSSL

[bunratty]

IE7 is worse, because its user interface does not ask the user if they want to add the site as an exception as Firefox 3 does. The end result is you get the big, scary warning in IE7 every time you visit the site, but you get it only once in Firefox 3 because you need to add the exception before it will let you proceed to the site.

Anyway, get a free cert from StartSSL and the problem is solved.

Public keys and identification

I or anyone else can make a public key, and claim it belongs to GW Bush. The process of distinguishing the real public key for GW Bush from fraudulent pretenders is called "identification". True, many/most paid certs don't do a very good job of it, but a public key is worthless for preventing "man in the middle" attacks unless you have some form of confidence that key A belongs with person A.

Dumbest statement in the history of security?

[harlows_monkeys]

For smaller, especially non-profit groups, which will never have issues with domain typo scammer...

This is a contender for dumbest statement in the history of security.

Re:Will Firefox do anything about it? No.

[StartCom]

That's pure nonsense. No CA ever paid a dime to the Mozilla Foundation or Mozilla Corporation (as opposed to the days of Netscape). Poke around http://groups.google.com/group/mozilla.dev.tech.crypto/topics to get a clue about how Mozilla handles inclusion of CAs.

The correct solution...

[Antibozo]

... is to drop the fundamentally broken X.509 PKI infrastructure, where any CA can sign certs for any subject, and switch to a DNSSEC-based PKI where signing authority is limited to subdomains of the authority. In the process, we end up with the ability to sign all the certs you want, for every host, if you like, and have SSL anywhere.

Nothing to hide?

[tapanitarvainen]

Even if you have nothing to hide now, one day you may, and then you probably don't want to advertise the fact by sudden conspicuous switch to encryption.

You might want to encrypt everything possible simply to make life harder for those who listen everything in the hope of catching something valuable.