Slashdot Mirror


Do the SSL Watchmen Watch Themselves?

StrongestLink writes "In an intriguing twist on the recent Comodo CA vulnerability discussed here last week, security researcher Mike Zusman today revealed that three days prior to StartCom's disclosure of a flaw in a Comodo reseller's registration process, he discovered and disclosed an authentication bypass flaw to StartCom in their own registration process that allowed an attacker to submit an authorized request for any domain. During a month which was marked by the continuing paradigm shift to SSL-verified holiday shopping, the Chain of Trust continues to run off the gears, and Bruce Schneier is even commenting publicly that SSL's site validation mission isn't even relevant. What lies ahead for the billion-dollar CA industry?"

24 of 171 comments

  1. Let governments handle SSL by coryking · · Score: 5, Insightful

    SSL certificates are one area best served by government. Bear with me here,

    SSL certificates are the online version of your driver's license or your passport. We entrust our governments to provide us with reliable, trustworthy forms of identification. We know that if we see a driver's license or a passport, we can be reasonably certain the person holding said identification is who they claim.

    It is becoming increasingly clear that SSL certificates issued by private industry cannot be trusted. Since private industry issues them, there are real standards for how one qualifies for a certificate. A $20 SSL cert from Godaddy is just as valid of identification as a $500 one from Verisign. Worse, the private industry has a conflict of interest. Their business makes money by issuing certificates to paying customers, not rejecting customers for bad information. The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math: they have to make it as easy to get an SSL certificate as possible or go under. (The bond rating industry suffers from a different, but somewhat similar conflict of interest, actually)

    Who then should issue certificates? The only entity that doesn't have to make money--your governments. Ideally you should be able to walk into whatever agency issues photo identification in your country and somehow get an SSL certificate issued. Businesses and non-profits could get them issued by checking a box on the form they use to set up a corporation or LLC.

    Letting the government deal with this has many extra benefits. For starters, we could make SSL certificates fall under the same kinds of laws that govern passports or driver's licenses. If you forge one, or enter fake information, you could be charged under the same laws that faking a driver's license falls under. Second, if done right, good governments would issue these for virtually nothing and maybe protocols like S/MIME would finally get widespread adoption.

    What about open source projects who currently cannot afford SSL certs? Well, if the government does it, they could file as a non-profit and get one for free (or reduced cost).

    How would this work from a technical standpoint? How would browsers deal with a long list that has every country's certificate authority? Dunno, but it seems it wouldn't be a big problem. It is a technical problem though, so we can solve it somehow.

    What international agency would regulate this? Who regulates passports? Dunno, but seems to me we already have a long history of internationally recognized identification--both for business and personal use. Why not task those guys with SSL certificates? This is more of a political problem, and isn't as easy to solve as the technical bits.

    Bottom line, I know we all seem to hate more government, but SSL certificates are one thing governments should be doing, not private industries. It might create a new class of problems, but I suspect the new problems will be much less severe than the ones we have now.

    1. Re:Let governments handle SSL by Anonymous Coward · · Score: 5, Funny

      I can't wait to see the phishing websites validated by the Nigerian government's CA.

    2. Re:Let governments handle SSL by wizardforce · · Score: 3, Insightful

      Your trust of government is simply astonishing after what the Bush administration has been up to for the last eight years, especially considering all those slashdot stories concerning fumbling incompetence on the part of certain governments... The problem with computer security isn't private industry, it's that there are few direct consequences for companies that produce faulty security systems, banks with shoddy security etc. Legally granted limited liability is a problem. Once they find their own heads on the chopping block after a security flaw is found they'd be a lot more keen on solving the problem.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    3. Re:Let governments handle SSL by djupedal · · Score: 3, Insightful

      >SSL certificates are one thing governments should be doing

      So, after wading patiently thru your treatise, it would seem you elected not to answer the question, which would explain your warmth towards politicos, at least :)

    4. Re:Let governments handle SSL by minsk · · Score: 2, Insightful

      So you have some governments that issue high-quality reliable certificates.
      And some corrupt ones which can be bought for peanuts.

      So someone has to choose which root certificates to trust.
      Someone, probably being the browser makers.

      So what would it solve?

    5. Re:Let governments handle SSL by Phroggy · · Score: 3, Interesting

      It is becoming increasingly clear that SSL certificates issued by private industry cannot be trusted... Who then should issue certificates? The only entity that doesn't have to make money--your governments.

      The problem with your idea is, even though you're correct that private industry cannot be trusted in this matter, the government cannot be trusted in this matter either.

      These are technical flaws, not policy flaws - mistakes are happening due to software errors, NOT because some executive decided that allowing anyone to have a certificate without verification would be a great idea. I may trust the government's intentions, but experience suggests that they won't develop a system like this in-house, but contract it out to the lowest bidder, who is likely to have far less experience with this sort of thing than the current players.

      For starters, we could make SSL certificates fall under the same kinds of laws that govern passports or driver's licenses. If you forge one, or enter fake information, you could be charged under the same laws that faking a driver's license falls under.

      Pretty much all current spam is illegal under the CAN-SPAM act, so spammers could be charged under that law. They're not. I have no confidence that fake SSL certs would be prosecuted.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    6. Re:Let governments handle SSL by Lumenary7204 · · Score: 4, Insightful

      The United States under the Clinton/Gore administration already tried something similar to this; five words spring to mind: "Clipper, Skipjack, and Key Escrow". (If you need a refresher, I suggest the book "Crypto" by Steven Levy.)

      The **last** thing I want is for my government to be the entity that issues the requisite public/private key pairs to the private institutions and companies with whom I do business. My business is **my** business - and not the government's business - until a **legitimate** search warrant or indictment says otherwise. And even then, it's still **my** business.

      As the article posting indicates, SSL is built around a Chain of Trust. People buy SSL certificates from the likes of VeriSign, Thawte, Equifax, etc., because they are well-known and (ostensibly) trustworthy organizations.

      I, for one, do not entirely trust my government. I don't trust VeriSign and crew all that much, either, but their reputations are a strong motivation for them to do their jobs reasonably well, and provide products that perform as advertised. To do otherwise would damage their reputations, resulting in lost customers and weaker profit margins.

      Most governments, on the other hand, don't care much about their reputations, and have little regard for profit margins (just look at the US Government's annual budget deficit). They therefore have no compunction against using excuses such as "national security" and "protect the children" to provide (at best) or mandate (at worst) inferior solutions to technological problems.

      Admittedly, some companies - like AT&T, for instance - are so large and well-entrenched that they sometimes bow to the mandates of government, and little heed the damage done to their reputations because of it.

      But most companies are not that large, and can ill afford to lose face in the marketplace. Reputation is their bread-and-butter, so they do what's in their own best interests, which may even coincide with their customers' best interests.

    7. Re:Let governments handle SSL by pha3r0 · · Score: 3, Interesting

      Their business makes money by issuing certificates to paying customers, not rejecting customers for bad information. The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math.....
      Who then should issue certificates? The only entity that doesn't have to make money--your governments.

      Sir. I am not sure where you live but here in America we have seen countless changes made by various government agencies just so they can grab more tax money for their already inflated budgets.

      Allow me to weave a tale for my fellow readers. My very first job was in a paper and printing supply warehouse. Things were great. I worked there for about 6 months before I got a rather strange call. It was a customer of ours who placed regular orders for pens and toner and the like. She said she was going to be placing a year end order and would like to know what our current prices on commodity items were. I gave her the run down for copy paper her normal toner carts and some other odds and ends. She said okay and a few minutes later I had a PO in the fax machine.

      Now their normal purchases were anywhere from 5-50 dollars. She sent me a PO for 10000 dollars even. The top of the list was her standard set of supplies; there was then a note to fill the rest of the 10000 bucks with copy paper.

      Now being young and trying to do a good service I called her back to make sure there had not been a mistake. She told me no, that is correct. "We need to spend the rest of our budget or they will not give us as much next year".

      Yes, the current system might have holes but I for one am all for keeping business private and reducing the size of MY current government.

    8. Re:Let governments handle SSL by Znork · · Score: 3, Informative

      without ever seeing your private key

      Why would they need your private key? As long as they can sign any key as being valid for being 'you' they can make their own signed public/private key pair purporting to be you and MITM any communications to you. To get around that you'd still need out-of-band exchanges of the keys in which case the government signing serves no purpose.

      In addition, the web of trust needs to be more configurable in any case.

      Without a doubt.

  2. Nope. Government AND private companies by Cyberax · · Score: 5, Interesting

    It's better to use private companies with government oversight.

    I now live in Ukraine and we have such a system. Government licenses private companies to work as certification centers and mandates that only certain (strong) crypto algorithms must be used.

    As a result, I can use my private key to sign my tax report for IRS (or tax report for my company). IRS in turn uses its own key to sign their letters.

    That's pretty cool, if you think about it.

    1. Re:Nope. Government AND private companies by witherstaff · · Score: 5, Insightful

      OH boy, the 'but the US is huge' argument that comes up every time broadband in the US is discussed. I'd buy that if our metro areas were chock-full of fiber speeds and just the rural areas were slow. The fact is that even in our largest metro areas the US broadband is horrid.

      A recent study shows that even our smallest state, Rhode Island, with population density of over 1000 per square mile, has an average speed of only 6.7 Mbps. If you can't make that dense of an area high speed there is something seriously wrong with our system. Namely the Telco lobby arm is so strong that their gov't sanctioned monopoly remains and speeds don't improve.

    2. Re:Nope. Government AND private companies by Znork · · Score: 2, Informative

      Sweden, Finland, Norway and Canada whose population density is lower than the US yet have higher broadband penetration seem to suggest that theory may not be entirely accurate.

  3. Paradigm Shift? by Zordak · · Score: 2, Funny

    Apparently somebody didn't get the memo that the only valid way to use this phrase anymore is to mock people who want to grow the enterprise by leveraging synergies.

    --

    Today's Sesame Street was brought to you by the number e.
  4. demonstrate control of the domain in question by dencarl · · Score: 3, Insightful

    Why don't they use the method Google uses to verify control of a domain (and hence ownership)?

    The CA should require a unique file (containing a serial number) to be posted to a specific location on the website. Failing that you should be able to receive mail to an arbitrary email address at the domain.

    CAs who don't employ a technical measure (such as above) to verify domain ownership *prior* to issuing a cert would be taken out of the list of trusted CAs.

    1. Re:demonstrate control of the domain in question by blueg3 · · Score: 2, Insightful

      Kaminsky's DNS attack -- and the BGP hack, for that matter -- demonstrate pretty clearly why being able to masquerade as a particular host to the CA is not sufficient to prove you are actually the proper owner of that domain.
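The file-based domain-control check dencarl proposes, and the limit blueg3 points out, as an added illustration (not code from any CA or from the thread): the CA issues an unguessable token, the applicant publishes it under the domain, and the CA fetches and compares it. Paths, names and the offline fetcher are constructed for this example.

```python
import hmac
import secrets
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical CA-side check, constructed for this example. The fetcher is
# injected so the whole flow can be exercised offline with canned responses.
CHALLENGE_PATH = "/.well-known/ca-challenge/"   # assumed path, not any real CA's


@dataclass
class Challenge:
    domain: str
    token: str      # public value that names the file the applicant publishes
    key_auth: str   # expected file body, bound to the applicant's account


def issue_challenge(domain: str, account_key_id: str) -> Challenge:
    """Create a fresh, unguessable challenge for one domain."""
    token = secrets.token_urlsafe(32)
    # Binding the body to the account means a token seen on some unrelated
    # host cannot be replayed to complete a different applicant's challenge.
    key_auth = hashlib.sha256(f"{token}.{account_key_id}".encode()).hexdigest()
    return Challenge(domain, token, key_auth)


def verify_challenge(ch: Challenge, fetch: Callable[[str], Optional[bytes]]) -> bool:
    """Fetch the published file and compare it in constant time.

    Note (blueg3's point): this only proves control of whatever host the CA's
    resolver and routing deliver it to. Poisoned DNS or hijacked BGP would
    satisfy it, so it is a necessary check, not proof of ownership.
    """
    url = f"http://{ch.domain}{CHALLENGE_PATH}{ch.token}"
    body = fetch(url)
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), ch.key_auth.encode())


def fetcher_from(published: dict) -> Callable[[str], Optional[bytes]]:
    """Offline stand-in for an HTTP client: serves constructed responses."""
    return lambda url: published.get(url)


def demo() -> tuple:
    """Run one challenge against a correct, a wrong and a missing file."""
    ch = issue_challenge("shop.example", "acct-42")          # constructed values
    url = f"http://shop.example{CHALLENGE_PATH}{ch.token}"
    good = fetcher_from({url: ch.key_auth.encode() + b"\n"})  # trailing newline is fine
    wrong = fetcher_from({url: b"not-the-expected-body"})
    missing = fetcher_from({})
    return (verify_challenge(ch, good),
            verify_challenge(ch, wrong),
            verify_challenge(ch, missing))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```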

  5. Re:Sorry to go off-topic by chill · · Score: 4, Informative

    quis custodiet ipsos custodes

    Latin for "who will watch the watchers".

    --
    Learning HOW to think is more important than learning WHAT to think.
  6. We need multiple tiers by lord_sarpedon · · Score: 3, Insightful

    Need a two tiered system.

    The world is so fucked up right now as far as censorship and snooping. We need encryption, everywhere, right now.

    Tier 1:
    "httpe" that acts similar to SSH - big warning on key changes. Known key can be included in html links even from untrusted sites (such as from a google search results page) for a cautionary warning with no loss of security. No prompt for a new site. Prompt if it changes. Prompt if a link gives a 'known' key different from the given one.

    Very easy to gradually deploy.

    Tier 2:
    Well-known certs for the root nameservers. Stick self-signed cert in DNS records. Sign DNS responses. Imposes a chain of trust type requirement on lesser nameservers.

    Tier 3:
    The fancier certs being passed around these days which are supposedly hyper deluxe verified. Actual monetary cost involved here. Determine a magic solution to make at least a few of the CAs trustworthy.

    --
    "Strangers have the best candy" -Me
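The Tier 1 "httpe" behaviour above, as an added example (not the poster's code): an SSH-style trust-on-first-use key store that records a new host silently, warns when a host's key changes, and treats a key hint carried in a link as something that can add a warning but never suppress one. Names and the sample keys are constructed.

```python
import hashlib
from enum import Enum
from typing import Optional

# Hypothetical "httpe" client-side store, constructed to illustrate the
# Tier 1 scheme: pin the first key seen per host, prompt only on change.


class Verdict(Enum):
    NEW_HOST = "new host: key recorded, no prompt"
    MATCH = "known key matches"
    KEY_CHANGED = "WARNING: host key changed since last visit"
    HINT_MISMATCH = "WARNING: link's claimed key differs from the key presented"


def fingerprint(pubkey: bytes) -> str:
    """Stable identifier for a key; what a link could carry as a hint."""
    return hashlib.sha256(pubkey).hexdigest()


class KnownKeys:
    def __init__(self) -> None:
        self._pins: dict = {}   # host -> pinned fingerprint

    def check(self, host: str, presented_key: bytes,
              link_hint: Optional[str] = None) -> Verdict:
        fp = fingerprint(presented_key)
        pinned = self._pins.get(host)
        # A changed key is the most serious signal and is never masked by a hint,
        # even a hint that happens to agree with the new key.
        if pinned is not None and pinned != fp:
            return Verdict.KEY_CHANGED
        # Hints come from pages we may not trust (e.g. search results), so a
        # mismatching hint warns, and a matching hint adds nothing.
        if link_hint is not None and link_hint != fp:
            return Verdict.HINT_MISMATCH
        if pinned is None:
            self._pins[host] = fp      # trust on first use, no prompt
            return Verdict.NEW_HOST
        return Verdict.MATCH


def demo() -> list:
    """Walk one host through first visit, revisit, hints and a key change."""
    store = KnownKeys()
    key_a = b"constructed public key A for bank.example"
    key_b = b"constructed public key B (a rekey, or an interception)"
    return [
        store.check("bank.example", key_a),                      # NEW_HOST
        store.check("bank.example", key_a),                      # MATCH
        store.check("bank.example", key_a, fingerprint(key_a)),  # MATCH
        store.check("bank.example", key_a, fingerprint(key_b)),  # HINT_MISMATCH
        store.check("bank.example", key_b),                      # KEY_CHANGED
        store.check("bank.example", key_b, fingerprint(key_b)),  # KEY_CHANGED
    ]


if __name__ == "__main__":
    for v in demo():
        print(v.value)
```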
  7. It was vaporware anyways by Gothmolly · · Score: 4, Insightful

    The "industry" provided no value - it merely allowed you to pretend you were somehow secure, above and beyond the actual SSL part. Smoke and mirrors. If this "industry" dies, it will be a market correction, nothing more.

    --
    I want to delete my account but Slashdot doesn't allow it.
  8. Bruce is wrong by dachshund · · Score: 4, Insightful

    "SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," [Schneier] said.

    I respect Bruce, but I think if you say something true enough times, you lose sight of the fact that in this case it may not actually be a valid point. While credit card theft is a major problem, Phishers frequently target bank account login credentials--- which are not stored all over the place. In this case, SSL is one of the primary protections keeping you from all kind of hell (losing your credit card is a pain in the butt, but usually it's insured... losing your banking credentials can be a huge disaster). Now imagine that instead of a few rubes being conned by Phishing emails, you had millions of relatively savvy customers at a large ISP diverted to a fake Bank of America site (perhaps with help from insiders at the ISP). The losses could be substantial.

    Again, Bruce is right about one problem but not necessarily about every problem (and I can't help but notice that he works for a storage company...)

    1. Re:Bruce is wrong by blueg3 · · Score: 2, Insightful

      Actually, it's mostly popular to get bank credentials directly from the user's machine via malware. Jacking SSL isn't as successful.

  9. Re:Sorry to go off-topic by 93+Escort+Wagon · · Score: 3, Funny

    quis custodiet ipsos custodes

    Latin for "who will watch the watchers".

    So did you know that phrase before it was used on Star Trek: TNG?

    --
    #DeleteChrome
  10. Taking a harder line on certs. by Animats · · Score: 4, Interesting

    There are really three tiers of SSL certs being sold:

    1. "Domain control only validated" certs. This means the cert issuer got an answer from an e-mail sent to the domain. This is the "QuickSSL" tier.
    2. "Location and business identity validated" certs. What SSL certs were supposed to mean. The cert issuer actually checked out the business for existence. At this tier, there's often a "relying party" guarantee.
    3. "Extended validation" certs. The cert issuer had to meet some audited standards to issue the cert. Mostly used by banks.

    Current browsers don't distinguish between #1 and #2. They should. "Domain control only validated" certs are enough to secure some social networking site or blog, but not good enough to send someone a credit card number. If they're taking your money, the cert should contain enough info to allow you to find and sue them.

    Our SiteTruth system distinguishes between #1 and #2, because we're looking for business identity. It's a useful way to filter out the "bottom feeders".

    The problems with bogus SSL cert issuance seem to be, so far, confined to the "Domain control only validated" certs. This is an additional good reason to distinguish between them and the better tiers.

    1. Re:Taking a harder line on certs. by sjames · · Score: 2, Interesting

      Personally, I lost faith in the CAs and the certs they sign early on. I was at a sort of b2b expo (The dot-com boom was just barely beginning but nobody knew it).

      I met a representative from a CA that I won't identify, but I'm sure you've heard of them. He came prepared to give 'why you need a cert and https' sales pitch to various sorts of people from CEO to sales to CTO to techie.

      He wasn't (apparently) prepared to discuss trust and authentication in any depth. When he told me (paraphrased) that they "KNOW the entity they give a cert to isn't committing fraud because they have to sign a LEGAL DOCUMENT that says they aren't!", *I* KNEW that there was going to be a problem sooner or later.

      Of course, https is screwed up anyway because of the way it munges security and authenticity together. Ideally, browser and server should immediately do a key exchange, then once the connection is encrypted, perform optional authentication after the browser sends the host field. The lock icon should indicate encryption and authentication separately.

      While I agree with the current idea of a default keyring and trusts since the average user would be lost otherwise, the trust levels should be fully configurable by the user.

  11. Which Government? by upuv · · Score: 2, Insightful

    You have placed your trust in the government. However which one?

    Most governments would with the best of intentions try to do the right thing. However some would not. Some would downright look at this as a cash cow. It would be ripe for the picking of corruption and misuse. With next to no legal recourse.

    So who governs the government?

    I would contend that this belongs in the hands of a grander body. The UN or blocks of countries, the EU, NAFTA, African Union, G8,9,10,11 (whatever it is now), etc. At least this way there is an established forum for discussion, sanction, policy standardization.

    You are correct on the other hand that companies are not the right bodies to govern the safety of web commerce. This is just begging for greed, non-disclosure and abuse.