Slashdot Mirror
Can We Fix SSL Certification?
Em Adespoton writes "At DEFCON this year, Moxie Marlinspike gave an excellent presentation showing how broken the current SSL certification model is and proposing a replacement. Naked Security adds to the issue, asking: does it even matter if you can trust your certificate notaries?"
SSL certification is just plain broken; in another decade it will have collapsed in a heap.
"YES, we can!"
Please use this thread to formulate your answers in a form of a questions. Thank you in advance for your contribution to the overall improvement of the Internet infrastructure and supporting the freedom of expression.
as long as the cert has the correct server name wtf does it matter if its self signed as long as the owner of the domain has signed it ?
use the public owner key which can be stored in a TXT record in DNS on the domain to verify.
The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.
Simple, almost trivial work around: Multiple SSL certs for a given host, not just the one true cert per ip addrs/host.
A bank or online stock trader is probably gonna have to cough up for ALL the majors. My current employer will probably continue to selfsign, at least for corporate webmail. Everyone else, somewhere in between.
I could see a requirement for PCI compliance you must get certs from at least 3 of this list of 40 providers, etc.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
There is exactly one way for SSL certification to be fixed, and that's for browser makers to grow a pair and stop trusting root CAs who do not enforce strict rules for identifiability on all the lesser CAs under them. Yes, this will be painful as many legit sites will catch it in the neck for problems not really of their making, but anything else leaves CAs with an incentive to cheat; cutting violators off from the magic money machine is the only way of getting the crap out of the pool.
"Little does he know, but there is no 'I' in 'Idiot'!"
Not as long as there are Millions to be made.
"NO, it's fucked!"
At this point, short of whatever this software and proxy thing this guy is pushing being bundled with IE 10, Firefox 5, Chrome, and every other browser, plus as mandatory, automatically applied hotfixes to all other browsers all the way back to IE 6, plus utilities like curl, wget and so on (and I haven't even touched imaps/starttls for smtp and ftp/etc), the SSL certificate infrastructure cannot be replaced. Nobody is going to choose a cert that will cause most of the browsers to flip out, so they'll keep right on buying their certs from the authorities they already pay.
Now that secure DNS zones are starting to appear, stuffing the cert into a signed DNS zone comes up as an option, but this is just kicking the can: who is signing the cert for your zone in the first place?
Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?
all i need is a key to encrypt my communication with. if i can do it with an openssl command on some local computer, none should need to pay anything to 3rd parties to use ssl certs on their servers.
no - i dont need anyone to 'verify' any domain. i dont buy from any sites i dont know and trust, and therefore third party intermediaries cashing in by selling me trust is totally unnecessary. not that it works at all though - even a megacorporation can swindle you through numerous means.
Read radical news here
Are there alternatives to SSL for HTTPS? If so, what are they and how supported are they? I'm no fan of SSL, but I'm much less of a fan of plaintext channels.
There is exactly one way for SSL certification to be fixed, and that's for browser makers to grow a pair and stop trusting root CAs who do not enforce strict rules for identifiability on all the lesser CAs under them.
Right. CA's are supposed to be financially liable if they issue a cert to a party other than the one they're certifying. Part of the problem is that CAs get to write their own "relying party agreements". We need a tough, standard relying party agreement with a minimum guaranteed liability to get into a browser's approved root cert list.
Once in a while a CA will slip up. Then they pay. That keeps them honest. A CA is an insurance company, and should be regulated as such.
1. Prevent MITM attacks. Query several notaries and make sure that they fetch and deliver the same certificate you got. OK, I'll buy this. But:
2. What about a lazy CA that issues a certificate for an evil, look alike site? If the notaries are requested to fetch that certificate, it will be the same as the one I got. If you get diverted to an evil twin site and check its certificate, it will appear as valid.
I like the concept of trust agility. There should be several methods of authentication in play at any time. And if we can incorporate some principles from neural nets, your system should be able to change the trust weight it assigns each method dynamically based on some learning algorithm. So if one CA/notary/whatever screws up a few times, they get knocked off the bottom of your stack.
Have gnu, will travel.
If someone hacks the router to my network, then they will be able to intercept the communication when I query the notaries. Most MITM attacks are done close to either end of the communication and not on the backbone. I don't see how this would fix the problems as the expectation is that whoever is eavesdropping is doing it at either end, in which case they would either intercept my communication with the notaries or the communication between the target and every notary.
Must have missed the part that actually proposes a replacement. Article disses DNSSEC (probably rightly) as being just more complicated than SSL/TLS , but not really any better architecturally.
Seems SSL/TLS does the job pretty well for what it does, at least from an architecture standpoint, it is just a shame that browsers only recognize (by default) only certain trusted certificate authorities, which introduces a third "trusted" party into your two-party communications.
Cutting out the third party (or parties) trust hierarchy would leave you vulnerable to man in the middle attacks, so it is hard to see a way around certificate authorities or something basically identical. DNSSEC, might make sense from the perspective of the same companies providing dns also providing a inline method of verifying that the name of the host matches the certificate and distributing that over the existing DNS infrastructure. Assuming some hierarchy of trusted DNS. But really this would be more of a process improvement, for one stop shopping for DNS and certificates with perhaps some distributedness of the actual certificates to make it a bit more resilient, than anything else more fundamental.
Is SSL/TLS really broken in a way that can be fixed? Or is it the nature of the problem that is the problem?
It would be great to have SSL fixed but it won't happen. The reasons are (same as Flash, HTML5 and Java, IPV6):
1) has a monetary interest in the technology
2) The public/private sectors have adopted this as defacto standard
3) Haters hate change in the name of "secure"
The only way to change this is to implement a work-around which excludes the current 'key masters' and makes the previous technology obsolete (like HTML5.. ok, mostly obsolete).
Join the Slashcott! Feb 10 thru Feb 17!
If security is very important to you, then hand-pick the CAs you trust. Thats like in real life. Normally its probably enough to look at the drivers license to check who is in front of you, however dont rely on that if you need extra security.
How about settings how much you trust a CA ? Would be arbitrary though ...
Do you know what a major PITA it is to deal with the insane browser policies that treat self signed certificates as if they are a terrorist organization, while giving a complete pass to the http based authorization with clear text passwords?
Bloody hell, what is wrong with this picture, where a self signed cert is actually presented as some form of a VIRUS almost to the end user, when all that is needed is a warning that there is a self signed certificate in the address bar, with an ability to mouse over to copy the fingerprint and compare it to a fingerprint found on a site or on a business card or email, etc?
How about making it easier for the web to adopt https in the first place by showing some humility and not behaving like total assholes on the part of the browser development/management teams and realize that majority of the sites that could use encryption for data transfers, especially where it concerns privacy matters, like user names / passwords, and rework the interface notifications that warn the users about self signed certs to something that doesn't look like a bomb is about to go off?
You can't handle the truth.
I definitely like it when my bank keeps their cert current. I don't really care so much when I'm buying a silly $16 t-shirt. If that site doesn't have a current cert at checkout and they do have a PayPal or Google option, I'll go that route for the 2 things I don't want in cleartext. (payment and address)
Everytime an SSL discussion pops up, I mention Enigform and mod_openpgp.
its openpgp for http.
search wikipedia
No. Next question?
Can't we just use Angie's List to let us know who reliable sites are? Or Super Pages?
Maybe the solution is a distributed web of signing trust?
I mean, *somebody* works at Amazon.com right?
That *somebody* has to have *some* friends right?
I know my friend Eric in real life, he knows his brother Marc in real life, Marc was college roommates with Steve, and Steve got a job at Amazon.com.
Shouldn't these verified in-person connections be enough for me to establish Amazon's identity? Especially if I have multiple verified paths in my social graph to the same entity?
Scrap CA's - start with an empty list. Break up the concepts of verification and encryption.
Religion is what happens when nature strikes and groupthink goes wrong.
A web of trust is only as trustworthy as the least trustworthy member of the web.
connect enduser device to "the mall" and as long as you trust your VPN connection to the mall, and the VPN connection from the mall to "vendor" (amazon, whatever)
How is that any different from the status quo? Amazon, eBay, Etsy, and the like are malls (trading platforms with multiple vendors), and the VPN connection to the mall isn't much different from a TLS connection to Amazon's checkout server. So how would one trust a VPN connection to a mall? One might use route diversity and key continuity to detect MITMs, as the Perspectives project does. That would help against a MITM between the Internet and the shopper, but it wouldn't detect a MITM that has sat between the Internet and the mall since day one.
The DNSSEC layer only verifies no one has altered the port 53 packets. [...] SSL layer encrypts the whole data stream.
Then use them together. Have each domain owner run his own CA and use an RFC 4398 resource record to put the certificate for that in DNS. If a TLS connection's certificate chain ends up at an untrusted certificate, the browser would fetch a CERT RR for the domain and treat the result as a domain-validated intermediate CA certificate signed by the DNSSEC root.
OpenID and other SSO type things is a better solution for keeping login credentials safe (well known site is the only place you log into it can use crypto keys stored in your browser)
How does OpenID help keep logged-in users' session IDs from getting firesheeped?
Anybody can create an SSL certificate for any domain given the right access and if you or your computer accepts a certain CA
If you own the secret key of a public root key for a CA that is installed on the victim's PC, then yeah.
I guess guruevi's point is that a lot of sovereign states know such secret keys, and many of these countries aren't the best of friends with industrialized free-speech countries: Turkey, China, B*lg**m (pardon my French), etc. One possible way to mitigate this is not to allow, say, Gobble-Gobble CA in Turkey to sign the certificates of sites aimed at the U.S. market.
Out of 140+ comments here only two mention Convergence. Yours, and a kind of incidental mention earlier. Even I missed it because I focused only on Marlinspike's old blog article.
Focus, people: Convergence
Look it over and see what you think.
If folks involved in Perspectives (Mr. Wendland?) are watching this discussion, could you comment on the arrival of Convergence? It's relationship with your work?
I would rather you do the legwork. I was trying to prompt you.
As of the publishing of Marlinspike's article Bob Parsons was majority shareholder. It's his company. He's since sold most of the company off -- he's now under 50% -- but he's still the biggest shareholder.
Bob Parsons started the company, he owned the company, he owns the biggest chunk of the company now, his ethics continue to be highly influential. The company's history of controversy shows his influence, either directly or by setting a tone for behavior: http://en.wikipedia.org/wiki/Godaddy.com#Controversies Have you heard about Bob Parson's stance on torture?
In short, the quality of GoDaddy is related to the quality of Bob Parsons.
The article says, GoDaddy is controlled by a guy who hunts Elephants and therefore you shouldn't trust GoDaddy. That is ad hominem and in no way a rational argument regarding the trustworthiness of a DNS registrar. If GoDaddy has given reason to distrust them, then Marlinspike should have pointed to that. He did however point to Elephant hunting.
You think what the government has done with passports and driver's licenses (and SSNs) so far has been better than the mess made by the Joe Random guys who decided to be the root CAs?
I'm not sure. I'm also not sure the government should do a better job. I'm not sure it's the government's job to tell me my wife is my wife or my children are my children. Or my friend is my friend. Etc. If I have to ask such questions, I think there are fundamental issues that ID simply cannot deal with.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
We aren't broken. We are supposed to be this way.
This conscept of trust is broken. Misapplied, as well.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
We are asking the math to do something it can't do.
No semantics in mathematical symbols, no matter how hard we try to impose them from the outside.
"Root of trust" is a wrong idea. Just Plain Wrong.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If you say our whole society is reliant on inherited trust, either your society is not my society, or the trust of which you speak is not the trust in which root CAs tell everyone whom to trust.
There are two kinds of trust in operation here, and the current implementations fail to distinguish them properly.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
So Perspectives would stop coffee shop MITMs. But the MITM could still touch responses if the MITM were to insert itself between the server and its only upstream connection to the Internet. Then all notaries would see the same MITM'd certificate. This might happen under a government that censors the part of the Internet that reaches its soil.
Have scanned the comments, am not seeing discussion of Notaries.
If you're not talking notaries, or you're saying 'Moxie didn't describe his alternative', it just means you missed (or were asleep / hung over) at the Defcon panel by Marlinspike & Diffie (and questions from Hoyt Kesterson, a former chair of x.509 standards). Go back and reread the 2nd link, especially the last few paragraphs. Moxie's April blog entry didn't get into Convergence, which is an attempt to flip the model upside down.
Everyone talking about trust and signing parties, congratulations: you pretty much independently arrived at M&D's conclusion about them. Ditto MITM. Ditto DNSSEC (both as a spooky single point of failure and the flaw of shoehorning too much shit into DNS records).
In a nutshell, what drove Moxie nuts was watching as there were NO REPERCUSSIONS when Comodo screwed things up terribly. And since web browsers can't/won't just arbitrarily screw all the corps that buy Comodo crap by dumping Comodo from their CA list, nothing will change.
So, he flipped the model around. Users... well, actually, clients... get to revoke trust relationships. And we would do it via the idea of Notaries. The notary pool might vary based on nationality of users (many people in countryX may not care enough to have a notary that focusses on vouching for countryZ websites), or it might introduce a bit of paranoia: As the panelists mentioned and Naked Security restates, clients might even choose a mutually-distrustful set of Notaries to trust: the US Dept of Homeland Security and a branch of the Peoples Republic of China.
Here's my notes on how Convergence works: an SSL page gets the cert from the website, and requests the cert in parallel from notaries. If there's no match or if one of them flags it, you'd get an alert: distrusted by NotaryX. The distrust mechanism is immediate (a Notary can revoke and know that all future use of that cert will be flagged), and if a notary refuses to revoke a cert after a monumental screwup like Comodo's, the users or client-code developer can comparison-shop and find a notary that recognizes the flip-around in nature of their job (vouching for the validity of 3rd-party certs TO US, not trying to keep getting payments by those who currently buy certs).
FWIW, I wasn't completely convinced by Moxie, though not because of Kesterson's good question (What stops this from becoming another economic race to the bottom, like where SSL certs are bought on price, since the buyers evidently aren't technoliterate enough to grok SSL and flee Comodo like they should). Mine's along the line of Schneier's axiom on how crypto is hard: even an easy and promising alternative needs a bit of hard scrutiny to make sure it isn't just creating a different set of problems.
(whew, talk about tl;dr)
One last thing: when the defcon vids get published, this one's worth watching just for Whitfield Diffie's bit on Defcon presentations needing a glass of scotch whisky vs authenticity of his remarks. Priceless.
For gods sake make it simpler. As someone said, why do I need Authorities and all that other cr@p. All I should need is a key FFS. Take truecrypt for example- if I don't want to use an unrememberable string of characters I can use a photo of my kids instead...
the fingerprint of the fake "google.com" cert created by the dhs would have a different fingerprint than the real "google,com" cert .
correct?
if "google.com" would post their fingerprint somewhere on their site, then we, the users, could verify it. and then we would immediately notice a fake man-in-the-middle cert,
correct?
and maybe this process of checking the fingerprint could be semi-automated. and then even self-signed certificates would not be an issue anymore.
The point probably being that elephant hunting is both illegal and unethical.
e.g. http://www.hondafinancialservices.com/ proudly displays a Verisign logo and touts security while, since a few months ago, redirects https to http.
The unaware are entering their login data in the clear, giving sniffers access to payment account data.
I get that you were being sardonic, WSG. But... as for a gold-standard CA I would trust a USPS verification. Or even a CA that was USPS certified. Or, perhaps, in the case of a foreign CA, maybe Customs-Service certified.
But wait. There's more. Let 's put this into a broader context. I have long thought that the USPS missed the boat when they did not offer protected email services back in the day. What about a two-cent encrypted email with a usps.gov address? Nowadays it would be possible to have a lifetime USPS email account. Bill Gates has maintained forever that a paid email option would solve a lot of problems. He's not ALWAYS wrong. (FIlter. Read USPS Encrypted Only.) Sweet.
Why pay you ask? The pitch would be that such a USPS communication would garner the same constitutional protection as paper mail -- requiring a court order to open it. Even if in some cases it was a pro-forma FISA warrant. Currently, the government can troll email content because legally such communications are in a grey area -- 'broadcast' as they are across the network and (mostly) in plain text. Sure examination of the content on your PC requires a warrant, but plain text on the wire -- not so much. Your stuff in the cloud? Meh! The security community might not like this USPS idea so much, but the Post Office could sure use some extra revenue. Whatever the details of the scheme the US Postal Service clearly has the gravitas to put order into many dodgy areas of electronic communication. This really is a no-brainer for Congress. They'll see the wisdom of these suggestions instantly and pass the requisite laws.
Oh, wait! Never mind. Forget I said anything.
"No fear. No envy. No meanness." Liam Clancy
Whats needed is a web of trust system that lets users define who they trust and who they don't. If I'm doing financial transactions, I'd probably trust *visa* more than some crappy SSL reseller to certify the SSL. If I'm looking at a government page, I'd trust the government. But if I'm looking an anti-government stuff I'd love to be able to say "If the govt is in the web of trust here, let me know, because I dont like that".
Its strange to me that if I set up a store with a credit card I get have to get an SSL from verison, despite the fact I *actually* have to convince VISA I'm safe. What this means is if I'm dodgy , even if VISA goes "Man no dude, your business is a ponzi", my customer visible certification is from verison who has no such protections. Why cant I send my business plan to my bank, the bank then signs a certificate using creds it got from visa which then I can in turn sign for MY subdomains so the web of trust is clear: Shaynes budget dongles is trusted shaynecorp which is trusted by widget-bank which is trusted by VISA, which is trusted by , uh, maybe the WTO (or something) which in turn is trusted by (etc). If I dont want to deal with VISA anymore, I revoke my trust of VISA and any VISA enabled site becomes untrusted so I instead look for ones with Mastercard trustedness.
Political groups could create their own trust chains (and you can inspect them and go "Hey hang on, I dont trust republicans, fuck that , revoke"). Company chains could create their own. But they are all related by a web of trust rather than a heirachy, and from there peoples intuitions about who to trust rather than "I hope verisign isnt issuing garbage SSLs again".
It would kill dead the stupid oligopoly over SSL whilst providing more robust tools for determining who the hell your actually talking to in a secure transaction.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
The problem is not how CAs act or how many of them there are. The problem is CAs in general, and I cannot for the life of me figure out why anyone ever thought they were a good idea. When I sign up a new set of credentials, they should come with a self-signed certificate *from the place I am getting those credentials* (ie. visa.com).
Any time anyone anywhere wants to verify my identity with visa.com, they can redirect me to visa.com (where I can verify the authenticity via the certificate they issued me) to enter my credentials. On the back end, the requesting site and visa also have a chain of trust involving those two.
- I can trust the authenticity of visa.com, and since they issued my credentials I have no issue with providing them.
- The site can trust the authenticity of visa.com, who they've chosen to do business with.
Bottom line, anywhere that I have an identity I should have a self-signed certificate from that place that comes at the time of my credentials. I will use that forever more to verify I am talking to the right people. Anyone that wants access to some part of my identity with them can make a separate chain of trust with them.
Can anyone tell me why someone once thought it was a good idea to have Verisign tell me whether or not I was dealing with visa? That just adds one more possible weak link to the chain. I've had people come back with such stupidity as "but your browser could intercept the certificate and oh noes!"; as if the browser couldn't already intercept your login details or just not tell you that the certificate you're trusting is invalid.
you NEED SSL on every connection, period.
For that to happen, not only do CAs need to die, but either IPv6 has to become widespread or Windows XP and Android 2.x have to die. The web browsers included with those operating systems only support one certificate per IP address/port pair.
For quick and dirty encryption with my attorney and accountant Acrobat suffices. (IMHO the protection is marginally better that MS Word doc password protection.) I can distill a password protected PDF and attach it. Sure it is breakable, but it shows due diligence on my part. Hacking the encryption to read the content is itself a crime. And makes it a harder target. I give the password to the recipient over the phone. And I make it a good one. I would prefer to use GnuPG, but that requires a learning curve for the recipients.
"No fear. No envy. No meanness." Liam Clancy