Another CA Issues False Certificates To Iran

arglebargle_xiv writes "Following on from Comodogate, we have another public CA issuing genuine false certificates to Iran, this time for Google. There's speculation that it's a MITM by the Iranian government, but given the existing record of CAs ready to sell certs to anyone whose check clears, it could just be another Comodogate." Another (anonymous) reader says, "What might be worrying is that the CA behind the forgery is the official supplier of most Dutch Government certificates, diginotar.nl. They are supposed to be very stringent in their application process. As a Dutchman, I'm very interested to see how this one plays out." Adds Trailrunner7: "The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn't have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google's domains that use SSL."

This is ridiculous

[mysidia]

Any CA that can't implement sufficient controls to prevent such shenanigans, should not be a CA in the first place. Needless to say i've changed my browser and OS settings to distrust the CA. I expect a serious explanation shortly, and short of some unusually extreme extenuating circumstances, I think all browser vendors and OS vendors should evict the CA immediately, to make an example of them.

I am curious though.... did the CA fail to implement its CA CPSs, or did its Certification practice statement actually have a hole where such a thing could happen?

Re:This is ridiculous

[msauve]

Even if there do turn out to be "extenuating circumstances," Diginotar should be out of business. They haven't announced that they've issued a compromised cert. One might argue that hiding the error is worse than making it in the first place.

Re:This is ridiculous

[mysidia]

That adds insult to injury there... either (A) their security/review practices aren't up to snuff, and they didn't ever detect they'd issued a compromised cert. OR (B) they knew about a problem and hid it for PR or other reasons.

I suppose browser policy guidelines possibly need to be revised to require that CAs perform additional certificate issuance monitoring, requiring a third party to 'sign off' on any issuance before any certificate can finally be issued..

For example: I would like to see every CA required to submit to a Super-CA 3 details for every certificate:
(a) Certificate common name
(b) Requestor's real name
(c) Requestor's e-mail address

And await approval from the Super-CA for final issuance.

And by that, I mean, for example, the CA would submit the request, and the Super-CA would check if _any_ certificate is already issued by any CA for the common name or any subdomain of the common name, IF a cert was already issued, the Super-CA contacts the domain owner before approving a CA's proposed certification.

Re:This is ridiculous

[HappyPsycho]

Given that the standard procedure for getting a certificate for the domain issued (at least for GoDaddy, I assume others as well) is to ask the technical contact for the domain itself for authorization to grant the certificate I don't think a change to procedure is necessary.

This procedure alone would alert someone within the organization (I assume with a brain) even if someone within the organization is doing something dangerous to the organization (If you don't know the company or the individual making the request shouldn't be doing anything of this nature why would you approve it?). If the CA fails to follow this procedure then they need to be removed.

Re:This is ridiculous

[arglebargle_xiv]

That adds insult to injury there... either (A) their security/review practices aren't up to snuff, and they didn't ever detect they'd issued a compromised cert. OR (B) they knew about a problem and hid it for PR or other reasons.

They've been ordained as the official Netherlands CA by the Dutch government. If you're dealing with the government electronically, you have to use them (and they $$really, $$really milk thi$$ for all it$$ worth). Admitting to a problem would be bad for business. Another couple of failures of this magnitude and the Dutch government might even start thinking about revoking their license to print money, or at least issuing licenses to other organisations as well.

Re:This is ridiculous

[mysidia]

Given that the standard procedure for getting a certificate for the domain issued (at least for GoDaddy, I assume others as well) is to ask the technical contact for the domain itself for authorization to grant the certificate I don't think a change to procedure is necessary.

You missed the point... that's a standard procedure for Some CAs

However, the results in actual reality are less consistent than that. Therefore I'm saying an additional authority should ask, as an additional check against the CAs.

If the right person at GoDaddy feels like ignoring the verification requirement for a customer due to "special circumstances", and just issuing the cert -- that can happen, without performing the standard validation.

I'm saying what you refer to as standard validation should be mandatory as an additional validation (even if the CA does the exact same validation already).

Some CAs will issue a certificate if simply shown a driver's license photo copy or some papers that look legitimate at a glance, without any domain validation.

Some CAs will ignore their own policies.

A way you can force them to behave is to require a counter-signature by a Super-CA for every CA issued certificate.

Normal CAs should be precluded from being associated with a Super-CA in any way. and Super CAs should be limited in number; a good set would probably be the major browser makers themselves -- being a Super CA for every certificate that their respective browser will recognize as valid.

Notary idea

[93+Escort+Wagon]

I'm beginning to think some variation of Marlinspike's distributed notary system may actually be the way to go. This just can't be allowed to happen, given the importance of internet communication nowadays. If the CAs can't prevent this, it's time to find an alternative.

Re:Notary idea

[RajivSLK]

There must be something I don't understand about this system...

The whole idea is to compare a certificate served by a website to a client with one received from the same destination by a notary. If the client is surfing from a compromised network and gets served a fake certificate, it won't match with the one from the notary, triggering an alert.

How does it prevent a man in the middle attack from simply forging the certificate and all of the notary responses?

Re:Notary idea

[HappyPsycho]

What may be a better solution in the short term would be to examine the policies of browser / OS certificate acceptance policies. After something like this if it is found to be negligent or worse yet malicious on the part of the CA, they get dropped temporarily. As the number of offenses increases the drop time increases, if they behave good for a while the drop time is reduced. Similar to BGP dampening, where any sort of instability must be removed as soon as possible to prevent the whole system from crashing down.

If they seriously start screwing up they will be out of business long before any sort of threshold is reached that they should be removed as a registry (why bother the regulators, let business forces rip them apart, always a more effective solution).

Re:Notary idea

[swillden]

There must be something I don't understand about this system...

The whole idea is to compare a certificate served by a website to a client with one received from the same destination by a notary. If the client is surfing from a compromised network and gets served a fake certificate, it won't match with the one from the notary, triggering an alert.

How does it prevent a man in the middle attack from simply forging the certificate and all of the notary responses?

Wrong question.

The notary responses can't be forged; they're signed, and you have their public keys. This is essentially the same as having the public keys of a bunch of CAs, and you'd probably get those keys in the same way: with your browser (though it's more likely that you'd edit them, or replace them with a set from some reputable site, etc.).

The right question is: How does it prevent a man in the middle attack from simply fooling all of the notaries?

The idea is that it's difficult for an attacker to get between the targeted server and all of the notaries, and even if he can, it's impossible for him to hide the fact that he's done so from the targeted server, which can (and should) also make periodic queries to the notaries, asking them what certificate they're seeing from it (note: this last bit is my assumption about how Marlinspike assures the notaries aren't serving up the attacker's cert; I haven't actually seen any explanation of it from Marlinspike).

As long as some notary has a network path to the server that the attacker can't compromise, that notary will report the true site certificate, rather than the attacker's substitution. This means, effectively, that the attacker must compromise all network paths between the server and the rest of the world. And if any notary is being fooled about the site's certificate, the site can find that out by querying the notary.

It's also important to realize that Marlinspike's system is an additional verification mechanism that can stand beside the existing PKI infrastructure, not a pure replacement. You can easily have both the decentralized notary system plus the centralized certificate authority system and, in fact, if Marlinspike's system were deployed I would expect high-value sites to have CA-issued certificates, and multiple network connections from independent providers, and to work with major notary service providers through a second channel to ensure that only their correct certificate is verified by the notary.

The result would be nearly impossible to subvert.

As a bonus, Marlinspike's system would allow self-signed certificates to operate with a fairly high degree of assurance.

I really like it.

Re:Notary idea

[LazyBoot]

As long as you don't install a (non-notary-checked/non-SSL) browser patch over the compromised network then you should be fine.

How do you prevent this with the rise of silent/background patching of the browsers, like chrome does? (And I think I read somewhere that firefox does it too for minor patches, but don't quote me on that)

Re:Notary idea

[jd]

The CAs can prevent it. Back when certificates first started, certificates were graded according to the quality of information needed to back them. The highest grade required two or maybe three pieces of approved official ID and direct contact with the purchaser. It would not surprise me if some of the vendors also ran background checks and perform other basic authentication.

If they only want one level today, then what's to stop them from switching to the highest standard they used to have, rather than unifying on the lowest standard?

Ahhhh! Money. Yeah, that would be a big factor. You'll sell more cheap certs that are no good than you'll sell deluxe kitchen-sink-included certs. Enough more that nobody could afford to sell the deluxe model.

This is considered surprising?

[Targen]

Security people have since forever warned the rest of the world against the risks of blindly trusting centralized/hierarchical trust schemes. It's not the first time this happens. It won't be the last. And while standard practices remain as they currently are, we're all in the hands of whoever's got money and power, and governments tend to have a lot of both. Most of you might not care much about this since you probably live in places with decent governments*, but it's a real concern for an enormous portion of the world's population.

*IN RELATIVE TERMS. I know many of the governments of the "free world" are guilty of all manners of despicable privacy violations with all manners of awful consequences, but please don't even attempt to compare these issues to the sorts of oppression that happen in full-blown totalitarian regimes.

Re:This is considered surprising?

[bky1701]

I know many of the governments of the "free world" are guilty of all manners of despicable privacy violations with all manners of awful consequences, but please don't even attempt to compare these issues to the sorts of oppression that happen in full-blown totalitarian regimes.

The "free world" is effective enough at controlling the people though other means (bread and circuses) that it need not resort to more extreme measures: the people are powerless, and so abusing them overtly would only potentially give them something to unite against.

You aren't free only because you can say something, although that is a prerequisite. You're free because you can effect social change. Tell me with a straight face that there is a wide gulf between Iran and the West in that respect, and I shall laugh at you. The West simply learned the hard way not to use the stick every time.

Re:This is considered surprising?

[jpapon]

Sure you're free to "effect social change", you just might not be all that effective; the system in place in most "free" countries makes it difficult, but not impossible. This is, in fact, wise, because (believe it or not) not everyone wants to enact the same social changes as you.

Re:This is considered surprising?

[gilboad]

I'm *perfectly* happy with not giving *you* the power to "effect social change"; something tells me that what-you-consider-social-chance is what I consider anarchy...

- Gilboa

Re:This is considered surprising?

[bky1701]

Interesting. I am a supporter of public services, welfare (to an extent, one far more comprehensive than we have in the US), nationalization of certain industries, etc.. Being for personal freedom as well makes me an anarchist? If what I just listed are aspects of anarchy, things have changed a lot. Perhaps you shouldn't jump to conclusions that anyone criticizing your precious country is some kind of radical.

My point, though, is less about any specific change; in fact, you can be on opposite ends of the political spectrum and realize the same problem. Western democracies are extremely good at keeping intact the old aristocratic systems, while managing to convince the general public that they actually have a say. Both sides in the US play upon the psychology of the people, while both have the same root goal of making sure they are the ones in charge. Who has more power in the US - lawyers, lobbyists, the rich, or common people? I suspect only the most deluded would choose the last. No matter your politics, it is rather obvious that voting is more a system of rubber-stamping than actual government. You will never get anywhere in politics without money, and you'll never get money without money.

The fact that massive political divisions exist, while nothing really ever changes, is a good example of why I say democracy is a distraction. It doesn't matter what grand shows you put on, or what ideals the government is founded on: sooner or later, the old systems creep back in. I'm not sure if this can be fixed, or if it is just human nature, but ignoring it solves no problems. Democracy is the most ingenious invention ever for keeping people in check.

Playing global sports, "my country is better than yours! mine is freer than yours!" only leads to wars and hate, not solutions, when everything in the end is so similar.

Re:This is considered surprising?

[ibwolf]

You're free because you can effect social change. Tell me with a straight face that there is a wide gulf between Iran and the West in that respect, and I shall laugh at you.

It is difficult to effect social change in the west because most of us are, on the whole, content with things as they are. Sure, there is room for improvement, but (a few fringe groups aside) few of us want radical change. This is the essence of democracy.

In Iran it is difficult to effect social change because if you seem even remotely likely to succeed in undermining the government they will crack down on you hard.

Of course, democracy is somewhat flawed in that it involves giving people what they want and what people want isn't necessarily what is good for the whole (or even themselves). ("People are dumb, panicky, dangerous animals and you know it.") But that is completely different from an autocratic rule that puts the welfare of its citizens behind all concerns of the ruling elite.

Democracy isn't perfect (and as practiced in the USA, could be improved notably), but it is still the best system we've got. Or to borrow a quote

Many forms of Government have been tried and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time.

I believe that Churchill was onto something there.

Re:This is considered surprising?

[bky1701]

In a dictatorship, suppressing people only begets more anger. It might temporarily put it down, but it doesn't change the underlying emotions.

Democracy gives an illusion of power to people who have none. How many times have you been advised to write your congress person if you have a problem? Illusions of power beget apathy. As long as the situation does not become too horrible (and indeed, few dictatorships survive such situations), and as long as the choices are fairly limited, democracy ends up functioning surprisingly similar to all those other worse forms of government tried before. Except, democracy, as it creates apathy, is that much less likely to improve.

You claim to be "content with things as they are," but if you look around you, can you not see the massive injustices everywhere? What you take for granted as normal today, might very well be looked at in the future as serfdom or divine right are now. Yet, you're happy, and don't really care to improve. There is no questioning if the system; the system is good, you think. I have say in the system, so it must be good. Yet many have put forwards ways to improve society, and yet very few have been tried. Even the ones that work end up being ignored. Why is that?

This is the problem. You faithfully believe things are good, because you see democracy, and believe in a collective approval of how things are. You are allowed (in your Free Speech Zone) to protest torture, or the cutting of programs, or changes to taxes in whichever direction you might be concerned, and so you rarely do those things. The collective of people will get what they want, by voting in the rich and already powerful, to supposedly do the people's bidding. That is the thesis of the United States government as it stands today.

That is why there is no fundamental difference in dictatorships and democracy. A dictatorship is the lowest form of government; it rules by force alone. Then you have monarchy, which justifies force with religion. Then you have democracy, which justifies it with arguments and speeches. None of them are that different on a basic level. All have similar social strata, chains of command, and often enough, leaders. That you are so willing to believe that simply having a democracy automatically makes you better, is exactly my problem with democracy.

I think what a wise man asks is - if democracy is better than all other forms of governments; to whom?

Re:This is considered surprising?

[jpapon]

You will never get anywhere in politics without money, and you'll never get money without money

While it's certainly easier to make money if you already have some, I would say most of the most visible billionaires (especially in tech) made their money starting from essentially nothing.

Western democracies are extremely good at keeping intact the old aristocratic systems, while managing to convince the general public that they actually have a say.

Western democracies, especially the US government, were created with strong provisions to ensure that it is difficult to change the status quo (i.e. checks and balances). While you can claim (with some truth) that this was done to protect the rich, it also protects many other minorities by ensuring that it is difficult for the majority to enact changes which effect them in a negative way. The general public has also enacted sweeping changes in American government over the past century. Look at Social Security, the Civil Rights movement, and gay rights in the past decade.

Democracy is the most ingenious invention ever for keeping people in check.

Of course it is, it's a form of government. Government exists, essentially by definition, to keep people in check. The beauty of Democracy is that it does it without, for the most part, causing levels of oppression which the people deem insupportable. Perhaps one day humanity will discover a form of government which can maintain order with a gentler yoke.. but that day has not yet arrived.

Re:This is considered surprising?

[gilboad]

Let me start by pointing out that "nationalization of certain industries" goes against one of the basic principles of freedom (One that was actually acknowledged as such by the U.N.) - the right ownership of private property. I should also point out (at the risk of triggering the Godwin's Law) that the man-kind's worst totalitarian regimes (e.g. Nazi Germany, Lenin/Stalin's USSR) started by the nationalization of industry, land and private assets in the name of the "common people" as a first step in their attempt to re-model the society to match their perfect image (does who did not match their view ended up as slave laborers in Siberia or executed in Auschwitz)
The reason I took the time to point this out is simple: You *assume* that your views are moderate and that are shared by 99% of the western world working class, while in-fact, you'd be amazed at how many people will consider these views to be radical and dangerous - and I'm not talking extremely wealthy people who "rather maintain the current order".

Beyond that. your attempt to compare the brokenness of the Democratic system (and I don't doubt this fact) to the (very-short) life of a woman that somehow got blamed for infidelity or blamed for tarnishing the family-honor in Iran, Afghanistan or in the Gaza strip (let alone basic human rights, religious rights, etc) is amazing at best. I could only wonder how you view WWII and/or the cold war. (though I can easily guess).

- Gilboa

Re:This is considered surprising?

[cavreader]

Last time I saw a public political protest in the US there were no club waving motorcyclists chasing down the protesters and cracking skulls of anyone to slow to get out of the way. This occurred in the 60's civil rights era but that type of government sanctioned violence is in the past. There were no reports of the government security services raiding the homes of anyone expected of leading the protests. In the US when someone decides to defy an order to cease blockading the target of their protest or creating a general nuisance to those around them who are not part of the protest they get picked up and herded into the police vans for a trip to the police station and released a couple minutes later with either a sternly worded warning or a misdemeanor with a nominal fine which if contested in court usually ends up reducing or eliminating the fine entirely. Try that in places like Iran or Syria and you can expect to get your head based in before being taken to jail for a more thorough beating and if you are really lucky you might see daylight after a few months, that is if you are still alive.

Re:This is considered surprising?

[j-beda]

You will never get anywhere in politics without money, and you'll never get money without money

While it's certainly easier to make money if you already have some, I would say most of the most visible billionaires (especially in tech) made their money starting from essentially nothing.

Only by the poorest definition of "nothing". Virtually all of them came from upper middle class with a culture of education and an extensive family and social network of secure individuals and families. The hard work and vision of the individual are not to be denied, and of course that is a vitally important factor, but the external influences are very important too. None of those multi-millionaires are orphaned children of dirt farmers from the back-woods of nowhereseville.

Re:This is considered surprising?

[Burz]

trip to the police station and released a couple minutes later with either a sternly worded warning

Only if they feel like it. Its not uncommon for protesters to be jailed for a day or more with no access to a toilet. And that's after being kettled-in with barbed wire for hours.

You should look up the 2008 Republican National Convention protests. Even members of the press had their badges ripped off by police before being manhandled and abducted.

The anti-pipeline protesters are currently being held for far longer than "a couple minutes".

Re:This is considered surprising?

[bky1701]

Let me start by pointing out that "nationalization of certain industries" goes against one of the basic principles of freedom (One that was actually acknowledged as such by the U.N.) - the right ownership of private property.

Owning a "business" (a government created entity, btw) as a property right is a very American idea. You'll find it is lacked across most of Europe. Further, you jump from "nationalization of certain industries" to "nationalization of industry." I said the first, not the second, so the rest of your straw man is invalid... as I said nothing about that. I find it comical you suggest that "nationalization of certain industries" leads to mass murder, though. Perfect narrow-minded American stance, and a perfect example of the mind of delusions democracy tends to cause people to hold against their own interests.

The reason I took the time to point this out is simple: You *assume* that your views are moderate and that are shared by 99% of the western world working class, while in-fact, you'd be amazed at how many people will consider these views to be radical and dangerous - and I'm not talking extremely wealthy people who "rather maintain the current order".

Where do I do that? If you want to make a vague, wide reaching statement about me personally, pony up proof, and do it right away. I said nothing about what exactly should be done. The point of my post was that the majority probably do not agree with me, but that the current system isn't that different fundamentally from all those of the past. Note I did not say worse, but rather 'not very different.' Democracy gives people the power to change things, but also misleads them into thinking that things change without their direct action. Hence democracy is more stable, but not necessarily more just.

man-kind's worst totalitarian regimes (e.g. Nazi Germany, Lenin/Stalin's USSR) started by the nationalization of industry [...] I could only wonder how you view WWII and/or the cold war. (though I can easily guess).

Are you serious? You just in your last post called me an anarchist, now you're calling me a fascist and/or communist? How did I go from one extreme to the other in two posts? Don't you feel that's a bit suspect on your part? Bit of advice: if you want to mindlessly attack people, at least pick one and stick with it; otherwise you make your black and white view of the world obvious to everyone.

Re:This is considered surprising?

[bky1701]

Let me quote a video which I think makes my point better than I have; it isn't directly related, but it is very easy to see how the problem relates to the illusion of power a lot of people in the west have. David Mitchell on Consensus.

Stringent SSL verification process ... yeah right!

[phoxix]

The idea behind the "Stringent SSL verification process" is that customers will pay a brand-name-trusted CA company to verify the SSL request is from who they claim to be.

Even at *TEN THOUSAND* USD/EUR/GBP/etc per fake certificate, the price is too good for countries like Iran, China, etc for engaging in MITM attacks.

The whole process is a scam outright....

And thus you find out the real security weakness

Money.

It actually works slightly better than a wrench, and is more reliable than stupidity.

Maybe if you have gold-plated wrenches...if you have gold-plated wenches, you end up with a James Bond movie.

Penalty: instant deletion of the CA, surely?

[robbak]

Surely, if any a fraudulent certificate evert shows up, then the public keys for the issuing CA should be instantly removed? Even if they are Verisign themselves, if a fraudulent certificate exists, then trust is lost, and they cannot remain.

Re:Penalty: instant deletion of the CA, surely?

[arglebargle_xiv]

What, you thought "Too big to fail" was only for banks?

In this case the breach appears to have been serious enough that Mozilla have actually pulled the CA's cert. No matter how negligent a CA has been in the past, no browser vendor has ever done this before. Rumors on Mozilla lists are that it was a CA compromise, which would mean that no certs from Diginotar can be trusted at the moment. Whatever it is, it's pretty serious. Again.

Maybe this time the browser vendors will finally be incentivised to fix the PKI mess (CA protection racket) that they've created, although given the outcome of Comodogate (business as usual, nothing to see here, move along) I rather doubt it.

Re:Penalty: instant deletion of the CA, surely?

[jamesh]

Surely, if any a fraudulent certificate evert shows up, then the public keys for the issuing CA should be instantly removed? Even if they are Verisign themselves, if a fraudulent certificate exists, then trust is lost, and they cannot remain.

Who would do this? What is the 'parent body' of a CA? Is the CA business actually regulated in any way? And under what jurisdiction? The nature of 'root certificate' is that the keys are in Windows (or whatever operating system), so Microsoft (or appropriate vendor) would have to do it via an update, or the user would have to do it manually.

Re:Penalty: instant deletion of the CA, surely?

[Spad]

Mozilla, Google & Microsoft (at least, so far) have all now removed Diginotar from their list of trusted authorities in their respective browsers.

Re:Penalty: instant deletion of the CA, surely?

[fuzzyfuzzyfungus]

There is no specific regulation(aside from whatever body of generic business-practices regulation governs operations in that jurisdiction); but the major OS, browser, and email client companies effectively count as the regulators.

They can, and do, issue frequent updates(with fairly swift uptake across a good percentage of the userbase, these days) which can and sometimes do include changes to the trusted roots. If a CA gets removed, their customers' users start seeing scary, scary warning messages or just being blocked entirely. Game Over.

Historically, they've been pretty gutless about doing this punitively(presumably because of the risk that they will be blamed for being "broken" if a lot of sites suddenly stop working in their browser and not in the other guy's browser); but, architecturally, Microsoft, Mozilla, Google, and Apple are essentially in the position of being able to render any CA worthless in a month or less...

Re:Penalty: instant deletion of the CA, surely?

[Artifex]

Mozilla, Google & Microsoft (at least, so far) have all now removed Diginotar from their list of trusted authorities in their respective browsers.

Odd. Firefox 6.0 on my Mac still had it until I removed it manually tonight.
So did Google Chrome 15.0.865.0 dev on my Mac.
Haven't checked yet on my Windows box.
When I went to remove it from my Cr-48, I found that ChromeOS would let me uncheck trusting the certificate, but won't actually let me remove the CA.
Oh, and the best: I can't find an easy way to edit the CAs on my Android phone unless I wanna mess with adb. I can only add certs, not delete any that shipped with the ROM.

Re:Penalty: instant deletion of the CA, surely?

[Artifex]

Mozilla, Google & Microsoft (at least, so far) have all now removed Diginotar from their list of trusted authorities in their respective browsers.

Odd. Firefox 6.0 on my Mac still had it until I removed it manually tonight.
So did Google Chrome 15.0.865.0 dev on my Mac.
Haven't checked yet on my Windows box.
When I went to remove it from my Cr-48, I found that ChromeOS would let me uncheck trusting the certificate, but won't actually let me remove the CA.
Oh, and the best: I can't find an easy way to edit the CAs on my Android phone unless I wanna mess with adb. I can only add certs, not delete any that shipped with the ROM.

Ahh, now Firefox 6.0.1 is out, removing the cert. cool. Last night I checked for updates and it wasn't there yet.

Surprising?

[Mensa+Babe]

The only thing I find surprising is that stories like this are not more common. Various government agencies all over the world have been using fake certificates literally for years. Those are usually targeted at specific individuals being under surveillance so those are one-time stunts, limited in time and in network visibility, but all of those certificates in order to be useful have to be issued by certification authorities that are in the trust chain of the popular web browsers (Firefox, Chrome, Explorer, Safari, Opera). The problem with SSL/TLS certificates is that any certification authority from any country can issue a certificate for any domain, and they do occasionally. Most of those certificates are used only few times so they don't get any attention but sometimes they do. The trust model in SSL/TLS is fundamentally flawed and I agree with Dan Kaminsky and Bruce Schneier that we have to completely abandon it in favour of a trust model based on a secure DNS system, where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today. I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.

Re:Surprising?

You're obviously smart based on your nick. Are you also super hot with big tatas?

Pics pls thx.

Re:Surprising?

[John+Hasler]

...where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today.

And therefor a single point of failure.

I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.

Yes, once government has control of that "one authoritative source" you won't hear about this sort of thing any more.

Re:Surprising?

[SmurfButcher+Bob]

One authoritative source... per domain.

If you simply missed those two extra words when you first read them, then no harm done. But if you don't comprehend why those two extra words are significant... then you really need to not have an opinion on this topic.

Re:Surprising?

[Lehk228]

the problem is that software doesn't squawk when something changes unexpectedly, like when yourbank.com is suddenly using a chinese issued certificate

Re:Surprising?

[petermgreen]

And therefor a single point of failure.

Better a single point of failure than many points that can all cause complete failure of the system's security.

The current CA model where any CA can issue a cert for any domain is like storing your data on a raid 0 array.

Convergence

[unencode200x]

Another reason to take a good, long look at Moxie Marlinspike's Convergence system. Basically, it does away with CAs in favor of a trusted and anonymous notary-based system.

See him speak about it at BlackHat USA 2011 here .(a really great talk, as always).

Read about it here

The official Convergence website (http://convergence.io/). The plugin (AFAIK) is not compatible with FF 6 yet.

Re:Convergence

[jonwil]

Forget that, go with SSL certificates in DNS and DNSSEC to verify the records.

Re:Convergence

[GSloop]

And when the DNS servers are subverted to point to bogus SSL certificates, then what?

You do happen to know that you'll have to trust the government [ISP etc] not to mess with DNS, and a one-stop shop to subvert both your domain and your PKI is just what they'd like to have.

SSL certs authenticated/served by DNS is not a fix, IMO - because DNS isn't any more secure from powerful interests than SSL is. [And it may even be less secure.]

This truly is a hard nut to crack, and knee-jerk solutions like "tie it to DNS" won't solve the problem in any robust way.

-Greg

Re:Convergence

[jonwil]

with proper cryptographic protocols like DNSSEC, the only way to change DNS (and hence SSL certificates stored in DNS) without raising red flags is to actually change the DNS record itself. Any man-in-the-middle attacks by hackers, ISPs or foriegn governments (great firewall of china etc) will cause the DNSSEC chain-of-trust to fail.

Now it might be possible for a bad guy to convince the DNS provider or operator to accept new cryptographic keys, DNSSEC signatures or DNS data but that is a lot harder than convincing a dodgy CA to issue a fake certificate for PayPal or Google.

As for the US government, if the US government wanted to take action, they could use secret national-security apparatus to force a CA to issue a valid certificate just as easily as they could use it to force a DNS provider to change DNS

Are DNSSEC certificates the magic bullet? No.
But they do eliminate the possibility of rogue CAs being bribed or otherwise convinced to offer fake SSL certificates. And they eliminate the high costs of SSL certificates (dont like what your DNS provider wants to charge you to store certificates in your DNS record and sign it with DNSSEC? Just go to another provider, no need for it to be one of a handful of approved CAs)

Show me ONE example (real or hypothetical) where a DNS record has been altered (with or without the cooperation of the DNS provider) by someone other than the legitimate domain owner (e.g. hackers, government etc) where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates and I will accept your arguments.

Re:Convergence

[GSloop]

Go ahead and actually read or listen to the talk.

If you won't trust the SSL authorities, and I don't - then one would assume that trusting the registrars/TLD's/root/or country TLD's would be even more crazy.

IMO, DNSSEC simply doesn't really solve the problem, and shouldn't be the "solution." We should look for and design something better.

-Greg

Re:Convergence

[Onymous+Coward]

Thanks for bringing this up. Every time we talk about SSL issues folks fail to bring up the notaries-based systems. (Even during the last /. article, which was really about Marlinspike's Convergence.)

Additional information: Convergence is based on Perspectives.

Network notaries let you see a diverse views of the public key(s) used by an HTTPS server over time.

As an example, here are multiple views of Google's SSL.

Re:Convergence

[Onymous+Coward]

The attack appears to have been targeting Gmail users specifically.

Okay, then, more relevantly, multiple views on Gmail's certificate.

That'll give you a good idea if someone's MITMing you.

Re:Convergence

[soundguy]

Any company where the validity of an SSL cert is even remotely important should be running their own DNS. If they aren't, they have no business being in business.

Re:Convergence

[GSloop]

Show me ONE example (real or hypothetical) where a DNS record has been altered (with or without the cooperation of the DNS provider) by someone other than the legitimate domain owner (e.g. hackers, government etc) where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates and I will accept your arguments.

Seriously? Sex.com was totally hijacked. There are literally thousands of cases where domains get owned. [And once you own the domain its DNS is certainly available for tampering.]

Next, if you are willing to tamper with the whole chain, then nothing will help the user. Easily within reach for a government or serious party handling DNS - and there's no protection.

Why settle for a half measure at best. We're going to have to redesign a whole set of things - lets really try to do it right and make the replacement agile. As MM points out. "Who are you going to trust and for how long." If you can't easily/gracefully [or even ever] change who you trust, then you probably have a problem.

where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates

Man, what a high bar you have there for a "better" solution. 'It's better than the totally broken current system.'
Your argument amounts to: "Well, yeah, rape sucks. We think you ought to get mugged and violently assaulted instead."

Huh? Really?!
Let's just assume CA's *are* worse than DNSSEC - just for the sake of argument.
In that case that DNSSEC would be better than the sketchy CA's. But simply being a little better than what's currently in place shouldn't be where we set our aspirations in coming up with something new and better.

How about, instead of aspiring to get violently assaulted, you work for something a LOT better.

Re:Convergence

[tomtomtom]

I've been using Certificate Patrol for a while alongside Perspectives and it's pretty useful. However, it has also brought to my attention the frequency with which Google/Gmail's certificates seem to change which the links given above also highlight in the graphs.

I'm still puzzled as to why this is (and why e.g. the Gmail IMAPS certs don't seem to change anything like as frequently - more like annually) but if the certs changes frequently it diminishes the usefulness of e.g. Perspectives quite a bit. Which is unfortunate for a site like Gmail which would seem to be highly likely to be targeted for MITM.

Re:Convergence

[swillden]

Another reason to take a good, long look at Moxie Marlinspike's Convergence system. Basically, it does away with CAs in favor of a trusted and anonymous notary-based system.

I think the best thing about Marlinspike's system is that it doesn't do away with the CAs. Rather, it provides a stand-beside certificate validation mechanism; there's no reason a site can't use both, and using both actually increases the security over using either one alone.

Re:Convergence

[GameboyRMH]

I wonder what the differences are between Perspectives and Convergence. I've been using Perspectives for a long time. As far as I can tell the only difference is that Convergence has some anonymization features built in.

Re:Convergence

[unencode200x]

Great point, thanks for the correction.

Re:Convergence

[Tomato42]

And how does that make it impossible to change glue records in ccTLDs or .com?

Re:Convergence

[Tomato42]

Anonymization of your browsing history is important. If you use Perspectives without CertPatrol it won't cache the certificates it got from the Notary. It will query the Notary every time it visits a HTTPS site.

Convergence also can use anything else as a source of certificates: DNSSEC records, CA cert store, list of certificates you checked yourself, your friend's list...
It's just far more extensible.

Or with "Dodgeball."

[bdwoolman]

" If you can dodge a wrench, you can dodge a ball."

Patches O'Houlihan

More acronyms, please

[mmarlett]

So, besides more Californias (CAs) offering more martinis-in-the-morning (MITMs) to confuse more octogenarians/septuagenarians (OSs), what does the Chicago Public School System (CPS) have to do with anything? Or is this one of those "hacker" things I've heard so much about?

Re:More acronyms, please

[mmarlett]

Ah, yet you fail to understand that the parent (and the post itself) obscure everything unnecessarily and that I mocked them accordingly. And I see why you posted anonymously. (Adverbs are big this time of night.)

Re:More acronyms, please

[Tacticus.v1]

http://onefte.com/2011/07/19/its-not-jargon-if-its-your-job/

Re:More acronyms, please

[mmarlett]

Actually, this is real news if presented properly. I don't fault mysidia for that, really, but I do fault timothy. I mean, you are talking about international fraud that could affect billions of people, but the article is presented in such a way that it is only instantly readable by a few hundred people. I've been reading Slashdot since 1996, so I'm totally used to the jargon. And I figured it out — so have thousands (or millions) of others ... but there is no real burden on the poster to spell out a few acronyms that make no sense to even a general audience (of nerds). This is more egregious than usual is all.

Re:More acronyms, please

[mysidia]

The Californians provide a document specifying their chosen Chicago Public School System, which is digested by THE POWERS THAT BE to decide if the Californian is trusted to introduce UAs (Utah and Alaskans) to servers and vice versa (partially based on their record of providing the proper tip amounts to their servers).

The problem is, this particular Californian has taken to introducing fake servers to the UAs (Utahns and Alaskans).

Re:More acronyms, please

[mmarlett]

See, now that's the smartassery I really enjoy. ;)

Re:More acronyms, please

[pseudotensor]

Whoever responded to mmarlett and complained he contributed nothing is dead wrong. I have no idea what CA's are. This is the first article in like 2 years of reading slashdot that I've been stumped on acronyms or initialisms. Bad summary for a major website -- end of line.

Re:More acronyms, please

http://lmgtfy.com/?q=ca+ssl
http://lmgtfy.com/?q=mitm+ssl

WOW! This newfangled google thingie is SOOOO COOL!

Re:More acronyms, please

[Tsingi]

Dear Mr. Coward:

i'm glad you didn't post anon so it can be known you're another one of those who thinks that people would agree with you if only they were as smart as you

It's a trivial bit of humour. And since it seems to have been modded up as funny, I'd suggest that there are some people who think it contributes.

OTOH, you did post anonymously. I'm sure you understand that no one gives a flying fsck about insults tossed up by a coward that can't stand up for what he says by signing his posts. In fact, you may have been the reason that it was modded up in the first place.

At the end of the day, he may not have contributed much, but you are an ass.

Re:More acronyms, please

[Dog-Cow]

There are between 6 and 7 billion people in the world. How many of them are using an Internet connection that routes through an Iranian-controlled network? This may affect millions, but hardly billions.

Re:More acronyms, please

[mmarlett]

It depends on if you think the effect of such an attack from such a country would only affect the computer traffic passing through. That is, the attack in this case could actually spill over into the real world where you have serious political unrest and violence that could actually affect billions of people — and not just "oh, my computer got hacked," but actual "someone bombed my house, can I stay at yours?" type effects. Given the provocative and sensitive nature of the nation in question, people who don't have computers could feel the effect of this particular MITM attack. It's not likely, of course, but it _could_ affect them. Billions of them.

I mean, I have never tried to get a pilot's license, but apparently if you don't have good enough security in Florida then you can wind up teaching the wrong people how to fly. And then you take a few of those guys and you put them on sufficiently insecure planes. And even though I haven't flown in or out of New York or D.C. in 15 years, three flights that did nearly a decade ago managed to affect (and continue to affect) billions of people. The planes only held a few hundred people and only 10,000 or so were in the buildings, right? Only eight million people live in NYC. The security around a commercial pilot's license in Florida couldn't possibly affect billions of people, right? Again, it's not likely, but ... really, it could be billions.

Re:More acronyms, please

[jd]

Yes, but how does this relate to Southern State Lobbyists (SSLs)?

English

[oldhack]

"Timothy", dutchman, learn to write in English.

Re:English

[X10]

I like to think that I'm fairly competent at English, thank you

Think so?

Re:English

[X10]

Total Fertility Rate? Temporary Flight Restriction? Traffic Film Remover?

Re:English

[X10]

6 digits, that's a lot, isn't it? and wtf does tf mean?

Idealistic?

[Gothmolly]

Did anyone really assume that SSL certs were legit? YOU'RE BUYING THEM - someone will always sell them to you. Suddenly self-signed, homebrew certs aren't so bad anymore are they?

Re:Idealistic?

[jamesh]

Did anyone really assume that SSL certs were legit? YOU'RE BUYING THEM - someone will always sell them to you. Suddenly self-signed, homebrew certs aren't so bad anymore are they?

If you can deliver the key (or even just the thumbprint) to me in a secure manner then i'm quite happy to use it to trust my connection to you. Otherwise I need to trust a third party to tell me that your certificate is actually your certificate and not someone else pretending to be you, which is the whole point of SSL. Well... and encryption of course, but that aspect is somewhat overrated in comparison.

Mozilla wants to blacklist the CA it seems.

[wvmarle]

I just looked through the bug report listed; at the end two very interesting comments:

So it seems Mozilla is basically going to blacklist that CA. I think that's an appropriate response: the CA has proven that their methods are flawed, and that there certificates can not be trusted. This one has been found out; who knows whether there are more out there? I surely hope this is a one-off incident but better safe than sorry. And it sends the message nice and clear to other CAs that they have to be really careful.

As of 9:26pm PDT this bug report has made the frontpage of slashdot.org [...] Please address this issue immediately.

A Slashdot side-effect :)

Re:Mozilla wants to blacklist the CA it seems.

[wvmarle]

For some reason the first quote went missing... I should have checked the preview of course:

It is my understanding that the patches that are being created will blacklist all DigiNotar-issued certificates based on "CN=DigiNotar " in the certificate issuer.

Re:Mozilla wants to blacklist the CA it seems.

[Co0Ps]

100% correct. They can no longer be trusted and should be instantly removed. If they come back with a full post mortem study, including the steps they have implemented for it to never happen again, plus a full list of all fraudulent certificates they have issued they should be reconsidered again, but only after sufficient penalty time has passed, say one year. This is to prevent other CAs from doing the same mistake.

Oh and the CA system is utterly broken. This is the scenario all security researchers anticipated and failed to be surprised by. When can we get a standard based on DNS-SEC instead?

Re:Mozilla wants to blacklist the CA it seems.

[fatphil]

Where can I see the proof that that weird Turkish CA, whose root cert is by default trusted by Firefox, has all the steps in place to ensure this kind of thing could never happen to them?

And that Hungarian one. And that Network Solutions one. And bloody all of them.

Re:Mozilla wants to blacklist the CA it seems.

[isorox]

As of 9:26pm PDT this bug report has made the frontpage of slashdot.org [...] Please address this issue immediately.

A Slashdot side-effect :)

Sorry, 1999 called. Slashdot used to have power and respect, but that was years ago.

Re:Mozilla wants to blacklist the CA it seems.

[Rich0]

Oh good, so I get to reinstall multiple browsers on multiple machines as a result of a single failure of a system destined to generate these failures twice a year.

Can we come up with a better way of managing trust than hard-coding a list of CAs in every single software package I install that uses SSL? Why should Mozilla be in the business of deciding who is trustworthy? Why not just have your software reference a single CA list at the OS level? For OSes that don't support it the list could be distributed as a software package that has its own update mechanism.

Also - rather than having 500 root CAs, you could just have one, and that CA could have a CRL (that fails-safe). So, to trust Thawte Mozilla (or better yet the distro) would sign Thawte's CA and distribute that certificate. Then if they no longer trust them they'd just revoke that signature.

We need to get away from hard-coding certificate white/blacklists in software.

And while we're at it, can we just ditch the CAs entirely and use DNSSEC and make the certificates a record at the domain level?

Re:Mozilla wants to blacklist the CA it seems.

[Co0Ps]

That's why we should have a standard based on DNS-SEC instead, just as I said.

This sounds and smells like a kdawson post

[uofitorn]

To two links to forum-type sources?

At the rate these CAs are doing this crap

[antifoidulus]

Maybe I should tell my browser to just accept certs signed by Bob's SSL Certs and Taco Stand, probably no worse than anyone else.(Bonus points if you get the reference)

Re:At the rate these CAs are doing this crap

[arglebargle_xiv]

Maybe I should tell my browser to just accept certs signed by Bob's SSL Certs and Taco Stand

Or Honest Achmed. I know his cousin Osman, he's OK.

bit of a red flag?

[slashmydots]

I'm not that informed on how certs work but if someone goes to a dutch CA and says they want a cert related to Google, wouldn't that be the one they'd double or triple check just in case it's not really Google? I mean, it's Google. Nobody doesn't know them and they wouldn't just randomly pick up a cert from a random foreign country, right? Or do they need muliple certs around the world or something so it wasn't that unusual? Either way, it's not that hard to make sure a google certificate isn't being requested from Iran...I mean, they're kinda different and easy to follow up on over the phone.

Re:bit of a red flag?

[ESD]

I think the easiest explanation for this would be that that would be a manual intervention in an automated process, which is expensive, so they won't do that. (The Dutch would rather throw a couple of millions at improving efficiency rather than accept a couple hundred thousands of losses because things aren't quite as great as they could be. Apart from that it commonly also happens at big companies, it's also a cultural thing. I've lived there for over a quarter of a century; fortunately I was able to get away from it a bit ;-p )

Re:bit of a red flag?

[wvmarle]

To debunk the last bit: it's not that hard for a spy operation to ask some friends in the US, possibly friends that are actually Google employees, to apply for such certificates. To have at least the request coming from a plausible source.

And on the rest... sure, should have raised plenty of red flags. Why would a US company ask a Dutch CA for a certificate? Why would an established site need a new or an extra certificate - a wild card (*.google.com) cert to boot? Now I have no idea how a CA certifies that the requester is actually the owner of a certain domain, it certainly failed badly in this case.

Re:bit of a red flag?

[jimicus]

And on the rest... sure, should have raised plenty of red flags. Why would a US company ask a Dutch CA for a certificate? Why would an established site need a new or an extra certificate - a wild card (*.google.com) cert to boot? Now I have no idea how a CA certifies that the requester is actually the owner of a certain domain, it certainly failed badly in this case.

Go buy a certificate some time. There are LOTS of CAs out there who will complete the transaction and give you a certificate in seconds. We'd like to believe that such CAs have some sort of process in place that flags up potentially fraudulent requests for human verification, but as this sort of thing demonstrates that's obviously not the case.

Re:bit of a red flag?

[mvdwege]

The problem is that this transaction should have failed even basic Domain Validation.

A validation request for *.google.com should have landed at a technical contact inside Google. So how did this come into the hands of the Iranian government?

The only thing I can think of is that Diginotar has fallen for the 'Domain Validation is not secure enough' scam, and has therefore used another out-of-band validation technique that was easily socially engineered.

Mart

Re:bit of a red flag?

[X10]

I think the easiest explanation for this would be that that would be a manual intervention in an automated process, which is expensive, so they won't do that.

The reason CAs charge so much is the security they have in place to prevent certificates going to the wrong people. Diginotar has spent a fortune on their building in Beverwijk, as if they were planning to store the country's gold there. Now they know that whatever the security of your building, if the people you employ are stupid, or worse, malevolent, there's no point in spending the money on a building.
I'll just stick with my own CA. If I trust you, I'll mark your cert as trusted. You do the same with my certs. No cost, everybody happy.

Re:bit of a red flag?

[wvmarle]

A validation request for *.google.com should have landed at a technical contact inside Google. So how did this come into the hands of the Iranian government?

Nothing states it didn't. Google has many technical people working for them - who says none of them are spies for foreign governments? OK running into conspiracy theory/paranoia terrain here of course. But in this kind of cases, particularly when dealing with popular domains like google.com, you'd better be paranoid.

Re:bit of a red flag?

[mvdwege]

As it turns out, the cert was issued by hackers during a break-in in July.

Something tells me my boss is very happy we didn't go with Vasco for our identity solution.

Mart

Re:Hooray for corporate control

[Jiro]

I believe Iran is run by a government. Whether they bribed the CA or hacked into the CA, it's certainly not free market capitalism.

Re:And thus you find out the real security weaknes

[tftp]

if you have gold-plated wenches, you end up with a James Bond movie.

The sad fact is that you don't even have to buy them gold-plated. They happily do that on their own, at your expense.

Anyone with a full list

[utkonos]

Can anyone add to a list of CAs that have been involved in anything like this?

I had already disabled all Comodo CA certs and and all COMODO certs in my browser after the comodogate incident. After I did that, I submitted complaints to any site that I noticed that use those certs (mainly Amazon's payment system). Other than all diginotar certs, which others should be deep sixed?

I am a firm believer that once there is a loss of trust, anything that company touches should be black holed.

Re:Anyone with a full list

[TheLink]

I am a firm believer that once there is a loss of trust, anything that company touches should be black holed.

Really? Do you still trust Verisign and Verisign owned companies (e.g. Thawte)? Verisign have screwed up, and worse also do ethically dubious
stuff ( http://en.wikipedia.org/wiki/Verisign#Controversies ).

BTW Symantec now owns Verisign's CA stuff not sure how much you trust Symantec but they certainly have screwed up before.

How about Mozilla? Or the other browser makers who have bundled CNNIC's (China Gov) CA certs in their browsers.

How about Entrust? They have signed CNNIC's CA cert, so even if you remove CNNIC's cert, an MITM by China might still work as long as your browser trusts Entrust.

I personally use Certificate Patrol, so if something is signed by CNNIC and it's a Chinese Gov site, it's no big deal, but if google/gmail is signed by CNNIC I'd get warned.

BTW I'm not that worried about the Chinese Gov - since I don't live there or work there, just using China because it's a popular bogeyman (with some justification since they certainly do bad stuff ;) ).

Non-sequitor

[Mathinker]

Everyone accepting self-signed certificates without checking who created them is going to make us all more secure against governments?

The problem is with the current trust model itself, as others have noted here. Changing it to blindly trusting everything isn't going to improve the situation (and that is what you are proposing, for Joe Sixpack, anyway).

Re:Non-sequitor

[Mathinker]

OK, I start to understand a bit more. One would have to provide some way for the browser to add exceptions for when you want to explicitly trust a particular self-signed certificate (and therefore have the connection be indicated as secure).

But face it, the reason no one encrypts the vast majority of web traffic is because it is totally uninteresting, and such encryption carries a cost (higher energy bill, higher maintenance cost, higher probability that a viewer will fail to be able to view your data). Yes, I know that this makes encrypted transfers "stand out" more --- but I don't think it's going to change in the near future.

Re:Non-sequitor

[GameboyRMH]

Good point, I say the same thing all the time. A self-signed cert is, at worst, no worse than an unsecured connection. So why raise an alarm? Treat it the same as unsecured, so that anyone who doesn't see the blue browser bar or whatever knows they can't trust the security of this connection.

Oh Good

[thegarbz]

Oh Good. We can visit something such as Gmail.com with a fraudulent certificate and no one would notice. But god forbid I self sign my home webserver certificate, that must be met with a wrath of a bright red page warning me about the dangers of a possible man in the middle attack and that no one should visit my site under any circumstances!!! /rage

But on a more serious note shouldn't this right now be a clear indication to those in defense of using SSL / TLS to establish identity that their system is horrendously flawed and that maybe self signed certificates are in fact not any worse then any certificate verified by a picture of Ben Franklin?

Re:Oh Good

[John+Hasler]

> ...system is horrendously flawed...

Is it? The fraud was discovered and the registrar has been blacklisted. Furthermore, you could be using Perspectives if you wanted to: it would have detected this.

Don't be too quick to exchange a tough system for a brittle one.

Re:Oh Good

[Rich0]

The fraud was discovered more than a month after it happened. In the meantime who knows how much havoc was caused.

SSL as it is presently implemented has a number of key problems:

1. It doesn't allow encryption without authentication. An encrypted and unauthenticated connection to a server is considered LESS safe than an unencrypted and unauthenticated connection.

2. Every software package out there has its own trust database. Do you think that every instance of this bad certificate is really going to get purged? How do you know that some random piece of software you have doesn't download updates using it and thus allows for remote execution of arbitrary code?

3. The trust database is just way too big. Do we really know that ALL of those CAs are secure?

4. The scope of trust is unlimited. If you trust a CA they can issue a certificate for anybody.

5. CRLs tend to fail-unsafe. No connection means everything is fine. So, we can't even use those when things go bad.

6. CA certification tends to be more about paperwork, process, and audits (one time, usually), and a hefty fee, and I haven't seen any evidence that this really promotes security.

There are a number of ways that most of these issues could be eliminated. DNSSEC comes to mind as a big one.

Re:Oh Good

[thegarbz]

Blacklisted has it? In what way? Are they simply not allowed to issue new certificates or did Mozilla release a silent update removing their certificate from the trusted authorities list?

Hint: It's not the latter.

Also I'm interested in how you turn this into a tough vs brittle system debate. I am talking about the benefits of using encryption to prevent snooping. You're talking about encryption to form a trust. Two quite different things, and your supposedly tough system has now on several occasions been shown to be untrustworthy.

Re:Oh Good

[unencode200x]

What is brittle about Perspectives or Convergence? I'm genuinely interested since I'm by not an expert in this field, but I it seems to be getting a lot of attention lately. I'd love to hear some counterpoints to the notary-based systems (especially since they can still coexist with PKI using CAs).

No need to wait

[sjames]

There's no need to wait for a patch. In Firefox, under preferences->advanced->encryption, select view certificates. Just select digi notar and either click delete or edit and then uncheck everything.

CAs must understand that they will be erased from existence by browser providers, security admins and end users if they violate the public trust in this way. They don't have enough bribes, threats, or lies to get out of the hole they dig for themselves when they sell out.

Re:No need to wait

[Greyfox]

Ooh that's neat. While I'm in there, how much do I trust Chunghwa... really?

Re:No need to wait

[wvmarle]

Trolling because that name sounds Chinese? And why would you trust Verisign and all the others?

The answer is: because trust is what their business is built upon. Break that trust, break your business, like what's now happened to diginotar. And that's why you can trust them: because they need you to trust them, and that's a good reason for such a business to be and to remain trustworthy.

That said of course we should remain vigilant. Trust is just that - trust. It needs independent verification, and how we can do that properly well I don't know yet. Other than staying vigilant, and reporting issues like this one as soon as they are found.

Re:No need to wait

[sjames]

And there's the real problem with the current structure. Too many CAs nobody's ever heard off, practically all of which consider profit to be the only thing that counts in the world.

Re:No need to wait

[Greyfox]

Well mostly due to the widespread rumors of Chinese corporate espionage and VERY widespread allegations of Chinese hackers actively employed by the government. Having a CA in their pocket would undoubtedly make that easier. Just speculation on my part, of course. If the life of my business is on the line, I'd really rather not find out after the fact that any particular CA was corrupt.

I doubt I'd be inclined to trust a CA in Iran or North Korea either, given the tense relations between our countries. If I were in China, Iran or North Korea I would no doubt be suspicious of companies based in the USA as well.

Re:No need to wait

[wvmarle]

Well I'll be the last to admit that China isn't a secretive country, with a lot of corruption going on as well. So for that part you're right. Yet the problem is - as proven with the diginotar case - that being found out just one time may put an end to your complete business, and invalidate any other certificates you issued. A very heavy punishment, one could call it a corporate death penalty, but it's the only thing we have to keep them in line.

This automatic trust we have to put in the registrars is an issue, definitely. And there'd better be some third parties (if only competing registrars) that check on issued certificates.

Mozilla, Google, MS all agreed to remove the CA

[yuhong]

http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
http://www.microsoft.com/technet/security/advisory/2607712.mspx

Liability

Question for lawyers. If I bought a certificate from DigiNotar, can I sue them for damages? My certificate is unchanged so I have not been directly damaged. However, their business model is based on trust and once they are blacklisted, my cert while not be useful.

Re:Liability

[plaukas+pyragely]

For starters just contact them and ask for a refund + switch to other provider.

Good!

[robbak]

Now all we need is for that to be an automatic response.
Then, the only way back in would be to fix the procedural issues, get properly audited, then generate a new root cert and reissue everyone fresh certs.
The huge cost of this might get them taking security seriously. And even saying "no"to governments.

That explains this pic on their site

[plaukas+pyragely]

From the front page: http://www.diginotar.com/Portals/0/Skins/DigiNotar_V7_COM/image/home/headerimage/image01.png

Re:That explains this pic on their site

[GameboyRMH]

Is that supposed to be Steve Ballmer in the background?

lovely

[roman_mir]

I love how every time when the discussion is brought up that browsers need to stop treating https with self signed certificates worse than they treat plain http (just don't show the lock icon, show an icon for the fingerprint, which would make it easy to display the fingerprint for comparing it to a known one), some fool immediately starts talking how browsers must treat https with self signed certs worse than http because https without CA means that your session is vulnerable to the MITM.

Of-course when it is pointed out that CA does not guarantee that there is no MITM either, the discussion dies out but the opinions never change.

Well how much longer will the opinions can stay the same with all the evidence that CAs do not in fact guarantee that there is no MITM?

More importantly: who is talking about browser being responsible to figure out whether there is MITM or not with a https and a self signed cert?

This cognitive dissonance needs to be eradicated.

Re:lovely

[fgrieu]

CA does not guarantee that there is no MITM either

Can you please explain, preferably with a link to a reference?
Common wisdom is that good CA + SSL should protect against MITM, including if the DNS service is comprimized.

Re:lovely

[roman_mir]

Are you saying the story that we are in is not good enough a reference on why you can't trust CAs selling certs? This is where you are replying right now, a story on why CAs cannot be trusted and how they can design MITM against you specifically, and you are asking me to provide more reference?

Re:lovely

[roman_mir]

Actually have you ever heard of MITM attacks against sites using self signed certs? Sure, it may come up, but where is any evidence? OTOH CAs selling certs is a much more likely vector of attack, as you are trusting somebody else with your certificate. I think a self signed certificate with a way to verify fingerprint is safer than a CA created certificate, there you go. I think it's not a hurdle, it's a very dangerous false feeling of security, and you don't know if CAs haven't been compromised and are not selling compromised certs actually even to banks, so that later somebody could cash out quickly and disappear with a bunch of money.

Banks and others need to think twice who their CAs are.

Re:lovely

[fgrieu]

I now see your point: a CAs does not guarantee against MITM in the same way a safe does not guarantee against robbery.

Re:lovely

[roman_mir]

I wonder if it's any better than what BadAnalogyGuy would say, but I don't trust CAs, people who work there have motive and opportunity to sell you certificates that are compromised. Give me a self signed certificate and a fingerprint any day and keep your certificates sold to you by CAs.

Re:lovely

[roman_mir]

TOR based certificate comparison is a possibility, of-course this is OK if the MITM attack is against your client and is not against the server.

If the attack is against the server, so what ISP is involved somehow, then it's a much more serious issue, if all your requests/responses to that server are always modified, regardless of where the requests are originating from. This type of attack cannot be solved actually if the same ISP is used by the server for all requests. In this case it is absolutely necessary to have the correct fingerprint on hands before connecting to the server.

One way of fixing this with current technology, is to have a white list of fingerprints that is constantly monitored by the site admins who are issuing the self signed certificates to make sure that nobody modifies the list.

Re:lovely

[archen]

http://monkey.org/~dugsong/dsniff/faq.html#How%20do%20I%20sniff%20/%20hijack%20HTTPS%20/%20SSH%20connections

Re:lovely

[itsdapead]

Well how much longer will the opinions can stay the same with all the evidence that CAs do not in fact guarantee that there is no MITM?

Total straw man. Nobody who remotely understands the system thinks that CAs guarantee no MITM. You could go and see the webmaster in person, shake their hand, look them in the eye, meet their parents, run a background security check, ask for three forms of photo ID and proof of address and then ask for their certificate fingerprint. That would reassure you that, if you are being scammed, you are at least being scammed by the professionals, but it would still represent the weakest link in any chain using decent strong encryption.

So, it boils down to risk. CAs are a million miles short of being a perfect, secure solution but they are far, far better than self-signed certificates. There may be better solutions in theory, but they're not available in practice - and none of them are going to be perfect. In a perfect world, banks and credit card companies would have stepped up to the plate and created a better secure system for banking and ecommerce, but they haven't. What the clients and customers want is a "transparent" identity verification system - and that is impossible to make totally secure. CAs are the best game in town.

More importantly: who is talking about browser being responsible to figure out whether there is MITM or not with a https and a self signed cert?

If they're ever going to display "the padlock" they need to perform both encryption and identity checking to check off on the "due diligence". That's de-facto established practice for browsers. If the ID check is invalid because of a corrupt CA, its not their fault.

Browsers aren't written for you - they're written for non-technical users who will mostly be visiting professional websites, and who certainly aren't qualified to judge whether a MITM attack is a significant danger to whatever they are doing. The best advice to such people is to avoid websites with self-signed certificates like the plague. If you tried to log on to your bank, and were warned that it was using a self-signed certificate, you'd run a mile - someone's personal blog, maybe not so much. The browser can't distinguish those scenarios so it offers its user the "least worst" advice.

If you run a website with a self-signed certificate, it means you are asking your users to unconditionally trust your identity. If your users know you personally, fine, but if you are dealing with strangers then that is a bloody irresponsible thing to do: thank the browser writers for covering your back. Either get a proper certificate; create your own CA and persuade your users to add the root cert to their browsers; or - when users call you to ask why their browser is warning them - smile and talk them through checking the fingerprint.

If you can dream up a better solution than CAs and get it widely adopted then the world will thank you. Currently, though, they're better than nothing.

Re:lovely

[swillden]

I agree, with the caveat that I think browsers should do ssh-style key history tracking. For all certs, not just self-signed, but it's especially important for self-signed certs. If I visit a site every day for a year and it always has the same certificate, that is actually a much stronger statement of trust than a signature by some random CA, but if that certificate suddenly changes there should be big red warnings. Further, I like the ssh model wherein the user is recommended to do some additional verification the first time they see a particular cert. It needn't be scary, and most users won't bother, but the offer should definitely be made and the user should have to make a deliberate choice to bypass it without verification.

It might also be good to allow the user to confirm if they have actually validated the fingerprint. If so, then the lock icon can be displayed. This might add too much UI complexity for most people, however.

Such an approach would play very nicely with Marlinspike's distributed notary system, BTW. A newly-seen cert (self-signed or not) should definitely be checked against all the notaries, but one that the browser has seen before, especially many times before, doesn't need the same level of checking. In fact, if a cert has been seen before, the browser should probably go ahead and display the site and then check with some notaries in the background.

Re:lovely

[roman_mir]

Total straw man. Nobody who remotely understands the system thinks that CAs guarantee no MITM

- how about you talk to them, before talking about 'straw man'?

So, it boils down to risk. CAs are a million miles short of being a perfect, secure solution but they are far, far better than self-signed certificates.

- bullshit. I mistrust every single CA signed certificate and I want a fingerprint. In fact I mistrust CA generated certificates specifically because they are CA signed certificates - they are not the site operators, why are they relied upon to be honest and trustworthy in the first place? I didn't go to their site, I went to a bank site or wherever else. I don't trust the CAs and I think they are paying off the browser development teams to make it look like self signed certs are a virus.

If they're ever going to display "the padlock" they need to perform both encryption and identity checking to check off on the "due diligence"

- "due diligence" is just another way to say CYA. I am not interested in their idea of what due diligence is, I want to see the fingerprint immediately and simply to be able to compare it to a known number.

Browsers aren't written for you - they're written for non-technical users who will mostly be visiting professional websites

- and it doesn't do them any good to give them this false sense of security. It is no better than the TSA "security" theater.

If you run a website with a self-signed certificate, it means you are asking your users to unconditionally trust your identity.

- nonsense, I am providing the fingerprint information and instructions on how to compare the data when accepting the certificate.

Either get a proper certificate

- the only "proper" certificate to connect to my resources AFAIC is the one created by me and not by some untrustworthy third party.

Currently, though, they're better than nothing.

- they are worse than self signed certificates. They are masking the problem, hiding it away instead of exposing the reality to the user.

There needs to be a distributed public directory of fingerprints that is available to all for verification.

Re:lovely

[tgd]

There needs to be a distributed public directory of fingerprints that is available to all for verification.

I'll avoid commenting on most of your comments. I'm sure others will tear them to shreds, if anyone particularly cares enough.

However, how do you suggest validating that public directory of fingerprints? You are subsituting one weak-but-better-than-nothing chain of trust with another means-absolutely-nothing chain of trust.

Re:lovely

[roman_mir]

Oh, please, do comment. I am not presenting a full solution, I am presenting the need. The need is in having a public and a free way to keep fingerprints and whether there are multiple copies with hashes that are checked one against another, whether the lists contain fingerprints as well as public certs, whether there is a way to see how long a fingerprint was in the list and if it changed at all and when and who changed it, all of it is just details.

The need is to have a distributed public and open way to keep fingerprints so that all parties - certificate owners and clients can verify those lists.

Re:lovely

[GameboyRMH]

For once I agree with you completely. I've been saying the same thing for a long time.

Re:lovely

[GameboyRMH]

Perspectives and I would assume Convergence, but Perspectives at least is broken in FF5+ (even if you override compatibility). The onyl bug is it doesn't override unsigned certs automatically (tjhe exact function you want :-( )

Give Convergence a try.

Re:lovely

[Thiez]

Because to many users, https implies a secure connection to a trusted (by the standard of at least some CA) website. If you want encryption without authentication, please give it another name, such as 'httpe' ('e' for 'encrypted'). Httpe could be exactly the same as https with the exception of blindly accepting self-signed certificates.

Re:lovely

[roman_mir]

well, that same fucking guy is trying to take away my dope. That's why I am for Ron Paul 2012.

Re:lovely

[Rich0]

I've posted to the same effect for years here.

I think you're looking at it from the wrong angle though. CAs do provide a higher degree of security from MITM. However, SSL without a CA is no more vulnerable to MITM than http without SSL.

That is my gripe - we sound alarms at self-signed certificates, but we don't sound alarms at plain http connections. If we really cared that much about authentication then we should get rid of non-SSL http entirely, as it is LESS secure than self-signed SSL.

And, rather than doing either of those, I'd prefer to just see SSL use certificates embedded in DNSSEC-protected DNS records. Maybe have a notation in WHOIS (also signed) as to whether the contact info was verified. So, for all sites you'd have strong assurance that you're connecting to the person who registered the domain, and then for an extra cost when registering a domain you could have assurance that the person who owns the domain is who they say they are. For most cases, just the lower level of security provides all the assurance you need.

Re:lovely

[itsdapead]

how about you talk to them, before talking about 'straw man'?

Seriously? From the first link: "I have no seen anyone say it's impossible to launch a MITM attack with a certificate that is verified, but it's much harder.". All the rest are saying that, without a CA, https: offers no protection against MITM. That is not remotely the same as "guaranteeing" (your words) that there is no MITM.

Perhaps people shouldn't bother locking their doors: a locked door is no guarantee that you won't get burgled.

- bullshit. I mistrust every single CA signed certificate and I want a fingerprint.

Hurrah for you. Now, how do you know that the fingerprint is valid? Did your bank send you a fingerprint by mail when you signed up to their online banking service? No? Complaints on a postcard to your bank - not Mozilla. How do you think online shopping would go if the store had to snail-mail you a fingerprint on headed paper before you could buy anything? You'd do background checks on the store to check that they weren't a bunch of phishers with a room over a fish shop in Somwherzistahn and a big box of letterhead, of course,

If you run a website with a self-signed certificate, it means you are asking your users to unconditionally trust your identity.

- nonsense, I am providing the fingerprint information and instructions on how to compare the data when accepting the certificate.

Dear Mr Reman Mur,

At Megabank we are valuing your continuing security. Please logging in immediately to your acnount at [a href="www.phisherland.xxx?url=www.megabank.com"]www.megabank.com[/a] to confirming your status.

To value your scurity we are use a "Self Sined Certificat" which is more scure than usual. You should checking the Certificate Fingerprint as A6:16:23:91:16:91:BE:82:F3:9A:22:45:C7:19:37:19:CC:AF:11:44 to ensuring it is validated.

Yours
NBWANGI ONITALI
Megabnak Online Scurity Officer

...yeah, that works. The most reliable security feature should be the crook's inability to spell and/or not spam people with phishing attacks for banks they don't use. Somehow, that doesn't seem to be the case.

(Since I've had emails from perfectly legitimate companies who thought it would be a jolly good idea to send out emails with URLs redirected via some sort of analytics company - so the URLs looked pretty much like that - and my bank regularly cold-calls me and asks me to answer security questions - its hard to be too critical of people who can't spot bogosity).

Its the banks and major e-commerce sites' job to fix this situation, not the browser authors who have to adapt to what is out there. However, if you're looking for a usable identity verification system that doesn't rely, at some stage, on people paying an intermediary to vouch for their online identity, you'll have a long search.

Re:lovely

[roman_mir]

I distribute a document on a disk to the users of my systems (chain stores and suppliers), there are instructions on the disk as well as printed out on paper. This is not going to work for everybody, that's why I am leaving these comments here.

Re:lovely

[itsdapead]

I distribute a document on a disk to the users of my systems (chain stores and suppliers)

So anybody could send a fake message to one of your users giving them a new fingerprint. Or, if someone MITMd your site they could route people through a page that told them the fingerprint had changed. I've no idea whether your line of business involves sufficiently valuable information to make you a viable target for such effort and, critically, neither do the browser writers. Your system still doesn't guarantee anything - your users have to trust that the document really is from you, and you have to trust your users not to fall for simple social engineering and you add the disadvantage that you have to physically distribute fingerprints (with some sort of physical anti-counterfeiting arrangement, and all the contingent arrangements for when people lose/forget them or if you have to change your server certificate). The current CA system could doubtless be improved, but ultimately you have two choices: distribute key fingerprints with appropriate physical precautions or use a trusted third party to verify identity. Both are imperfect.

Re:Try asking him in Dutch

[FormOfActionBanana]

Er staat een paard in de gang.

We work for cash, not for fun; we want our cash...

[rts008]

Make an appointment and come to our office.
Oh yeah, bring money. Preferably, a lot of money.

          signed, your lawyers:
Dewy, Cheatem, and Howe

It's also pointless in this case

[Chuck+Chunder]

Someone capable of doing a MITM attack with a dodgy cert is almost certainly going to be in a position to stop you hitting a CRL.

Re:It's also pointless in this case

[LazyBoot]

Wouldn't that be a good time to throw up some sort of warning?

What's with you retards and "references"?

What's with you fools always screaming about "references"? Why the hell can't you open your own eyes and critically analyze a situation or a claim yourself? Why do you need some "reference" to some bullshit paper spewed out by a no-name academic, or some article published by some for-profit mainstream news outlet, or even a shitty web page put together by some crazy-ass redneck?

It's no wonder that you have trouble seeing the flaws with CAs and the chain-of-trust. You hold this vague idea of "references" above all else, even when it's clear to everyone else how obvious the flaws are. Replace "reference" with "CA" and you've still got the same broken system. The low-quality, quasi-bullshit "references" you request constantly, and blindly depend on, are no different from the many scumbag CAs out there.

Re:Try asking him in Dutch

[rickb928]

Well. That well.

Apparently you did not, either.

Extra four characters in headline :P

[mauri]

Hi all.

The headline has some spurious characters, namely the last four.
Iran is red herring here...

just my 0.0001 ounces of Aurum

Re:DUTCH ?? DOPERS MORE LIKE IT !!

[X10]

There are no alligators in polders in Holland.

Related: Facebook pure HTTP tracking system

[GameboyRMH]

Did you notice that you're getting a lot of HTTPS certificate changes from Facebook when browsing sites with Like buttons over the last week or so? I'm running a fully locked down Firefox (NoScript, Flashblock, CookieMonster 1.5, BetterPrivacy, CertPatrol, Perspectives, HTTPS-Everywhere) and I'm getting these warnings even though I haven't whitelisted Facebook anywhere.

I was curious so just as I was writing this I inspected the source of a Wired page I had open. Look at this gem:

<iframe src="http://www.facebook.com/widgets/like.php?href=http://www.wired.com/autopia/2011/08/no-public-transit-no-job/&amp;layout=button_count&amp;show_faces=false" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:450px; height:25px;" allowTransparency="true"></iframe>

So even if you were browsing with Lynx they would still track you using this iframe. But this isn't an HTTPS link. So I checked my HTTPS-Everywhere list and sure enough, it will force any connections to Facebook over to HTTPS connections, triggering a bajillion cert change warnings from CertPatrol.

Fun fact: I got these warnings on my home laptop which I'm pretty sure has Do Not Track enabled, will have to double check that though. What's the status of the "Do Not Track" legislation?

So now if you want to block Facebook tracking you may have to resort to a HOSTS file (please don't chime in APK). Anyone know of a Firefox plugin that works like a browser-specific HOSTS file? Because HOSTS files are a last-resort hack IMO.

This is pretty new, I knew it was technically possible but I thought all Facebook's tracking systems relied on JS, maybe I'll write a journal entry about this and submit it.

Re:Related: Facebook pure HTTP tracking system

[GameboyRMH]

And yes I realize it's really a *pure HTML* (at least as far as the client is concerned) tracking system. Have a million things going on at work right now.

Re:Related: Facebook pure HTTP tracking system

[tomtomtom]

That's for the Facebook "Like" button but this technique is also commonly used by Ad networks - I suspect you only noticed it here because HTTPS-everywhere will force the facebook connection to SSL (and AdBlock Plus won't block the Facebook "like" button normally). Certificate Patrol will then alert you to the certificate changes.

Look into using something like the RequestPolicy extension if you want more control over which off-site content gets loaded - it lets you implement a deny-by-default type policy in a similar way to NoScript; however you quickly find that a lot of sites put CSS and/or images on different domains which can be annotying - so it's worth checking out Ghostery instead (or as well as a more permissive default policy) if that bugs you.

Re:Related: Facebook pure HTTP tracking system

[Tomato42]

Google offers most javascript libraries (like jQuery) on their servers.

Allegedly it does speed up the 'net because the browser can use the cached version of the script.

Re:instant deletion of the CA: O RLY?!?

[jlebar]

This does nothing for all the 3.6.x series firefox users.

We released 3.6.21 yesterday to remove the Diginotar root cert.

http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

Re:instant deletion of the CA: O RLY?!?

[Gerv]

Justin: sadly not so, 3.6.21 is not released yet. It will be in the next 48 hours, though.

They are indeed comparable

[Burz]

How else can a gov't jail 1% of its adult population at any given moment? Any government with a "war-on-something" at home is in the business of nullifying civil rights and should be considered at least an honorary member of the totalitarian club.

The main difference here in the USA which helps keep the 'freedom' charade going is that we have a great deal of material and cultural excess to indulge (and to drown out discussion of serious issues). Once that abundance dries up, even conversations such as this one will meet with repressive tactics.

Re:Paranoid seeks confirmation from other paranoid

[GameboyRMH]

Hashes at first use? AKA what the guys at the Perspectives project call the "prayer method?" (Pray you're not getting MITM'ed the first time).

Re:CA site hacked?

[GameboyRMH]

Getting a 404 on that URL.

Upside?

[TheCarp]

I am pretty happy to see this. Why? Because, come on, who didn't know this would be a problem eventually?

This is the biggest Achilles' heel in all of PKI... the need to trust the CA! Yet, there are WAY too many of them, all trusted by default. We have known the Department of Homeland Stupidity has had their own trusted CA, should we be surprised that any national government is capable of shopping around for one that will give them the certs they claim to need and should have for some reason?

The ONLY answer is.... burn the default trusted CA list. Give users more and better tools for accepting certificates. It has to be more explicit and open, less closed and controlled. Personally, I would like to never trust this CA again....there is no tool to help me with that. I can pull it from my system CA lists, but then I have to do that everywhere... and i have to remember to keep it up, and remember any others that I don't trust.

I would much rather a personal trust list that I can work with....shit... maybe even sync though a service like firefox sync or UbuntuOne or some such... it needs to be easy to use, transparent etc. Even better would be to see this handled at a system level, and let all apps get their trust list from there.

This would even allow smaller CAs like CACert to be on more equal footing....if nobody is just "allowed by default" then nobody is inherently harder to use.

-Steve

google considered harmful

[Thud457]

http://letmebingthatforyou.com/?q=ca%20ssl
http://letmebingthatforyou.com/?q=mitm%20ssl

DNSSEC bad idea for total cert trust

[psyclone]

Each ccTLD operator is not necessarily limited to just the domains under that ccTLD. If China maintains a root server, and they have the private keys for the root, they can then sign their own .com keys, and then sign domains under .com. (And even if they only have the .cn private keys, and SSL trust was solely implemented in DNSSEC, now you can't trust your SSL connection to any .cn domain!)

Using DNSSEC for publishing certs and extra identity information is a cool idea, but it's not a good idea to replace all other trust mechanisms. Granted, the current CA model is broken, but there are good ideas out there for distributed models where we don't have to trust governments.

Marlinspike makes some good points here.

Statement released

[lochii]

http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

Dutchman

[lbmouse]

Am I the only one here who always puts "Flying" in front of "Dutchman" whenever I see that word?

Hard-coded CRL?

[bill_mcgonigle]

Why hasn't mozilla or someone else made a simple addon for maintaining/importing CA CRL lists

CRL's are being supplanted by OCSP <WP:Online_Certificate_Status_Protocol>.

The patchset has details, but, I don't get why Mozilla's OCSP service isn't sufficient here. Mundanes aren't allowed to view this bug:

// Bug 682927: Do not trust any DigiNotar-issued certificates.
// We do this check after normal certificate validation because we do not
// want to override a "revoked" OCSP response.

Here they're hard-coding a CN check:

if (strstr(node->cert->issuerName, "CN=DigiNotar")) {
    isDigiNotarIssuedCert = PR_TRUE;
// Do not let the user override the error if the cert was
// chained from the "DigiNotar Root CA" cert and the cert was issued
// within the time window in which we think the mis-issuance(s) occurred.
    if (strstr(node->cert->issuerName, "CN=DigiNotar Root CA")) {
      PRTime cutoff = 0, notBefore = 0, notAfter = 0;
      PRStatus status = PR_ParseTimeString("01-JUL-2011 00:00", PR_TRUE, &cutoff);
      NS_ASSERTION(status == PR_SUCCESS, "PR_ParseTimeString failed");
      if (status != PR_SUCCESS ||
          CERT_GetCertTimes(serverCert, &notBefore, &notAfter) != SECSuccess ||
          notBefore >= cutoff) {
        return SEC_ERROR_REVOKED_CERTIFICATE;
      }
    }
  }

And, this is quite interesting:

// By request of the Dutch government
  if (!strcmp(node->cert->issuerName,
              "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") &&
      CERT_LIST_END(CERT_LIST_NEXT(node), serverCertChain)) {
    return 0;
  }
  }

I wonder what the Dutch government knows - it would imply more than a 1-off problem since the chain should provide a level of isolation.

Nonetheless, there should be code changes required for this sort of problem. Maybe Mozilla doesn't have an OCSP responder running for its roots certs yet?

Re:Hard-coded CRL?

[bill_mcgonigle]

Argh.

- Nonetheless, there should be code changes required for this sort of problem.
+ Nonetheless, there shouldn't be code changes required for this sort of problem.

Re:Try asking him in Dutch

[hendrikboom]

You're just horsing around in the hall.

Re:Try asking him in Dutch

[FormOfActionBanana]

of the neighbor, Mrs. Jansen.

Re:CAs Need To Go

[Lennie]

Because DNSSEC hasn't been widely deployed yet (think like IPv6) and because many believe DNSSEC is the same as the single CA-system but indirectly controlled by the US-gov (the DNS-root is handled by http://en.wikipedia.org/wiki/ICANN ).