Slashdot Mirror


Rogue SSL Certs Issued For CIA, MI6, Mossad

Orome1 writes with this excerpt from Help Net Security: "The number of rogue SSL certificates issued by Dutch CA DigiNotar has ballooned from one to a couple dozen to over 250 to 531 in just a few days. As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates for domains of a number of intelligence agencies from around the world were also issued during the CA's compromise — including the CIA, MI6 and Mossad. Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, Wordpress and many others."

152 comments

  1. Wow... by fuzzyfuzzyfungus · · Score: 1

    "*.*.com". I could really use a wildcard cert that wild...

    1. Re:Wow... by FriendlyLurker · · Score: 5, Interesting

      Related: Forget Rogue, Microsoft handed ability to intercept SSL on windows (Another Wikileaks revelation, translated) to Tunisian dictator Ben Ali, apparently in return for contracts, stifling open source competition etc etc in Tunisia and allowing them to intercept Facebook, Google,... before the Arab spring revolution took place.

    2. Re:Wow... by AVee · · Score: 4, Informative

      And according to TrendMicro 'someone' made rather heavy use of the diginotar certificates on ~40 different networks in Iran: http://blog.trendmicro.com/diginotar-iranians-the-real-target

    3. Re:Wow... by yakatz · · Score: 2

      Unfortunately (or fortunately, depending on your point of view), most browsers do not support nested-wildcard certificates.
      (I have tried it).
      The CA I usually use catches it and warns you, but some other CAs take your money and leave you with a mostly-useless certificate.
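
The name-matching rule behind the comments above, as an added example that is not part of the thread: a wildcard is honoured only as the whole left-most label and stands for exactly one label, so `*.*.com` never matches anything. The function names are hypothetical, and the "at least two literal labels" check is a simplification of the public-suffix check real browsers perform.

```python
def check_wildcard(pattern: str, hostname: str) -> str:
    """Return "match", or a short reason why `pattern` does not cover `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h:
        return "empty label"
    # No wildcard at all: plain case-insensitive comparison.
    if not any("*" in label for label in p):
        return "match" if p == h else "name mismatch"
    # Nested wildcards such as *.*.com fail here.
    if any("*" in label for label in p[1:]):
        return "wildcard outside left-most label"
    # Strict policy: the wildcard must be the entire left-most label.
    if p[0] != "*":
        return "partial-label wildcard not accepted"
    # Simplified stand-in for the public-suffix check: refuse *.com, *.org, ...
    if len(p) < 3:
        return "wildcard directly under a top-level domain"
    # The wildcard stands for exactly one label, never zero or several.
    if len(h) != len(p):
        return "wildcard covers exactly one label"
    return "match" if h[1:] == p[1:] else "name mismatch"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    return check_wildcard(pattern, hostname) == "match"


# Constructed sample names, not taken from the rogue-certificate list.
SAMPLES = [
    ("*.*.com", "www.example.com"),
    ("*.example.com", "www.example.com"),
    ("*.example.com", "a.b.example.com"),
    ("*.example.com", "example.com"),
    ("*.com", "example.com"),
    ("f*.example.com", "foo.example.com"),
]

if __name__ == "__main__":
    for pattern, host in SAMPLES:
        print(f"{pattern:16} vs {host:18} -> {check_wildcard(pattern, host)}")
```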

    4. Re:Wow... by Arancaytar · · Score: 1

      Ben Ali should ask for his money back.

    5. Re:Wow... by BCoates · · Score: 4, Interesting

      Not really. Any government can get their state CA included in the windows root CA list just for the asking. OSX and Firefox are slightly more restrictive, but not in a useful way, they allow lots of state CAs as well.

      This is a broad problem with the HTTPS system, too many unrestricted root CAs with no concern for realistic security scenarios.

      This is not a good system, but it has nothing to do with Tunisia. The wikileaks cable you posted doesn't even talk about SSL, just about how using supported Microsoft software in the government will make the government more effective at everything, including domestic espionage.

    6. Re:Wow... by initialE · · Score: 1

      Any government can get their state CA included, but any user can have the CA revoked on their own computer. The problem with the intercept is that you can remove the CA, only to have it magically reappear upon visiting a site signed by their certificate.

      --
      Starbucks, Harbuckle of Breath.
    7. Re:Wow... by Kalriath · · Score: 1

      That doesn't even work, browsers would reject that as invalid.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    8. Re:Wow... by BCoates · · Score: 1

      Is there any evidence that any attacker has used certificate update to do that, or do people just not know how it works?

      On Windows, removing a CA from the CA cache does nothing, you have to add it to the untrusted list.

  2. PGP-based system? by ksd1337 · · Score: 1

    I wonder. Would it be possible to create a system that used PGP instead of SSL/trust-hierarchy? I would think it'd be a lot more secure, not to mention easier to use.

    1. Re:PGP-based system? by GameboyRMH · · Score: 1

      How would handing out PGP keys be any different from using self-signed certs? Although it's obvious now that self-signed certs would definitely be an improvement.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:PGP-based system? by Dahamma · · Score: 1

      How would using self-signed certs be an improvement? As long as the CAs that do this are revoked it seems like it would still be a more secure system than requiring the end user to manually trust every single HTTPS site on the internet. Most users would never know the difference from a spoofed web site with a self-signed certificate vs a spoofed web site with a CA-signed certificate...

    3. Re:PGP-based system? by GameboyRMH · · Score: 3, Informative

      Self-signed certs are an improvement because they're harder to forge or steal. In case you haven't been paying attention over the last few years, we have this thing called Distributed Verification AKA an SSL Notary system to prevent MITM attacks.

      The centrally controlled system of CAs relies on perfect security at the CA (which as we've seen, they don't have) and a constant game of whack-a-mole to revoke certs. Long story short we have to stop using certs for authentication, it was a stupid idea but we all crossed our fingers and hoped it could work, but as we can see now, it can't. It's better to just use a self-signed cert that can't be stolen or forged at your choice of a few convenient locations and use distributed verification to prevent MITM attacks. That way you know you have an encrypted connection between your PC and the web host using the same cert other people around the world are seeing, and that's the most you can hope for without sending out-of-channel information (which isn't the worst idea in the world, BTW) or relying on some idiotic system of "trust dealers" like CAs which are just a disaster waiting to happen.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:PGP-based system? by iluvcapra · · Score: 1

      PGP at least has a mechanism for webs of trust, so if two or three of your trusted friends trusted bankofamerica.com you would be able to trust it yourself, and if you wanted to verify it yourself you could go to a branch and witness the fingerprint, hopefully posted somewhere in plain sight but where it can't be easily tampered with, like behind the teller glass.

      For most people the trust of three friends, or the trust gained by obtaining a fingerprint at the brick-and-mortar branch would be more than sufficient for most kinds of commerce. But it's not boneheaded simple, and it requires you to undertake your own trust process, so there's a stumbling block and most people wouldn't bother.

      OTOH, The system we have now, where system software and hardware vendors promulgate trust is acceptable -- if you don't trust your hardware or OS vendor, you're screwed no matter how you look at it, because a hardware/OS vendor can always circumvent software security. The problem is when a root authority suddenly is discovered as untrustworthy, in which case people have to go through and manually revoke certs. But in PGP, if you suddenly found one of the agents in your web of trust was a malefactor, you just end up with the same problem.

      --
      Don't blame me, I voted for Baltar.
    5. Re:PGP-based system? by GameboyRMH · · Score: 2

      And how is this web of trust better than a distributed verification system like Perspectives / Convergence? I think asking Average Joe users to attend key signing parties is a bit much.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:PGP-based system? by avgjoe62 · · Score: 1

      Did someone say a key party? I'm there, as long as there are hot chicks too!

      --

      How come Slashdot never gets Slashdotted?

    7. Re:PGP-based system? by GameboyRMH · · Score: 2

      Hot chicks? Oh yeah you bet!...most likely...probably...

      Anyways, here's a pic of some of the hot action you might get to be a part of!

      http://en.wikipedia.org/wiki/File:FOSDEM_2008_Key_signing_party.jpg

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:PGP-based system? by Kalriath · · Score: 2

      Why, oh why, do "FOSSies" constantly suggest unworkable solutions that simply would not work for the vast majority of people on the internet? "Web of trust"? Really? Unless you plug that into some kind of by extension untrusted system (like Facebook, MSN, or something of the like) then no one except the "nerds" will bother to set up that web - resulting in the same security we have now. "Verify fingerprints at the branch"? No one (not even most nerds) will bother with that - the very thought of expecting normal, average people to go "verify" a 64-character (or longer) SHA-1 thumbprint in the flesh is laughable. They'll just click "accept" like they do now, and wonder why someone in Zimbabwe stole all their money.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    9. Re:PGP-based system? by WNight · · Score: 1

      Self-signed certs would be an improvement because they wouldn't implicitly promise anything they couldn't deliver.

      Also, if we all used self-signed certs we'd know how to check them. The bank would have its cert fingerprint on its business cards. If you called up, the receptionist would know what a key fingerprint would be.

      The situation was a failure in concept alone, then they picked Verisign to implement it and it went from bad to intentionally criminal. Then they opened it up to everyone and their dog and it didn't change much, it only got cheaper, which is good I guess because snake-oil doesn't need to be expensive.

    10. Re:PGP-based system? by Dahamma · · Score: 1

      It's a good point in theory, the problem is in practice it's an economic tradeoff between security and cost (cost being all of implementation, customer support, and general complication ie. online revenue for the majority of consumers who just "doesn't want to know").

      Just look at the credit card companies for an example - the system is horribly insecure but they have calculated that the overhead in implementation costs (minor) + lost usage/revenue for customers having to do *anything* extra to buy shit online (major) isn't worth making it any better.

    11. Re:PGP-based system? by Anonymous Coward · · Score: 0

      Holy shit. I used to think that Ruby on Rails conferences were total cockfests, but at least there were one or two women there (usually organizing the event, since Railers can only do stuff when it's Rails doing it for them). This key signing "party" would make even the most flaming of homosexual males feel uncomfortable, due to the huge amount of penis that's present.

    12. Re:PGP-based system? by iluvcapra · · Score: 1

      I'm not saying that people would actually verify fingerprints, but it's a solution of a sort, and really the only kind that is resilient to CA malfeasance. You're never going to be able to create a system where a user needs to know NOTHING about his chain of trust AND is immune to authority corruption. If people learned to remember people's phone numbers, something that must have seemed daunting and ridiculous to a telephone engineer in 1890, verifying a PGP fingerprint is on the same level of complexity.

      I am so far from a FOSSie it's not even funny.

      --
      Don't blame me, I voted for Baltar.
    13. Re:PGP-based system? by tibit · · Score: 1

      I'm afraid the solution to this problem will be only reached when we enter a true information age. That must mean that kids in grade school will learn what the web of trust is and how to apply it, just as they learn how to fill out a check, calculate a tip, or write a formal letter. Our system of education has pretended the last two decades didn't happen. As an experiment, I've explained the basic concepts of encryption and how it relates with trust and MITM attacks to my 7 year old, and she understood it all. So yes, it can be explained, and explained early, and if you miss that at a certain age, you pretty much remain computer illiterate and vulnerable...

      --
      A successful API design takes a mixture of software design and pedagogy.
    14. Re:PGP-based system? by tibit · · Score: 1

      Haha. Yes, people would need to actually verify fingerprints, that's what the heck they are for. Just as you would verify the ID of someone you're doing significant amount of business with. It needs to become a part of culture, something that everyone learns about in grade school, and only then will it be taken for granted.

      --
      A successful API design takes a mixture of software design and pedagogy.
    15. Re:PGP-based system? by WNight · · Score: 1

      And the cost is nice and minimal, until there's - oh let's just say - an intrusion at a cert provider that let the attacker generate 500+ certs, and then a scripted attack hits and drains hundreds of billions before bringing the economy to a standstill for fear of fraud and/or locked accounts.

      The problem with security flaws is that their potential cost is usually something like "an order of magnitude larger than our revenue for a decade" or some other absolutely unbearable cost.

    16. Re:PGP-based system? by Dahamma · · Score: 1

      and then a scripted attack hits and drains hundreds of billions before bringing the economy to a standstill

      Great for a movie plot, but luckily in the real world there are plenty of other safeguards guaranteeing these things don't pass a level those companies consider "painful".

      Not that I'm not saying the system isn't a bit bizarre - my CC number was used just a few weeks ago to make a couple of fraudulent purchases before the account was automatically disabled. In the end it was both disturbing how easy it was for someone to use my credit card, and impressive how a couple of minor charges were so quickly and accurately detected as fraud...

    17. Re:PGP-based system? by FireFury03 · · Score: 2

      In the end it was both disturbing how easy it was for someone to use my credit card, and impressive how a couple of minor charges were so quickly and accurately detected as fraud...

      On the other hand, the fraud detection systems on credit cards can often be a pain to customers because they get a large number of false positives. My cards have been disabled numerous times because the bank thought that I was making a fraudulent transaction, usually either when I made a card-not-present purchase over the phone, or when I was away from home and therefore not within my normal pattern of transactions and locations.

      The bank's automated systems do phone me to tell me that they have detected fraud, but this isn't helpful if I'm away on holiday somewhere where I can't get a mobile phone signal - I could be left without access to any money for a week until I can get somewhere where there is a phone signal. Also, usually they require that I phone them back on an 0845 or 0870 phone number to confirm the transaction is ok, which is quite costly to me (but not to them - they get paid to receive calls on these numbers, which makes it not really in their interest to improve the system).

      I'm also increasingly finding that the banks engage in security theatre, implementing systems that inconvenience their customers whilst providing no extra security. For example, to "increase security", one of my banks now requires me to remember about 15 random digits that can't be changed in order to log into the online banking system. They advise that I must not write down these digits... needless to say, I wrote down the numbers because I'm buggered if I can remember 15 random digits. Does this really increase security? If it were 4 digits then an attacker would require an average of 500 attempts to log in and I would hope the bank's login system would lock the account out long before that many attempts were made. In fact, making the login details impossible to remember actually decreases security because the user is forced to write it down.

      Another example is the crazy 3Dsecure system, which involves the customer entering confidential details into a web page that is served from some random unrecognisable domain (it isn't the website they are purchasing from, it isn't their bank, it isn't visa/mastercard themselves, it is some random third party domain).

      One thing I have found good is Santander's recent introduction of SMS OTP - if I make a money transfer via their web banking system, it will SMS me a one time passcode which I then enter before the transaction goes ahead. This works well for me because I pretty much always have my phone with me, and is much better than the other banks I deal with who have bulky "card reader" devices to generate keys, which are almost as big as my phone and I'm not going to carry them around with me so web banking suddenly becomes a lot less useful.

    18. Re:PGP-based system? by TheLink · · Score: 1

      I don't know if it works for your bank, but I've let my bank know that I'm travelling to "Country X", so that they don't disable my credit card if I try to use it there. Nowadays I don't bother though...

    19. Re:PGP-based system? by WNight · · Score: 1

      Great movie plot, sure. Like we all believed a virus could infect a computer here or there but there's no way anyone accepts the story of a worm owning a network of hundreds of thousands of computers. That's just too far fetched.

      You don't understand scriptable attacks. This isn't just possible, it's probable. When a hole is found it'll be used all at once.

      Flash-crash. Get used to it.

    20. Re:PGP-based system? by Kalriath · · Score: 1

      Good to see some frank discussion there - many on this site would simply throw a troll mod or ad hominem insult because they disagree.

      I agree on the topic of phone numbers there, but I think it's important to remember that an SHA-1 fingerprint is a buttload longer than a phone number, and I imagine that people would do business with a darn sight more companies for which they'd have to memorise their fingerprint for than they currently remember phone numbers for. This would lead to the rise of services like phone books and directory service websites for certificate fingerprints, which would re-centralise control of the authentication infrastructure again, completely defeating the purpose. No matter what, there is always going to be someone that we have to trust to say "yes, this domain and certificate are owned by this entity". The best we can do is ensure that the Authority is one that can be trusted to be truthful in exercising that authority.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    21. Re:PGP-based system? by Kalriath · · Score: 1

      Very true, but then what do we do until that generation is the only one left? So long as our generation, and our progenitors, and their progenitors are still around, we still have generations that simply can't grasp the concept. Do we simply write them off and say "too bad, so sad"? Do we implement some horrific mongrel of a transitional system that only barely achieves the objective? I think this may well be one of those cases where inertia is the enemy. And no one beats inertia.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    22. Re:PGP-based system? by tibit · · Score: 1

      We need to educate the adults, too. I think that ultimately the problem is that people don't care, they want things to be easy -- at least that's how the American society wants things. They don't want to care nor understand where that blasted pop-up came from, if it's official they just want it to go away, even if it means paying for a fake antivirus. The same caliber of people are ripe for indoctrination of various sorts: they don't want to understand, they just want to be told what to do... Perhaps we can indoctrinate them about encryption and trust.

      --
      A successful API design takes a mixture of software design and pedagogy.
  3. This pisses me off by cc1984_ · · Score: 1

    It pisses me off how I have to jump through so many damn hoops only to get a false sense of security. We might as well go to using self signed certs as the norm for all the added security CAs give us.

  4. Can we move on now? by ka9dgx · · Score: 5, Interesting

    We've now had proof positive that no centralized trust system is workable against a sustained attack. Can we start to get some distributed trust systems in place, instead? The idea of a single proof of identity has failed. It's time to move on to a system that allows multiple checks and balances.

    Monocultures are great for creating massive failures, which is why nature wipes them out over time.

    1. Re:Can we move on now? by Anonymous Coward · · Score: 2, Interesting

      Delete all your root certs. Add sites on an individual basis.

    2. Re:Can we move on now? by Ken_g6 · · Score: 2

      Can we start to get some distributed trust systems in place, instead?

      I suggest getting some Perspectives on the whole issue. Not only does it bypass warnings about self-signed certs, it gives an extra warning if a secure site looks hinky despite a valid cert.

      --
      (T>t && O(n)--) == sqrt(666)
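
A sketch of the distributed-verification check described in this comment and in GameboyRMH's earlier one, added here as an example and not taken from Perspectives or Convergence: the client compares the fingerprint it was served with what independent notaries have been seeing, and requires a quorum that has held for a minimum time. All names, thresholds and fingerprints below are hypothetical and constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    notary: str
    fingerprint: Optional[str]  # None: notary unreachable or has no record
    days_seen: int = 0          # how long this notary has seen that fingerprint


def evaluate(local_fp: str, ca_valid: bool, observations: List[Observation],
             quorum: float = 0.75, min_days: int = 2) -> str:
    """Decide whether to trust the certificate we were served.

    local_fp  fingerprint of the certificate presented on our connection
    ca_valid  whether it also chains to a root CA in the local trust store
    """
    if not observations:
        return "no-notary-data"
    # A notary agrees only if it has seen the same fingerprint for long enough.
    # Unreachable notaries count against the quorum.
    agreeing = sum(1 for o in observations
                   if o.fingerprint == local_fp and o.days_seen >= min_days)
    if agreeing / len(observations) >= quorum:
        return "trusted"  # holds for self-signed certificates too
    others = {o.fingerprint for o in observations
              if o.fingerprint is not None and o.fingerprint != local_fp}
    if ca_valid and others:
        # A CA vouched for it, but the rest of the world sees another cert:
        # the shape of an interception using a mis-issued certificate.
        return "warn-ca-valid-but-notaries-disagree"
    if ca_valid:
        return "warn-not-yet-corroborated"  # e.g. a cert rotated yesterday
    return "reject"


# Constructed fingerprints and notary names.
LEGIT, ROGUE, NEW = "fp-legit-0001", "fp-rogue-0002", "fp-renewed-0003"

STEADY = [
    Observation("notary-a", LEGIT, 41),
    Observation("notary-b", LEGIT, 39),
    Observation("notary-c", LEGIT, 40),
    Observation("notary-d", None),      # unreachable
]
JUST_ROTATED = [Observation(n, NEW, 0)
                for n in ("notary-a", "notary-b", "notary-c", "notary-d")]

if __name__ == "__main__":
    print(evaluate(LEGIT, False, STEADY))       # self-signed, corroborated
    print(evaluate(ROGUE, True, STEADY))        # CA-valid, seen only by us
    print(evaluate(ROGUE, False, STEADY))       # neither CA nor notaries agree
    print(evaluate(NEW, True, JUST_ROTATED))    # legitimate but too recent
```

The last case is the scheme's cost: a legitimate rotation looks uncorroborated until the notaries have seen it for `min_days`.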
    3. Re:Can we move on now? by Junta · · Score: 1

      The problem is not "centralized trust". The problem is a mix of x509 evolving but not mandating behavior (in the web context, CRL should be completely sunset and OCSP should be mandatory) and half-assing implementations today in the name of convenience (OCSP implementations are likely to ignore errors instead of failing validation, treating only an explicit 'invalid' as evidence of a problem). The root of the problem is a third party authority is used frequently without checking in with that authority. A system *more* distributed than x509 without changing any other characteristic would be trivial to suffer this sort of attack.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:Can we move on now? by Anonymous Coward · · Score: 0

      How about you figure out a good way to do that? You'll get a PhD out of it and probably become pretty famous in the crypto/infosec fields. Or, you could just bitch about it from your computer while you eat Cheetos.

    5. Re:Can we move on now? by guruevi · · Score: 1

      The idea of identity on the Internet does not work. People have to stop using SSL certificates as a form of identity. They're there to secure a transaction. There are plenty of other ways even with valid certificates to trick a client (or end-user) into trusting a host (slightly different domain name, unicode tricks, ...).

      If you want to confirm identity between two parties you have to use 2 and 3-way, multi-channel authentication in both ways. That is more expensive than the current user-password and even user>-image because anyone can retrieve those images after a username is entered.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  5. well managed self-signed certs are safer by YesIAmAScript · · Score: 3, Insightful

    At least you know how many and which certs were issued from an authority that you run yourself.

    The chain of trust is only as strong as the weakest link in the chain.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:well managed self-signed certs are safer by elsurexiste · · Score: 5, Interesting

      That may very well work for you or your organization. Not so much for third parties or the internet, which is the case here. I mean... would you trust a bank's homepage if it's self-signed?

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    2. Re:well managed self-signed certs are safer by Zerth · · Score: 4, Interesting

      If I could pick up the cert from a local branch or by taking a picture of a barcode on the screen of an ATM, probably.

    3. Re:well managed self-signed certs are safer by perlchild · · Score: 1

      It's not havoc, it's just more work.
      Just revoke all the "root" certs in current use, and you're back to the basic:
      VERIFY (once, and then once they expire) every trusted cert you use, and sign them with your own key.
      Others in this thread mention validating the keys offline, which, for your bank, might make a lot more sense than trusting a third party.

    4. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      Self Signed certs are fine to encrypt traffic so that a third party can't see what is transmitted between you and the WWW site, but it does nothing to prevent man in the middle attacks, or give me trust that the WWW site I am talking to is really who I think it is. There will always need to be some sort of centralized "trusted org".

      The problem is that Firefox now ships with more than 75 different "builtin trusted CAs" any one of which can sign a certificate for mybank.com. Combine that with the DNS poisoning attack that just affected ups.com and theregister.com, etc. and there is no security what-so-ever.

      The big question is how do I have 100% trust that the cert I have in my possession is really from mybank.com?

    5. Re:well managed self-signed certs are safer by GameboyRMH · · Score: 1

      The big question is how do I have 100% trust that the cert I have in my possession is really from mybank.com?

      A CA cert doesn't offer authentication either, when black hats and governments can issue themselves fraudulent certificates to impersonate those websites.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:well managed self-signed certs are safer by Dahamma · · Score: 1

      But that would basically limit all of your online transactions to businesses with a local office within driving range. Not many people are going to be willing to fly to Seattle just to get a cert to buy something online from Amazon...

    7. Re:well managed self-signed certs are safer by rtaylor · · Score: 2

      How does manual verification help the bulk of the population identify fake certs?

      --
      Rod Taylor
    8. Re:well managed self-signed certs are safer by YesIAmAScript · · Score: 1

      Then you talk to a bank agent over the phone and they read you the fingerprint of the self-signed cert. You verify it and if you believe this person works for the bank, you're done.

      The problems with the system have been not within PKI, but the verification of trustworthiness. As a part of fixing this, each of us may have to work a little bit harder in order to establish that we trust a certificate. In fact many would say it is the unwillingness to make this effort that led us to this mess.

      --
      http://lkml.org/lkml/2005/8/20/95
    9. Re:well managed self-signed certs are safer by grahammm · · Score: 1

      It would help if the browsers warned if a site sends a different certificate than the previous time(s) you visited the site. To handle certificate expiry, a certificate could also be accepted if it is signed by the one already held by the browser. That way if someone did set up a MITM attack, anyone who had previously visited the site would be warned that something may be amiss. For the 'popular' sites like Google, Facebook, Amazon etc. it is very likely that a large number of people would have the certificate prior to the setting up of the MITM and the alarm would be quickly raised.

    10. Re:well managed self-signed certs are safer by elsurexiste · · Score: 2

      I would rather say we rely on CAs to avoid the hassle. If I trust "X", and "X" says I can trust "Y", that should be enough. I think dropping the hierarchical scheme and adopting a distributed scheme is better than individual verification (most people don't understand what is good for them anyways).

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    11. Re:well managed self-signed certs are safer by plover · · Score: 2

      No, you don't need a centralized trusted org. That is the entire point between the "web of trust" of PGP. I sign my own key and rate it level 4. I sign the keys of my best friends, employer, and the banks where I do business and rate them a level 3. I sign the keys of retail stores where I'm a customer, and the keys of casual acquaintances level 2. I sign the keys of people I know only on the web and rate them no higher than level 1 or 0.

      Now, when you are trying to evaluate the key of www.shadybank.com, you can look at their signers. You can say "I see that my good buddy Fred signed your key, and I trust him at level 3, therefore I'll trust you to level 2." You can say "I see that four friends who all trust you at level 2 have signed your key, so I'll trust you at level 1" or even "I see that I have a dozen friends at level 2 all signed your key, so I'll also trust you at level 2." You could say "I trusted this site at level 0 for a transaction last year, and I've used them three times since and didn't get my ID stolen, so I'm going to bump them to a 1." Or you could even happen by the offices of ShadyBank, examine the framed key they have posted on the wall, and decide to bump your trust level to 3 anyway.

      The point is that you can establish your own criteria for figuring out whether or not you want to trust a third party. You assign levels of trust to people and organizations you trust. And you place your trust in those who you think deserve it. Today, you get whatever random crap the CAs sign. And you get all of the crappy CAs built into your browser, including diginotar, and who knows who else?

      I'm thinking I'd like a "web of trust" of CAs. I have no idea which ones to trust, and I'm not sure I trust the Mozilla Foundation or Microsoft or Google to pick the trustworthy ones. Instead, if I could have ratings from my friends saying "GoDaddy is a good CA, but Diginotar is crappy", I could use that.

      --
      John
    12. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      How would that work if I change CAs? My current certificate is signed by GoDaddy, and I get a new certificate from NetworkSolutions. The certificates are valid, they get installed properly, and your detector still says there's a problem because I changed CAs.

      Unless there's a field in the certificate that I don't know about that allows you to tie a replacement certificate to the one it's replacing.
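
The warn-on-change idea from grahammm's comment and the change-of-CA objection just above, as an added example that is not part of the thread: remembering a hash of the site's public key instead of the whole certificate lets a reissue by a different CA pass quietly as long as the key is kept, while a certificate carrying a different key still raises the alarm. Certificates are modelled as plain records; every name, issuer and key below is constructed, and grahammm's "signed by the certificate already held" rollover is not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    host: str
    issuer: str
    serial: int
    public_key: bytes  # stands in for the DER-encoded SubjectPublicKeyInfo

    def cert_fp(self) -> str:
        """Fingerprint over the whole certificate: changes on every reissue."""
        blob = f"{self.host}|{self.issuer}|{self.serial}|".encode() + self.public_key
        return hashlib.sha256(blob).hexdigest()

    def key_fp(self) -> str:
        """Fingerprint over the public key only: survives a change of CA."""
        return hashlib.sha256(self.public_key).hexdigest()


class PinStore:
    """Trust-on-first-use memory of what each host presented before."""

    def __init__(self, pin_on: str = "key"):
        if pin_on not in ("key", "cert"):
            raise ValueError("pin_on must be 'key' or 'cert'")
        self.pin_on = pin_on
        self.pins: Dict[str, str] = {}

    def check(self, cert: Cert) -> str:
        fp = cert.key_fp() if self.pin_on == "key" else cert.cert_fp()
        known = self.pins.get(cert.host)
        if known is None:
            # Nothing to compare against: the first visit is unprotected.
            self.pins[cert.host] = fp
            return "first-use"
        if known == fp:
            return "match"
        # Do not overwrite the pin: the user has to decide what happened.
        return "changed"


# Constructed data: same site key under two issuers, then a different key.
SITE_KEY = b"constructed-site-public-key"
OTHER_KEY = b"constructed-unrelated-public-key"
ORIGINAL = Cert("shop.example", "Example CA One", 1001, SITE_KEY)
REISSUED = Cert("shop.example", "Example CA Two", 77, SITE_KEY)
IMPOSTOR = Cert("shop.example", "Example CA Three", 5, OTHER_KEY)


def replay(pin_on: str) -> List[str]:
    """Visit the site three times and collect the verdicts."""
    store = PinStore(pin_on)
    return [store.check(c) for c in (ORIGINAL, REISSUED, IMPOSTOR)]


if __name__ == "__main__":
    print("pin on cert:", replay("cert"))
    print("pin on key: ", replay("key"))
```

A site that generates a new key pair on renewal still trips the key pin, which is the gap the signed-successor idea in grahammm's comment is meant to close.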

    13. Re:well managed self-signed certs are safer by Dahamma · · Score: 1

      if you believe this person works for the bank, you're done.

      Which still means there is plenty of room for social engineering/hacking. It's still about trust, and talking to someone on the phone doesn't change that.

      It's debatable whether this would result in better or worse security, but it's not debatable that the costs in time and money over the current system would skyrocket. Every company on the planet wanting to do online transactions needing customer service reps available any time someone wants to verify their certificates? And besides, 90% of Internet users don't understand and don't want to understand how it all works, anyway.

      It's the same sort of issue as with credit cards - the whole system is amazingly unsecure and prone to fraud, but the credit card companies don't have incentive to improve it because the reduced fraud that would result in a better system doesn't outweigh the costs (in development, as well as - more significantly - convenience to the customer, ie. extra revenue) involved.

    14. Re:well managed self-signed certs are safer by X.25 · · Score: 1

      That may very well work for you or your organization. Not so much for third parties or the internet, which is the case here. I mean... would you trust a bank's homepage if it's self-signed?

      Yes, I would.

      If a bank can safely keep my money, you don't think they can safely/securely deliver me their self-signed root certificate which I can import into the browser?

    15. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      but you can confirm the thumbprint over the phone with a real human you feel confident is not actually tapping your phone.

    16. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      They can be mailed with some assurance.

    17. Re:well managed self-signed certs are safer by Dahamma · · Score: 1

      Mailed? How is that secure at *all*? That would be the easiest way to forge something official-looking.

    18. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      If I could pick up the cert from a local branch or by taking a picture of a barcode on the screen of an ATM, probably.

      Not a terrible idea, but I would imagine a lot of the people using bank services over the Internet might be doing so because there isn't a branch nearby. Then, that would obviously work better for banks than most other businesses too.

    19. Re:well managed self-signed certs are safer by Dahamma · · Score: 1

      Part of my point - a company like Amazon is NOT going to hire operators to call 100 million+ customers. They'd much prefer an insecure system with occasional fraud.

    20. Re:well managed self-signed certs are safer by Anonymous Coward · · Score: 0

      I'd say that a chain of trust is even weaker. Weakest link is the upper bound though. I would think about the probability of deception, which will get close to certainty as we include a sufficient number of only partially trustworthy links. What this DigiNotar case implies is that increasing the number of chains that must remain intact will have similar consequences.

    21. Re:well managed self-signed certs are safer by Kjella · · Score: 1

      So how many people do you really trust to certify that your bank is really your bank? PGP is no better than the gullibility of the people signing and the security of the certificate and signing keys is no better than your average desktop. Revocations are a huge mess in a system with that many actors. What happens when one of those you've signed with level 3 has their certificate compromised? You're not likely to hear about it and even if you do you're not likely to get a revocation out there. And with people losing their keys all the time (backups? what backups?) there'll be a constant flow of new keys.

      Maybe it'd improve security for the 2% of the people who actually can, want and understand how to use it right. The other 98% would just put their trust in some organization to verify that hey, this is the real company. Just like most people expect the phone book to give the right phone number, they don't verify in a PGP web of trust that yes, that number really is their number. The tools have been there for ages now, but it's like scalpels have been there forever. It's not going to turn everyone into a surgeon.

      --
      Live today, because you never know what tomorrow brings
    22. Re:well managed self-signed certs are safer by TheLink · · Score: 1

      Given the crappy CAs (and banks[1] out there), it really makes no difference.

      The difference is with self-signed certs your vulnerability is the first time you connect to the bank's home page. And if you're paranoid you could try to connect to the bank's home page via different ISPs on different days. If they're the same over a few days and there's no "hacker pwns bank" news, things should be OK.

      Whereas with the current state of CA crappiness, your vulnerability is ANYTIME.

      The main reason why certs change is because there is artificial scarcity - the certs expire very regularly. So you get all these changes that make it hard for you to know whether something has gone wrong or not.

      Yes you can have stuff like Certificate Patrol telling you that the cert's CA has changed. But even then, how would you know if that's OK or not? I've had sites keep alternating certs with different CAs. And I've still had to email a bank to ask whether their cert was good or not (because the cert changed from a one site cert to a cert for multiple sites for multiple countries signed by a different CA - so how would you know whether it's OK or not? Just because other people have the same problem (Convergence's approach)?)

      Yes employees change companies, but do companies change/revoke their CA signed server certs the very moment "someone" changes jobs? So what's the big difference?

      If the certs rarely changed, and the banks stuck to their CA and got CAs to revoke their certs when "stuff happens", and browsers warned users if the cert changed for no good reason even if signed by a valid CA, then sure the CA method would be better than self-signed certs.

      But meanwhile self-signed certs could actually be safer in many scenarios.

      [1] Attackers could just hack the bank via social engineering or other means.

    23. Re:well managed self-signed certs are safer by Zerth · · Score: 1

      How did your ATM card reach you? Transmit the cert at the same time.

    24. Re:well managed self-signed certs are safer by Zerth · · Score: 1

      True, but the internet banks have some channel to deliver your account credentials to you initially. Piggybacking the cert delivery onto that method would be as secure as your account is. Which isn't necessarily very secure, but you've already trusted it, so why not the cert delivered at the same time.

    25. Re:well managed self-signed certs are safer by Dahamma · · Score: 1

      I shredded and threw away the papers that came with my ATM card years ago. Are you suggesting banks send out new ATM cards to everyone who wants a cert so it looks more official? And then do the same every time their cert is updated? That seems like a major strike against physical security as well as the "it just costs too much to implement" argument...

  6. shadow Internet by Gothmolly · · Score: 1

    Who really trusts any of the "free" sites like Google and Yahoo mail with anything secure? There's an entire separate network, of loosely coupled sites, often IP only, running on cable modems, etc where people can communicate - IRC, MUDs, private hosted sites, all with self-signed certs and the trustworthiness of the operators is all you have to go on. Think IP version of the original BBS days. It's all a cycle.

    --
    I want to delete my account but Slashdot doesn't allow it.
  7. Way past time... by Frosty+Piss · · Score: 1

    Time to drop DigiNotar from trusted cert list?

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Way past time... by maxume · · Score: 2

      Uh, it pretty much already happened.

      (That is, Microsoft, Google, Mozilla, etc., have dropped them, the various logistics are shaking out as we speak.)

      --
      Nerd rage is the funniest rage.
    2. Re:Way past time... by Anonymous Coward · · Score: 0

      Uh, it pretty much already happened.

      (That is, Microsoft, Google, Mozilla, etc., have dropped them, the various logistics are shaking out as we speak.)

      Is that true? I heard that they only blacklisted the 200+ specific certificates that were publicly known to have been breached.

    3. Re:Way past time... by Nick+Ives · · Score: 2

      I've just checked my certs in Chrome and DigiNotar isn't there. I've got the "check for server certificate revocation" option ticked, which I guess must be on by default.

      --
      Nick
    4. Re:Way past time... by Inda · · Score: 1

      I deleted mine a few days back, when we were all told to.

      Just checked FF6.0.1 and they're back. What's happened?

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    5. Re:Way past time... by pootypeople · · Score: 1

      I believe that's only for Vista+ -- XP would have to have a patch.

    6. Re:Way past time... by mzs · · Score: 1

      They are in the list so that you cannot allow them to do anything. Look at the properties, all the check boxes will be unticked, try to enable any one and then go back to that dialog, they will still be unticked. Also visit an https address that uses a DigiNotar cert and try to allow it, it will not let you.

    7. Re:Way past time... by Amarantine · · Score: 2

      Uh, it pretty much already happened.

      (That is, Microsoft, Google, Mozilla, etc., have dropped them, the various logistics are shaking out as we speak.)

      Except... in the Netherlands, where DigiNotar is operating from. The government has demanded Microsoft in the Netherlands to delay the rollout of this patch, because it would cause too many problems for users, and because they need more time themselves to get all certificates replaced.

      Dutch article about this, including a link to the preliminary report about DigiNotar, here: http://tweakers.net/nieuws/76587/overheid-dwingt-bij-microsoft-vertraagde-windows.html

    8. Re:Way past time... by maxume · · Score: 1

      I would file that under the various logistics shaking out. Especially since the Dutch government took over DigiNotar.

      --
      Nerd rage is the funniest rage.
  8. Can them! by simpleguy · · Score: 1

    There is no reason for this company to keep operating after such gross negligence. Any criminal liability here?

    1. Re:Can them! by Anonymous Coward · · Score: 0

      All browsers and the Dutch gov ditched them. They'll soon be bankrupt. Well deserved.

    2. Re:Can them! by plover · · Score: 1

      I'm concerned about Vasco, their parent company. They sell hardware and software authentication systems like DIGIPASS and IDENTIKEY, things that are used to protect bank accounts, transit systems, etc. Is there or could there be any cross pollination attack? Were DigiNotar certs used to sign any of the DIGIPASS hardware or software? Do any of the existing DIGIPASS solutions have the DigiNotar certificate baked into them?

      --
      John
  9. F-secure has a partial list by nweaver · · Score: 5, Informative

    It may not be complete, but, F-secure has a list of the ones created, including *.*.com, *.*.org, www.cia.gov, addons.mozilla.org, *.torproject.org, etc...

    --
    Test your net with Netalyzr
    1. Re:F-secure has a partial list by Anonymous Coward · · Score: 0

      Even more reason to nuke the Mushie bastards off the face of the planet

    2. Re:F-secure has a partial list by AVee · · Score: 3, Insightful

      I'm kind of perplexed by the *.*.com certificate, is there any use in having such a cert? Realistically there is no (legitimate) reason for such a certificate to exist. Is there any software around that will actually accept certificates which are that broad? I mean, if there ever is a clear giveaway for a MITM attack it would be a certificate like that.

    3. Re:F-secure has a partial list by Jeremy+Erwin · · Score: 2

      There may be an add-on for Mozilla that supports wildcard certificates. And since addons.mozilla.org is associated with an alternative certificate, well...

    4. Re:F-secure has a partial list by rtfa-troll · · Score: 2

      including *.*.com, *.*.org, www.cia.gov, addons.mozilla.org, *.torproject.org, etc...

      err.. forget all those. There's only one you need to know: www.update.microsoft.com

      Ownage.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    5. Re:F-secure has a partial list by Anonymous Coward · · Score: 0

      You don't need a list of domains, just invalidate the compromised root certificates. Because there are so many roots, this shouldn't affect more than a small portion of the Internet.

    6. Re:F-secure has a partial list by BZ · · Score: 1

      > Is there any software around that will actually accept
      > certificates which are that broad?

      There has been in the past; those were considered bugs and fixed. But maybe some users are still running 6-year-old web browsers.
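
An added example, not part of any comment above: the question of whether software accepts a name like `*.*.com` comes down to the wildcard rules a verifier applies. This Python sketch applies the conservative rules from RFC 6125 section 6.4.3 (wildcard only as the whole left-most label, matching exactly one label); the "at least three labels" rule is a simplifying assumption standing in for a public-suffix check, and the function names are hypothetical.

```python
"""Strict wildcard matching for certificate DNS names (added example)."""
import ipaddress

# Names quoted in the thread above, used here only as audit input.
NAMES_FROM_THREAD = ["*.*.com", "*.*.org", "www.cia.gov",
                     "addons.mozilla.org", "*.torproject.org"]


def _labels(name):
    """Normalise case and a trailing root dot, then split into DNS labels."""
    return name.rstrip(".").lower().split(".")


def pattern_problem(pattern):
    """Return None if a certificate name is acceptable, else the reason it is not."""
    labels = _labels(pattern)
    if any(label == "" for label in labels):
        return "empty label"
    if any("*" in label for label in labels[1:]):
        return "wildcard outside the left-most label"
    if "*" not in labels[0]:
        return None                      # plain host name, nothing to police
    if labels[0] != "*":
        return "partial-label wildcard"  # e.g. f*.example.com, rejected here
    if len(labels) < 3:
        # Assumption: stands in for a real public-suffix lookup.
        return "wildcard directly under a top-level domain"
    return None


def name_matches(pattern, hostname):
    """True only if hostname is covered by pattern under the strict rules."""
    if pattern_problem(pattern) is not None or "*" in hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return False                     # IP literals never match DNS names
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or any(label == "" for label in h):
        return False                     # a wildcard covers exactly one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def audit(names):
    """Map each over-broad or malformed name in an inventory to its reason."""
    return {n: pattern_problem(n) for n in names if pattern_problem(n)}


if __name__ == "__main__":
    for name, reason in audit(NAMES_FROM_THREAD).items():
        print(f"{name}: {reason}")
```

Run over a certificate inventory or a CA's issuance log, `audit` flags the nested-wildcard names, while `*.torproject.org` passes the syntax check and can only be caught by knowing who was entitled to request it.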

  10. Consider me naive... by Anonymous Coward · · Score: 0

    I would like to think the CIA, MI6, Mossad certificates being rogue isn't that big of a deal. *Surely* such organizations don't rely on 3rd party certificate creation for anything other than their public facing data (web sites only).

    The commercial certificate issue is quite worrisome however.

    1. Re:Consider me naive... by anglico · · Score: 2

      According to this article:
      "Actually I think the secret service domains are the least alarming part. It's sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there's really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nil. It's really just very embarrassing, that's all," said Soghoian in an interview with Webwereld.

    2. Re:Consider me naive... by Mateorabi · · Score: 1
      --
      "You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8

  11. But its NOT centralized trust... by nweaver · · Score: 4, Interesting

    The root of the problem (pun intended) is NOT that the SSL/TLS certificate hierarchy is a centralized trust, but that there are hundreds of roots of trust, any one of which may be compromised, and all of which are considered equally valid by the browser.

    Who outside of the Netherlands even heard about DigiNotar before this happened?

    This is why some people like the idea of using DNSSEC for distributing key material: there exists only a single valid path of trust to a single root for a key associated with any given name: it's actually more centralized than SSL/TLS, which is what is desired.

    --
    Test your net with Netalyzr
    1. Re:But its NOT centralized trust... by mellon · · Score: 3, Interesting

      The trouble with this is that it makes the root cert *insanely* valuable if we start using it in the way you describe. As a practical matter, there needs to be some additional system in place to provide a backstop for the root, so that merely compromising the root is not enough to successfully spoof every domain. DNSSEC + SSL CA is actually not a bad idea. But I am really worried about the push to use DNSSEC as the new single point of failure.

    2. Re:But its NOT centralized trust... by Sancho · · Score: 3, Interesting

      it's actually more centralized than SSL/TLS, which is what is desired

      Centralization only works if you place a high amount of trust in the central organization. Do you trust ICANN? Do you trust .us? .ir? .uk?

      The CA system is only broken because there are weak links. The client trusts 200 CAs, and any one of them can sign for any domain. But what if we required 2 CAs to agree? 5? 10? It would be up to the admins of the server to decide how many CAs they wanted to use, and users could decide for themselves how many are required to agree in order to consider the cert valid.

      Moxie Marlinspike has some other ideas that sound pretty neat. Unfortunately, at first glance, his techniques seem to also rely on SSL, creating a chicken-and-egg problem. I may have been misunderstanding him, though.

    3. Re:But its NOT centralized trust... by Anonymous Coward · · Score: 0

      ROOT only signs top level domains. Like .COM, .NET and country level domains. There is actually very little need for root cert to be anything remotely connected to anything.

      It would be much simpler to hijack .COM or another top level domain in DNSSEC scenario than the ROOT. But then a new .COM could be generated and every registrar would re-issue. Actually, key rollovers are something that's been thought up as very important part of DNSSEC, while many CA roots have keys that do not expire for decades.

    4. Re:But its NOT centralized trust... by Anonymous Coward · · Score: 0

      How about instead of re-centralizing, we decentralize more.
      Right now, trust originates with the user, flows to the OS or browser maker that specifies their trusted CAs, and from there is multiplied out to hundreds of certificate authorities. So we have hundreds of single parties that can break the whole system.

      Instead of multiplying the trust and distributing it to each of them, we should divide the trust and distribute it over all of them. So, in order to be trusted, a site must have certificates from some significant fraction of the CA's trusted by a given piece of software. That way we'd still have hundreds of parties, but none of them could break the system without conspiring with many others.

      All the infrastructure is already there, browser makers just need to start displaying the fraction of CAs a site has certificates from in some obscure corner of the UI and warn sites that that obscure number will turn into a big yellow pop-over warning in x months so that they can get their additional certificates in order.

    5. Re:But its NOT centralized trust... by AlXtreme · · Score: 2

      But what if we required 2 CAs to agree? 5? 10? It would be up to the admins of the server to decide how many CAs they wanted to use, and users could decide for themselves how many are required to agree in order to consider the cert valid.

      Interesting, but all that would do is spur companies to automatically obtain multiple certificates from multiple CAs. If such a system were compromised we'd be in the same situation as now.

      Perhaps both avenues are required: Each CA may only service one tld (so a compromise at a .nl CA would not put Iranians at risk via bogus .com certificates, partitioning the trust each CA can give) and extra security by having certificates signed by multiple CAs. You could even imagine browsers expanding their current flawed color-coding: 2 CAs = yellow, 5 = half-green/half-yellow, 10 = full-green.

      But even then the skeptic in me knows that the DigiNotars of such a system will still be able to screw it up...

      --
      This sig is intentionally left blank
    6. Re:But its NOT centralized trust... by Sancho · · Score: 1

      Good additions/modifications to the idea.

    7. Re:But its NOT centralized trust... by Anonymous Coward · · Score: 1

      ...Who outside of the Netherlands even heard about DigiNotar before this happened?...

      I'm Dutch. I never heard of them before this event. Though, now they went from being one of the many unknown (to the general public) service companies to being a very well known and very badly managed company.

    8. Re:But its NOT centralized trust... by Junta · · Score: 1

      Interesting, but all that would do is spur companies to automatically obtain multiple certificates from multiple CAs. If such a system were compromised we'd be in the same situation as now.

      Uhh, no, a single CA being compromised would be meaningless, you'd have to compromise as many authorities as is required to trust a cert, and do so within a time period short enough to avoid at least one of those being revoked/removed from browsers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re:But its NOT centralized trust... by Junta · · Score: 2

      : it's actually more centralized than SSL/TLS, which is what is desired.

      The key is not the centralization or de-centralization (though a system without well-defined roots of trust or in which the end-user is responsible for tracking the validity of the roots of trust would be bad). The issue at hand is DNSSEC has no concept of validation beyond DNS cache lifetimes. If an authority key is compromised, then you push out your fixed keys and the threat ages out of the system in relatively short order. 100% OCSP with unforgiving clients would be the most trivial fix to this mess. If you think that can't be accomplished, then DNSSEC is certainly never going to pan out as the same people not doing it right with x509 today aren't going to do it right with DNSSEC either. DNSSEC is only promising now because it is not ubiquitous. The people doing it are intrinsically interested in security and therefore no one is yet watering down the security for various 'practical' concerns.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    10. Re:But its NOT centralized trust... by incense · · Score: 1

      The root of the problem (pun intended) is NOT that the SSL/TLS certificate hierarchy is a centralized trust, but that there are hundreds of roots of trust, any one of which may be compromised,

      The problem is the consequences when a centralized trust is broken. In principle, the number of roots does not matter (even if in real life, it makes it easier to find a viable attack route), because the root of the evil is that it will suffice to break a single point.

      A proper design would make sure that even in the case of successful hackers, rogue employees, silent break-and-entry by foreign intelligence agencies or hostile government take-overs, the consequences would not be dire.

      This is why some people like the idea of using DNSSEC for distributing key material: there exists only a single valid path of trust to a single root for a key associated with any given name: it's actually more centralized than SSL/TLS, which is what is desired.

      Even though based on false premises (IMHO), your conclusion is intriguing. Would you kindly explain which threats DNSSEC will remove?

      --
      testing 1 2 3
    11. Re:But its NOT centralized trust... by parlancex · · Score: 1

      A better idea might be to segregate trust based on jurisdiction. We need to do away with the generic TLDs (.com, .net, .org, etc.) and use a national CA system in which a CA is only trusted for its associated national TLD. Just a thought.

    12. Re:But its NOT centralized trust... by Lennie · · Score: 1

      The current protocols, OCSP and CRL, don't even help to solve the CA-compromise problem.

      They don't even work properly to revoke just one certificate.

      There is a lot that needs to change and it needs to be backward compatible enough that a transition can be made.

      Which doesn't make it an easy task.

      But if you have a multi-CA system, you have to have a secure way to signal the browser or other application how many that should be. How will you do that?

      What if you have a website with 4 CAs, would that be good enough? What if you visit that site a day later and it only has 3 valid CAs. Would that still be enough?

      Do we want to give more money to more CAs?

      Lots of questions.

      --
      New things are always on the horizon
    13. Re:But its NOT centralized trust... by mellon · · Score: 1

      The trick to hijacking a TLD is to do it without being detected. If you can pull that off, you have something extremely valuable. If you can't, what you have is still useful, but only to a limited degree. But that degree is only limited to the extent that certificate checkers do their jobs correctly, and don't have polluted caches, or have access to good data. If you can hijack the root, and everybody's bank account security depends on the root, then you can do a lot of damage before you're detected. You've seen Battlestar Galactica (reimagined), right? It's like that. You're creating a single key that gives the Cylons access to your entire defense grid.

  12. Draw the consequences by jeti · · Score: 2, Insightful

    You can't trust the root CAs. The whole infrastructure is broken and needs to be replaced with something else.

    For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed. And browsers shouldn't go into full panic mode over self-signed certs. They're still safer than using an unencrypted connection.

    1. Re:Draw the consequences by mellon · · Score: 2

      YES. User interface is at least as important as tech in security: if you have a bad UI, it doesn't matter how secure the infrastructure is, because people will use the bad UI to bypass it.

      There are some problems with self-signed certs, but they can be addressed by a better UI. You don't want users to get into the habit of clicking through self-signed certs. But an intelligently thought-out security model here would be a huge win, because as you say, self-signed certs do add value, particularly in a world where HTTP authentication sends passwords in the clear (or effectively in the clear, depending on which model you use).

    2. Re:Draw the consequences by xororand · · Score: 3, Informative

      For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed.

      Certificate Patrol for Firefox.
      "This add-on reveals when certificates are updated, so you can ensure it was a legitimate change."
      The UI is good too. Certificate Patrol, along with NoScript and Cookie Monster, is a major reason to use Firefox.

      X.509 handling is largely neglected by UI designers, not just in web browsers.
      Sometimes clients actually have options like "[x] Accept all certificates".
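
An added example, not part of any comment above and not Certificate Patrol's code: a trust-on-first-use change detector of the kind the posts on certificate-change warnings (here and in the self-signed-cert thread) describe. It tells a routine renewal from an issuer change or an early replacement, and keeps several accepted certificates per host so that sites alternating between certs stop alerting once confirmed. The host name, issuer names, certificate bytes and the 30-day renewal window are constructed assumptions.

```python
"""Trust-on-first-use certificate change detector (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a replacement this close to the old expiry is a routine renewal.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Seen:
    fingerprint: str      # SHA-256 over the certificate's DER encoding
    issuer: str           # issuer distinguished name as a string
    not_after: datetime   # expiry date of that certificate


class PinStore:
    def __init__(self):
        self._accepted = {}   # host -> list of Seen, most recently accepted last
        self._pending = {}    # host -> Seen waiting for an out-of-band check

    def observe(self, host, der, issuer, not_after, now):
        """Classify the certificate a host presented.

        `der` is the raw certificate, e.g. what
        ssl.SSLSocket.getpeercert(binary_form=True) returns.
        """
        new = Seen(hashlib.sha256(der).hexdigest(), issuer, not_after)
        known = self._accepted.setdefault(host, [])
        if not known:
            known.append(new)            # the one moment TOFU is exposed
            return "first-seen"
        if any(s.fingerprint == new.fingerprint for s in known):
            return "known"
        latest = known[-1]
        if new.issuer not in {s.issuer for s in known}:
            verdict = "issuer-changed"   # signed, but by a CA never seen here
        elif latest.not_after - now > RENEWAL_WINDOW:
            verdict = "early-replacement"
        else:
            known.append(new)            # same CA, old cert about to expire
            return "renewal"
        self._pending[host] = new        # keep warning until confirmed
        return verdict

    def accept(self, host):
        """Pin the pending certificate after the user verified it out of band."""
        pending = self._pending.pop(host, None)
        if pending is None:
            return False
        self._accepted[host].append(pending)
        return True


def demo():
    """Replay a constructed history for one host and return the verdicts."""
    store, host, d = PinStore(), "bank.example", datetime
    ca1, ca2 = "CN=Example CA 1", "CN=Example CA 2"
    out = [
        store.observe(host, b"cert-A", ca1, d(2012, 3, 1), d(2011, 9, 1)),
        store.observe(host, b"cert-A", ca1, d(2012, 3, 1), d(2011, 9, 2)),
        store.observe(host, b"cert-B", ca2, d(2012, 9, 1), d(2011, 9, 3)),
        store.observe(host, b"cert-B", ca2, d(2012, 9, 1), d(2011, 9, 4)),
    ]
    store.accept(host)                   # user phoned the bank, cert-B is fine
    out += [
        store.observe(host, b"cert-B", ca2, d(2012, 9, 1), d(2011, 9, 5)),
        store.observe(host, b"cert-A", ca1, d(2012, 3, 1), d(2011, 9, 6)),
        store.observe(host, b"cert-C", ca2, d(2013, 9, 1), d(2011, 9, 7)),
        store.observe(host, b"cert-D", ca2, d(2013, 8, 20), d(2012, 8, 20)),
    ]
    return out


if __name__ == "__main__":
    print(demo())
```

A rogue certificate from a second CA lands in the `issuer-changed` bucket even though it chains to a trusted root, which is the case the CA system alone does not surface.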

    3. Re:Draw the consequences by Anonymous Coward · · Score: 0

      > And browsers shouldn't go into full panic mode over self-signed certs. They're still safer than using an unencrypted connection.

      No they aren't.

      Encryption without authentication simply means that you are able to communicate securely with your attacker.

      MitM isn't some theoretical attack solely of interest to cryptographers. It's by far the most likely form of real-world attack against data in transit.

    4. Re:Draw the consequences by X.25 · · Score: 1

      For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed. And browsers shouldn't go into full panic mode over self-signed certs. They're still safer than using an unencrypted connection.

      I wonder how many more years it will take until people start realizing that self-signed certs are MUCH safer.

      Sigh.

    5. Re:Draw the consequences by nedlohs · · Score: 1

      You can perform a MitM attack against an unencrypted connection just as easily - so nothing has changed there.

      You can snoop an unencrypted connection without being a MitM but you can't do so on an encrypted connection. Hence clearly the self-signed cert is safer than an unencrypted connection.

      Clearly safer - the attacks against it are a subset of the attacks on an unencrypted connection - it removes some vectors without adding any new ones.

    6. Re:Draw the consequences by AtomicJake · · Score: 1

      Absolutely true.

      We should have a hierarchy of different levels of trust. E.g. if my bank trusts a CA for credit card payments, I should be able to see in my browser that a secure Web site for payments is trusted by the payment trust chain. I will trust this site, because my bank trusted it (and will reimburse me, if the trust was not merited).
      For emails, e.g. I only trust my two email providers, and I got their certs pushed to my mobile phone for enhanced security.
      Etc.

      The whole "One CA is trusted for everything" is insane.

    7. Re:Draw the consequences by Vegemeister · · Score: 1

      The most likely real world attack against data in transit is passive listening. MitM attacks are far more expensive.

  13. time to fix it. by markhahn · · Score: 1

    the SSL industry is a nasty piece of work - typical extort-what-the-market-will-bear flavor of non-equilibrium capitalism.

    all DNS should be PK-signed and encrypted, and SSL should just use pubkeys found in DNS. a domain owner should be able to establish their own keys, signed by the domain key (which is in turn signed by their registrar as part of registration.)

    1. Re:time to fix it. by fuzzyfuzzyfungus · · Score: 1

      Trouble is, what semblance of decency the CAs possess is preserved largely because of the fact that there are so many, more or less completely interchangeable, competitors out there. As long as you don't want some gold-embossed-hologram-edition Verisign EV cert, you can always find some shoddy CA who is far more user-friendly than security would desire.

      The registrars, by contrast, are no less sleazy; but the more you reduce their interchangeability, in the pursuit of security, the less incentive they have to even pretend to care about dealing pleasantly with customers.

    2. Re:time to fix it. by Billly+Gates · · Score: 1

      SecureDNS has been in the RFC stage for a while. But guess who is in charge of the DNS servers? The American government. If they became a CA as well they would have immense powers that other countries would not like.

      Also DNS cache poisoning attacks could put in fake CA and fingerprints redirecting users to fake bank sites and things of that nature. True you can do that today and man in the middle attacks have been done successfully before but a CA is used as a weapon against this. I remember 6 to 8 years ago that one site with the correct URL would look funny. I would do a IPconfig /renew all and then the correct site showed up for the url! Most ISPs have better security but still that is an issue that a CA can help with. Now it is one source and would get a fake CA on top of that.

    3. Re:time to fix it. by Kalriath · · Score: 1

      The US government only controls the root zone, . (yes, fullstop). ICANN operates them under contract. com, and net are controlled by Verisign, org is controlled by some other lot - Public Domain Registry or something. I've yet to encounter a DNS server which actually queries the root zone regularly, and I've certainly never seen one query the root zone for anything other than a referral to the corresponding TLD's zone.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  14. Extended validation certificates by sakdoctor · · Score: 2

    Extended validation certificates were definitely a step in the right direction, with a pretty green favicon background.
    But that wasn't enough. So we went to Ultra-yotta-analprobed-extented-validated-certificates with a plaid favicon background, thus fixing the problem forever.

  15. Facebook by royallthefourth · · Score: 1

    Joke's on them since Facebook still doesn't support SSL!

    1. Re:Facebook by mellon · · Score: 2

      Yeah it does. Go look at your account settings again. I've been using SSL on facebook for several months now.

  16. Why is Mossad listed together with CIA and MI6?! by Anonymous Coward · · Score: 0

    Why is Mossad listed together with CIA, and MI6?!

    What is the cultural connection, today?!

    For CIA, I can see the NYC connection... ;)

    There is NO apparent connection between The United Kingdom and today's Israel, beyond courtesy.

    Why does this undercover crap even exist?!

    It surely cannot be in the interest of Britons, can it, seriously? The Murdochs? Well, the daughter is still in charge of her business, the old man, and the son... Oh, nothing happened! So, there is an apparent connection between The United Kingdom and today's Israel, beyond courtesy. Sad day, again.

  17. ..and now you know: by kheldan · · Score: 1

    ..that the Mossad has a website on the public Internet.

    Couldn't find Ziva's picture, though; I'm SO disappointed!

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:..and now you know: by Anonymous Coward · · Score: 0

      ..that the Mossad has a website on the public Internet.

      Couldn't find Ziva's picture, though; I'm SO disappointed!

      Agreed. A sad day indeed when Israel's intelligence agency (Mossad) fails to post a photograph of their single greatest asset in the Western World. Heck, she managed to openly infiltrate a US government intelligence agency (NCIS) and even become a US citizen while having a father as the head of Mossad. Damn, where is my photograph of Ziva Davide.

  18. capitalism isn't the answer by YesIAmAScript · · Score: 2

    This is capitalism. DigiNotar screws up so they won't be able to charge money anymore.

    What you've described is exactly what we have right now except for the pubkeys in DNS part.

    A domain owner does establish their own keys, you generate a key pair and send it to the registrar to be signed.

    The problem right now isn't lack of capitalism. It isn't that you can't establish your own key.

    The problem is that there are 150 registrars you might trust to certify a site. One of them is valid and the other 149 are just opportunities to get fooled by bogus certs. And the system doesn't even try to make it easier to figure out which is which.

    --
    http://lkml.org/lkml/2005/8/20/95
  19. Trust noone by udachny · · Score: 1

    You cannot trust a single point of failure to handle security. Trust cannot be assigned; it must be earned. If we are to move forward, we must admit past mistakes. Self-signed certificates + distributed verification system. Who can be against more security but those who stand to lose if more security is implemented?

    1. Re:Trust noone by GameboyRMH · · Score: 1

      This. We need to get distributed verification systems into all the mainstream browsers. Once the popular free browsers have it the commercial browsers will follow suit so they don't lag too far behind. Then we can transition from CA certs to self-signed certs. The CAs only had their good industry record to stand on and now that's gone, there's no possible reason to stay with them.

      Sound crazy? HTTPS as we know it today started as a feature some dude tossed into Netscape Navigator.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  20. Spy agencies by Billly+Gates · · Score: 1

    My guess is this is not a hacker out to steal credit cards, but rather a foreign government like North Korea, China, or even Israel if they are targeting such sites.

    North Korea in particular is known to steal money too with World of Warcraft gold scams to give money back to Kim Jong Il. Facebook and Twitter targeting also indicate spying. China would have a keen interest in this.

    Either way this is dangerous and could have been going on for awhile. I agree we need some sort of key pair trusted relationship that is more secure. A CA won't work and my fear is the government (American) would love to be this new authority for a secure DNS-like system.

  21. Re:Why is Mossad listed together with CIA and MI6? by fuzzyfuzzyfungus · · Score: 1

    Umm... because they are all clandestine entities that Iran has togetherness problems with?

  22. Here we go again by Mensa+Babe · · Score: 1

    I have written many times about it (here and here in just the last week) and usually my messages get ignored for some reason but the point is that it shouldn't be surprising at all that intelligence agencies are using false certificates just like I am not surprised that they are using false passports. This is the way such agencies work. They have been doing this since the Gutenberg and there is no reason they should stop now. If you don't like it then just use hard-coded certificates for the most important sites that you use and get over it.

    --
    Karma: Positive (probably because of superiour intellect)
    1. Re:Here we go again by Kagura · · Score: 1

      I believe the CIA, Mossad, MI6, etc. are ALL using fraudulent SSL certs when they require it. However, there is no proof that these specific organizations are involved in the Diginotar mess. It's not good to throw around speculated information like it's the truth.

  23. Vasco is scared shitless and rightfully so by Anonymous Coward · · Score: 2, Interesting

    See this statement:
    http://www.4-traders.com/VASCO-DATA-SEC-USD-11275/news/VASCO-DATA-SEC-USD-VASCO-DigiNotar-Statement-13782237/

    1. Re:Vasco is scared shitless and rightfully so by Anonymous Coward · · Score: 0

      Why do they only talk about their own revenue and do not even mention the lives they have put in danger?
      They even issued a release saying they want to work with the Dutch government to restore the trust in their organisation...

      Forget it! Diginotar is gone, finished. The best Vasco can do is quickly close it before it becomes too widely associated with this mess.

    2. Re:Vasco is scared shitless and rightfully so by fatphil · · Score: 1

      DigiNotar may only be 2% of Vasco's revenue, but it looks like July 19th was responsible for 50% of the perceived value of the shares. For magically making that value disappear, of course:
      http://uk.finance.yahoo.com/q/bc?s=VDSI&t=3m&l=on&z=l&q=l&c=

      --
      Also FatPhil on SoylentNews, id 863
  24. Security and convenience by Anonymous Coward · · Score: 0

    Security, in any shape or form, never has been and never will be about user convenience. Simple logic and some reading is all it takes. You don't need a computer science degree to figure that one out.

    1. Re:Security and convenience by JamesTRexx · · Score: 1

      And this is why I feel Diginotar should be red with shame.
      Missing virus scanners on servers, easy passwords, unpatched software. There's no way in hell I'd let such negligence take place in a company responsible for such an important piece of security.
      Why hasn't the CSO been frothing at his mouth with anger at this?

      --
      home
  25. I love it ! by ianare · · Score: 1

    We're finally living in the future : "Iranian cyber-agents have compromised the secure communications link of Western Powers, partly as an effort to monitor activities of their own cyber-citizens and also as retaliation for an earlier Trojan horse computer virus attack which destroyed Iranian nuclear processing equipment".

    Flying cars and Linux on the desktop anytime now !

    1. Re:I love it ! by Anonymous Coward · · Score: 0

      Don't be unreasonable, Linux on the Desktop is at least 10 years out.

  26. Presumably the CIA, NSA, et al generate own certs? by kfogel · · Score: 1

    Presumably the Three Letter Agencies generate their own cert chains themselves, and employees manually confirm the fingerprints and tell their browsers to trust those custom certs? In other words, their internal sensitive data shouldn't be at risk of exposure due to the DigiNotar problems, because they'd be crazy to depend on a cert root that they didn't generate anyway. I can see how this whole fiasco might make a difference for some non-employee accessing a CIA (or whichever) web site, but other than that, it shouldn't be significant for the TLAs... right?

    -Karl Fogel

    --
    http://www.red-bean.com/kfogel
  27. The Mossad's web site is unclassified by HonestButCurious · · Score: 1

    It's just a front end for their recruiting staff. They post wanted ads there - and then advertise the same ads in Israeli newspapers.

    1. Re:The Mossad's web site is unclassified by PPH · · Score: 1

      So when somebody applies for a job at Mossad, there's a chance that they went in through a phony site that collects their identities before directing them to the legit job listings. The operators of that phony site now have a list of potential employees.

      --
      Have gnu, will travel.
  28. (De)Centralization isn't the problem by ilsaloving · · Score: 1

    How centralized/decentralized the system is, isn't the problem. The problem is the lack of verification. Every one of the issuers is trusted to operate independently, with no oversight or validation. What boggles my mind is that they are even able to issue certificates for domains that have already had certificates issued by someone else.

    I'm not surprised that an issuer got hacked. The only unhackable computer is one that is shut off and physically disconnected from the electrical outlet (you can't trust PDUs either, after all...). What does surprise me is that there is no peer review mechanism in place.

  29. Joke's on you by Anonymous Coward · · Score: 0

    Joke's on you. Not only have you missed a slashdot article or two on the subject, but you also failed to discover it through simpler means.

  30. First investigation report now public by Anonymous Coward · · Score: 0

    Published on Dutch government website: http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/fox-it-operation-black-tulip/rapport-fox-it-operation-black-tulip-v1-0.pdf

  31. Re:Presumably the CIA, NSA, et al generate own cer by rtfa-troll · · Score: 2

    The Three Letter Agencies generate their own cert chains themselves (except those outsourced by the Shiva program), and employees used to manually confirm the fingerprints and tell their browsers to trust those custom certs plus those of their Sri Lankan support agency; Chinese contractors and another 5375 certificates from old contracts that nobody can remember which ones matter any more? In other words, their internal sensitive data shouldn't be at greater than commercially acceptable risk of exposure due to the DigiNotar problems, because they'd have been crazy to depend on a cert root that they didn't generate in the days when they could afford to spend time defending the USA and not just chasing down evil anti-globalisation and other protesters anyway whilst having to spend hours a day listening to whining from prisoners they're torturing. I can see how this whole fiasco might make a difference for some non-employee accessing a CIA (or whichever) web site, but other than that, it shouldn't be significant for the TLAs senior management... right?

    -Karl Fogel

    FTFY. Sorry about the loss of conciseness.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  32. that needs to be a slashdot story by decora · · Score: 1

    ... I'm trying to google around a little bit to write one, but I'm frankly exhausted.

  33. Alternatives by autocracy · · Score: 3, Informative

    There has been a lot of push at the recent DEFCON conferences, and associated conversation since, to look at alternatives to the current CA system. Moxie Marlinspike has been pushing a remote-view notary system called which is currently a Firefox plug, and Dan Kaminsky has been pushing for DNSSEC.

    There has been an awful lot of discussion about the technical details of SSL certificates on the Security StackExchange (Stack Overflow cousin) website, including the related blog post I penned: A Risk-Based Look at Fixing the Certificate Authority Problem.

    --
    SIG: HUP
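The remote-view notary idea raised in the comment above (and the "distributed verification" asked for earlier in the thread), as an added sketch that is not part of the original comments and not the code of any notary project: a client accepts a certificate only if enough independent vantage points were served the same one. The notary names, the quorum of 2 and the certificate byte strings are constructed; a real client would hash the DER certificate taken from the TLS handshake.

```python
import hashlib
from collections import Counter

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()

def notary_check(seen_der, notary_views, quorum):
    """Compare the certificate this client was served with what notaries saw.

    notary_views maps a notary name to the DER bytes that notary was served
    for the same host, or None if the notary did not answer.
    Returns "accept", "mismatch" or "no-quorum".
    """
    seen = fingerprint(seen_der)
    votes = Counter(fingerprint(d) for d in notary_views.values() if d is not None)
    if sum(votes.values()) < quorum:
        return "no-quorum"   # too few answers: fail closed, do not guess
    if votes[seen] >= quorum:
        return "accept"      # enough independent vantage points agree
    return "mismatch"        # CA-valid or not, others were served a different cert

# Constructed stand-ins for DER certificates (not real X.509 data).
REAL = b"constructed: www.example.org, issued by CA-A"
ROGUE = b"constructed: www.example.org, issued by compromised CA-B"
RENEWED = b"constructed: www.example.org, renewed, issued by CA-A"

def demo():
    steady = {"notary-1": REAL, "notary-2": REAL, "notary-3": REAL}
    # After a legitimate renewal one notary still holds a cached older view.
    after_renewal = {"notary-1": RENEWED, "notary-2": RENEWED, "notary-3": REAL}
    outage = {"notary-1": REAL, "notary-2": None, "notary-3": None}
    return {
        "normal": notary_check(REAL, steady, quorum=2),
        "local_mitm": notary_check(ROGUE, steady, quorum=2),
        "renewal": notary_check(RENEWED, after_renewal, quorum=2),
        "outage": notary_check(REAL, outage, quorum=2),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} {verdict}")
```

The check catches a rogue certificate served only on the client's network path, even when it chains to a trusted CA. It does not catch an interception placed close to the server, where every notary is served the same rogue certificate.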
  34. Diginotar's responses: irritating by AaronLawrence · · Score: 1

    On Diginotar's site you can barely tell anything happened, except for a small "security incident" press release.
    They are still trying to minimise it when it seems likely the whole company will be shut down for complete failure.
    Cowards.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:Diginotar's responses: irritating by Anonymous Coward · · Score: 0

      The problem is for all of the truly innocent companies that have certificates issued by DigiNotar.

      Is it feasible to get a certificate for www.thisexample.org issued by multiple CAs?

      If I generate 4 CSRs for www.thisexample.org and send each of them to a different CA to be signed, will I end up with 4 equivalent certificates that differ only in the certificate chain?

      If I then pick one to use, and that CA then gets hacked, I can simply install a different CA's certificate and continue operations and let the certificate signed by the offending CA.

      Yes, it increases my cost by a factor of 4, but would keep me online even if three of the CAs were removed from all browsers.

      Unfortunately, this only works properly if all browsers verify all certificate chains all of the time.

  35. Certificates try to solve 2 issues. by spudgun · · Score: 1

    Certificates serve two purposes:
    1. 2 Way Encryption. (Security)
    2. Verifying the Site's (Identity).

    Microsoft and Mozilla's Brain dead Idea of putting HUGE warnings up for "Self Signed Certificates" means that people cannot just choose security. IMHO a certificate's primary use.

    By using "Authority" signed Certificates people are "Trusting" someone else to secure their data. - and paying a large(ish) sum of money for this service.

    I would Prefer if every site had a self signed certificate. and a Separate name verification. - which did not require my stupid browser to click on BIG WARNING MESSAGES. before getting to the site.

    --
    Type unto others as you would have them type unto you.
    1. Re:Certificates try to solve 2 issues. by pantaril · · Score: 1

      The fun part is, Firefox displays a huge security warning for my self-signed certificate, but displays just a little red cross in the URL bar for websites using a certificate signed by DigiNotar (see https://loket.amsterdam.nl/ for yourself), which I explicitly removed from the list of trusted authorities.

    2. Re:Certificates try to solve 2 issues. by heypete · · Score: 1

      The red "x" is the site's favicon, not an SSL indicator.

    3. Re:Certificates try to solve 2 issues. by heypete · · Score: 1

      Microsoft and Mozilla's Brain dead Idea of putting HUGE warnings up for "Self Signed Certificates" means that people cannot just choose security

      And "security" is meaningless if one is connecting to a MITM with a self-signed cert. That's why CAs (or other validation schemes) exist: to show that a third-party has also verified that the organization presenting the cert is the intended organization. It's not perfect, but it beats having no third-party validation.

      By using "Authority" signed Certificates people are "Trusting" someone else to secure their data. - and paying a large(ish) sum of money for this service.

      GoDaddy charges about $13/year for domain-validated certs with a discount code. StartSSL doesn't charge anything for DV certs. I'd hardly consider that a "large(ish)" expense.

  36. Re:Presumably the CIA, NSA, et al generate own cer by Anonymous Coward · · Score: 0

    ROTFL. That was beautiful; thank you.

  37. Re:Presumably the CIA, NSA, et al generate own cer by Mr+44 · · Score: 1

    Yes, the DoD (and other parts of the government) run their own CAs, and appropriate people have added those root keys to their system.

    However, that doesn't help here. A big part of this problem is that ANY CA trusted by your system can issue a cert for any domain.