Slashdot Mirror


Rogue SSL Certs Issued For CIA, MI6, Mossad

Orome1 writes with this excerpt from Help Net Security: "The number of rogue SSL certificates issued by Dutch CA DigiNotar has ballooned from one to a couple dozen to over 250 to 531 in just a few days. As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates for domains of a number of intelligence agencies from around the world were also issued during the CA's compromise — including the CIA, MI6 and Mossad. Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, Wordpress and many others."

15 of 152 comments

  1. Can we move on now? by ka9dgx · · Score: 5, Interesting

    We've now had proof positive that no centralized trust system is workable against a sustained attack. Can we start to get some distributed trust systems in place, instead? The idea of a single proof of identity has failed. It's time to move on to a system that allows multiple checks and balances.

    Monocultures are great for creating massive failures, which is why nature wipes them out over time.

  2. well managed self-signed certs are safer by YesIAmAScript · · Score: 3, Insightful

    At least you know how many and which certs were issued from an authority that you run yourself.

    The chain of trust is only as strong as the weakest link in the chain.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:well managed self-signed certs are safer by elsurexiste · · Score: 5, Interesting

      That may very well work for you or your organization. Not so much for third parties or the internet, which is the case here. I mean... would you trust a bank's homepage if it's self-signed?

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    2. Re:well managed self-signed certs are safer by Zerth · · Score: 4, Interesting

      If I could pick up the cert from a local branch or by taking a picture of a barcode on the screen of an ATM, probably.

  3. F-secure has a partial list by nweaver · · Score: 5, Informative

    It may not be complete, but F-secure has a list of the ones created, including *.*.com, *.*.org, www.cia.gov, addons.mozilla.org, *.torproject.org, etc.

    --
    Test your net with Netalyzr
    1. Re:F-secure has a partial list by AVee · · Score: 3, Insightful

      I'm kind of perplexed by the *.*.com certificate, is there any use in having such a cert? Realistically there is no (legitimate) reason for such a certificate to exist. Is there any software around that will actually accept certificates which are that broad? I mean, if there ever is a clear giveaway for a MITM attack it would be a certificate like that.
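
An added example, not part of the thread and not code from any browser: a hostname matcher following the RFC 6125 wildcard rules (the wildcard is accepted only as the whole left-most label and matches exactly one label), run over the names quoted in the parent comment. The requirement of at least two labels after the wildcard is a simplifying assumption standing in for a real public-suffix check.

```python
# Names quoted in the comment above (the partial list of rogue certificates).
ISSUED_NAMES = ["*.*.com", "*.*.org", "www.cia.gov",
                "addons.mozilla.org", "*.torproject.org"]


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_is_acceptable(pattern: str) -> bool:
    """Return True if a certificate name is one a strict client would honour."""
    labels = _labels(pattern)
    if not any("*" in label for label in labels):
        return True  # plain hostname, no wildcard to police
    # The wildcard must be the entire left-most label and appear nowhere else.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    # Assumption: need two fixed labels after the wildcard, so "*.com" fails.
    return len(labels) >= 3


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against a certificate name; '*' covers one label only."""
    if not wildcard_is_acceptable(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def audit(names: list[str]) -> list[str]:
    """List the names that should be treated as a red flag in a certificate."""
    return [n for n in names if not wildcard_is_acceptable(n)]


if __name__ == "__main__":
    print("rejected patterns:", audit(ISSUED_NAMES))
    print(hostname_matches("*.torproject.org", "www.torproject.org"))
```
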

  4. But it's NOT centralized trust... by nweaver · · Score: 4, Interesting

    The root of the problem (pun intended) is NOT that the SSL/TLS certificate hierarchy is a centralized trust, but that there are hundreds of roots of trust, any one of which may be compromised, and all of which are considered equally valid by the browser.

    Who outside of the Netherlands even heard about DigiNotar before this happened?

    This is why some people like the idea of using DNSSEC for distributing key material: there exists only a single valid path of trust to a single root for a key associated with any given name: it's actually more centralized than SSL/TLS, which is what is desired.

    --
    Test your net with Netalyzr
    1. Re:But it's NOT centralized trust... by mellon · · Score: 3, Interesting

      The trouble with this is that it makes the root cert *insanely* valuable if we start using it in the way you describe. As a practical matter, there needs to be some additional system in place to provide a backstop for the root, so that merely compromising the root is not enough to successfully spoof every domain. DNSSEC + SSL CA is actually not a bad idea. But I am really worried about the push to use DNSSEC as the new single point of failure.

    2. Re:But it's NOT centralized trust... by Sancho · · Score: 3, Interesting

      it's actually more centralized than SSL/TLS, which is what is desired

      Centralization only works if you place a high amount of trust in the central organization. Do you trust ICANN? Do you trust .us? .ir? .uk?

      The CA system is only broken because there are weak links. The client trusts 200 CAs, and any one of them can sign for any domain. But what if we required 2 CAs to agree? 5? 10? It would be up to the admins of the server to decide how many CAs they wanted to use, and users could decide for themselves how many are required to agree in order to consider the cert valid.

      Moxie Marlinspike has some other ideas that sound pretty neat. Unfortunately, at first glance, his techniques seem to also rely on SSL, creating a chicken-and-egg problem. I may have been misunderstanding him, though.

  5. Re:Wow... by FriendlyLurker · · Score: 5, Interesting

    Related: Forget Rogue, Microsoft handed ability to intercept SSL on Windows (Another Wikileaks revelation, translated) to Tunisian dictator Ben Ali, apparently in return for contracts, stifling open source competition etc etc in Tunisia and allowing them to intercept Facebook, Google,... before the Arab spring revolution took place.

  6. Re:Wow... by AVee · · Score: 4, Informative

    And according to TrendMicro 'someone' made rather heavy use of the DigiNotar certificates on ~40 different networks in Iran: http://blog.trendmicro.com/diginotar-iranians-the-real-target

  7. Re:PGP-based system? by GameboyRMH · · Score: 3, Informative

    Self-signed certs are an improvement because they're harder to forge or steal. In case you haven't been paying attention over the last few years, we have this thing called Distributed Verification AKA an SSL Notary system to prevent MITM attacks.

    The centrally controlled system of CAs relies on perfect security at the CA (which as we've seen, they don't have) and a constant game of whack-a-mole to revoke certs. Long story short we have to stop using certs for authentication, it was a stupid idea but we all crossed our fingers and hoped it could work, but as we can see now, it can't. It's better to just use a self-signed cert that can't be stolen or forged at your choice of a few convenient locations and use distributed verification to prevent MITM attacks. That way you know you have an encrypted connection between your PC and the web host using the same cert other people around the world are seeing, and that's the most you can hope for without sending out-of-channel information (which isn't the worst idea in the world, BTW) or relying on some idiotic system of "trust dealers" like CAs which are just a disaster waiting to happen.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Re:Draw the consequences by xororand · · Score: 3, Informative

    For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed.

    Certificate Patrol for Firefox.
    "This add-on reveals when certificates are updated, so you can ensure it was a legitimate change."
    The UI is good too. Certificate Patrol, along with NoScript and Cookie Monster, is a major reason to use Firefox.

    X.509 handling is largely neglected by UI designers, not just in web browsers.
    Sometimes clients actually have options like "[x] Accept all certificates".
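
An added example, not part of the thread and not code from Certificate Patrol or any notary project: a sketch of the two checks described in comments 7 and 8, flagging a replaced certificate even when it would validate, and comparing the certificate seen locally with what other vantage points report. The class name, the quorum parameter and the byte strings standing in for DER certificates are all constructed for illustration.

```python
import hashlib


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class CertWatch:
    """Remembers the last accepted certificate per host (hypothetical helper)."""

    def __init__(self, quorum: int):
        self.quorum = quorum   # notary views that must agree with ours
        self.seen = {}         # host -> fingerprint last accepted

    def check(self, host: str, der: bytes, notary_views: list[str]) -> str:
        """notary_views: fingerprints other vantage points report for host."""
        fp = fingerprint(der)
        agree = sum(1 for view in notary_views if view == fp)
        if agree < self.quorum:
            # Our path sees a certificate the rest of the world does not:
            # consistent with interception, so do not record it.
            return "mismatch"
        previous = self.seen.get(host)
        self.seen[host] = fp
        if previous is None:
            return "first-seen"
        # A change confirmed by the notaries is probably a rotation, but the
        # user is still told, as the comment above asks of browsers.
        return "changed" if previous != fp else "unchanged"


def demo() -> list[str]:
    # Constructed stand-ins for DER certificates; "mail.example" is made up.
    legit, rogue, renewed = b"cert-A", b"cert-B", b"cert-C"
    world_a = [fingerprint(legit)] * 3
    world_c = [fingerprint(renewed), fingerprint(renewed), fingerprint(legit)]
    watch = CertWatch(quorum=2)
    return [
        watch.check("mail.example", legit, world_a),    # first visit
        watch.check("mail.example", legit, world_a),    # same cert again
        watch.check("mail.example", rogue, world_a),    # only we see this one
        watch.check("mail.example", renewed, world_c),  # world moved too
    ]


if __name__ == "__main__":
    print(demo())
```
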

  9. Re:Wow... by BCoates · · Score: 4, Interesting

    Not really. Any government can get their state CA included in the Windows root CA list just for the asking. OSX and Firefox are slightly more restrictive, but not in a useful way, they allow lots of state CAs as well.

    This is a broad problem with the HTTPS system, too many unrestricted root CAs with no concern for realistic security scenarios.

    This is not a good system, but it has nothing to do with Tunisia. The WikiLeaks cable you posted doesn't even talk about SSL, just about how using supported Microsoft software in the government will make the government more effective at everything, including domestic espionage.

  10. Alternatives by autocracy · · Score: 3, Informative

    There has been a lot of push at the recent DEFCON conferences, and associated conversation since, to look at alternatives to the current CA system. Moxie Marlinspike has been pushing a remote-view notary system called which is currently a Firefox plug, and Dan Kaminsky has been pushing for DNSSEC.

    There has been an awful lot of discussion about the technical details of SSL certificates on the Security StackExchange (Stack Overflow cousin) website, including the related blog post I penned: A Risk-Based Look at Fixing the Certificate Authority Problem.

    --
    SIG: HUP