Slashdot Mirror


Mozilla Asks All CAs To Audit Security Systems

Trailrunner7 writes "Already having revoked trust in all of the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates."

17 of 77 comments

  1. why don't they do this already? by swan5566 · · Score: 3, Insightful

    This should be done on a regular basis anyway, and that by a third party.

    --
    In debates about Christianity, there are two groups: those looking for answers, and those looking to just ask questions.
  2. If you ask nicely enough... by dremspider · · Score: 5, Insightful

    If you ask nicely enough maybe they will do something about all their problems. What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple etc and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs. SSL has been destroyed, not because of protocol problems but because of the companies running the show. It was a race to the bottom from the beginning. Who could provide the cheapest service and make the most profit off of it. This model doesn't mesh well with Security and never will. Once one company operates their systems cheaply, everyone else must follow so as to maintain low prices.

    1. Re:If you ask nicely enough... by StripedCow · · Score: 4, Informative

      ...unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs

      In the case of DigiNotar, PricewaterhouseCoopers was doing the audits.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:If you ask nicely enough... by ObsessiveMathsFreak · · Score: 5, Insightful

      What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple etc and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs.

      The recent "Too big to fail" CA == Bank comparison story was all too succinct a comparison, and this method won't work for the same reason an independent audit of the banks won't work. In short, most if not all CAs are likely security bankrupt.

      Investigation is likely to find that CAs are only one step above fly-by-night organisations, with slipshod practices, procedures and security at every possible level, from the main servers to the secretary's email inbox. Are you ready to deal with the fallout from such revelations?

      Are you ready to actually revoke security authentication from millions of sites across the internet? Are you ready to deal with every major browser throwing a blue screaming fit every time a user connects to a major web commerce login? Are you ready and able to unclog a seized-up system, signed up to by every major player on the internet, and which a substantial portion of the modern net itself now rests on?

      The major problem here is the browsers, and Mozilla's actions here--requesting the CAs to police themselves--are exactly analogous to how our international banking system was woefully mismanaged over the last decades. What Mozilla should be doing is moving away from reliance on the Certification Authority system altogether. It has failed. It has become dangerous to users and websites. It must be replaced or abandoned.

      Removing the DEFCON 2 warnings for self signed certs will be the first step in the right direction. Until then, Mozilla is just continuing to be part of the problem.

      --
      May the Maths Be with you!
    3. Re:If you ask nicely enough... by ObsessiveMathsFreak · · Score: 2

      PWC were (are) the auditors for AIG and Bank of Ireland.

      --
      May the Maths Be with you!
    4. Re:If you ask nicely enough... by nedlohs · · Score: 3, Insightful

      And in this particular domain even the customer doesn't care.

      Sure I could spend more of my time and money finding and using the CA with the best security practices. But when the cheap-n-nasty is hacked to generate (or just hands out due to their lack of checking) a cert for my domain to someone else that the CA I chose wasn't hacked is completely irrelevant. I've gained nothing by choosing the more secure provider.

      So of course you have a race to the bottom...

    5. Re:If you ask nicely enough... by dgatwood · · Score: 3, Insightful

      And this is the reason that SSL certs (in whatever form they continue to exist) should be part of your DNS record, and that we should have a mandatory transition to DNSSEC over the next few years to ensure that those records cannot be tampered with during transit.

      By doing that, the only way to pull one of these stunts would be to take over the domain at the registrar, at which point it would then matter which provider you chose, and the race to the bottom would become a race to the top (or at least to the median).

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

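The proposal above (publish the certificate, or a digest of it, in DNS and rely on DNSSEC to protect it in transit) is essentially what DANE TLSA records (RFC 6698) standardize. The following is an added example, not code from the thread or from any CA or browser: it parses a TLSA record in presentation format, extracts the SubjectPublicKeyInfo from a certificate with a minimal DER walker, and checks the record against the certificate for all three matching types. The certificate it checks is a constructed stand-in built by `fake_certificate` (no real key or signature); the TLSA record format and the X.509 field order are as specified, everything else is illustrative.

```python
import hashlib
import hmac


def _der_tlv(buf, pos):
    """Parse the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (whole TLV) of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_vstart, _ = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_vstart, tbs_vend = _der_tlv(cert_der, cert_vstart)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_der_children(cert_der, tbs_vstart, tbs_vend))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is optional (absent in v1 certs)
        fields = fields[1:]
    spki_tag, spki_start, _, spki_end = fields[5]   # serial, sigalg, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]


def _association_data(selector, mtype, cert_der):
    """Certificate Association Data as RFC 6698 defines it for a selector/matching-type pair."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return data                                  # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def parse_tlsa(presentation):
    """Parse 'usage selector mtype hexdata' (TLSA presentation format) into a tuple."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_record_for(usage, selector, mtype, cert_der):
    """Zone-operator side: the record to publish for this certificate."""
    return f"{usage} {selector} {mtype} {_association_data(selector, mtype, cert_der).hex()}"


def tlsa_matches(presentation, cert_der):
    """Client side: does this certificate match the record?

    Usage 3 (DANE-EE) applies directly to the server's end-entity certificate. Usage 2
    (DANE-TA) is matched against a trust-anchor certificate from the presented chain, and
    usages 0/1 additionally require ordinary PKIX chain validation; the caller supplies
    the right certificate and performs any extra validation, this function only compares.
    """
    _usage, selector, mtype, assoc = parse_tlsa(presentation)
    return hmac.compare_digest(_association_data(selector, mtype, cert_der), assoc)


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed fake certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_certificate(spki_payload):
    """Constructed stand-in for a certificate: correct field order, empty placeholder fields."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # [0] version = v3
               + _der(0x02, b"\x01")             # serialNumber
               + _der(0x30, b"")                 # signature algorithm (placeholder)
               + _der(0x30, b"")                 # issuer (placeholder)
               + _der(0x30, b"")                 # validity (placeholder)
               + _der(0x30, b"")                 # subject (placeholder)
               + _der(0x30, spki_payload))       # subjectPublicKeyInfo
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The comparison uses `hmac.compare_digest` so record checking does not leak timing on partial matches. The point the commenter makes still holds for this design: the TLSA record is only as trustworthy as the DNS answer that carried it, so without a DNSSEC-validated response an on-path attacker can substitute both the certificate and the record that vouches for it.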
    6. Re:If you ask nicely enough... by guruevi · · Score: 2

      PWC from my experience don't do real audits. They're more like an insurance company. They may send out a drone that knows nothing about what he's supposed to be checking, but the bulk of the money you pay them probably goes to a fund in case you have a breach and sue PWC.

      I think that may be true of a lot of other audit companies. There are few audit companies that actually do penetration testing etc.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:If you ask nicely enough... by heypete · · Score: 2

      Indeed, it does suck.

      Nevertheless, if the CA fails an audit, they *should* be removed (perhaps after a reasonable time to resolve the problem and get re-audited, if the problem is not too serious).

    8. Re:If you ask nicely enough... by Ja'Achan · · Score: 2

      CAs are about trust. SSL is about encryption.

  3. This is fine, but solves nothing by bhingque · · Score: 2

    Good security practices are fine (and should be absolutely requisite for CAs), but do nothing to address the real problem with CAs, which is anchored trust. I hope that all of the browsers move to implement Convergence.

  4. Two factor, three factor by roman_mir · · Score: 5, Insightful

    Who can trust a CA? Why would you trust a CA? How did a CA earn your trust?

    Mozilla, it's time to own up. This is a bunch of nonsense. Stop treating self signed certificates like cancer, provide a way to see the fingerprint clearly, don't bother with the 'lock' icon and start working on some real innovation - how to do trust by having distributed lists of fingerprints, signatures, whatever. Something that doesn't rely on a signing authority at all.

    You want to do real innovation instead of looking at hiding address bar from the users? Do this instead.

    1. Re:Two factor, three factor by Kalriath · · Score: 2

      Because the organisation should be expected to have offices in every single city of every single region of every single country on the planet. And on top of that, the customer has to keep track of a post-it note or something storing these fingerprints. Screw that. Face it, it's a bad idea.

      You know what would really happen? A market opportunity would open and we'd have companies start up which store and list all the fingerprints of big organisations who pay them money. Let's call them "Certificate Authorities". Users would just go look at the fingerprint on that site (if they don't just say "oh, fuck it" and just click OK) and those Certificate Authorities (CAs for short) would become the new targets.

      Oh wait. I just described the current system.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  5. Perhaps this will be the first positive change by inviolet · · Score: 4, Insightful

    "Mozilla [...is...] asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates."

    This may be the first REAL change in the CAs' assessments of the risk versus reward of building and maintaining good layered security systems. Until this week, the idea of a breach leading to delisting and the demise of the organization was an abstract idea. Now it is concrete, which makes all the difference (even though it shouldn't).

    Perhaps some mid-level geek will finally, successfully make his case that the issuance process should be airgapped (or other similarly expensive measures).

    Unfortunately, we haven't yet seen a change in the economics of issuing a certificate without proper vetting of the requestor. Right now it costs the CA almost nothing to issue a single certificate to somebody who isn't actually who they say they are. And vetting is a real-world activity involving meat and paper, so the MBAs in charge will never put money behind real vetting... until the economics change, anyway.

    --
    FATMOUSE + YOU = FATMOUSE
  6. Security theater - brought to you by the CAs. by DarkFencer · · Score: 4, Informative

    It really is security theater now. I've had to get certs from various vendors for the .edu I work at. They need 'official' documents from 'someone important'. Like a letter on official looking letter head with a copy of a photo ID faxed to them. Yeah. Real secure. Lemme break out my copy of photoshop.

    How about at the very least the verifications some sites use to show that you control a domain? For example, the CA says that in order to verify 'somesystem.somewhere.com' we're going to need you to put this arbitrary string in a TXT record on your DNS server for that host.

      When setting up a domain on Google Apps or MS Live (or other places) they ask you to do this as one of the things to do to prove domain ownership. Yes - obviously if your DNS is owned this isn't a problem, but it's a heck of a lot better than the process now.

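The DNS TXT challenge the commenter describes is straightforward to do correctly, and the details matter: the token must be unguessable, time-limited, published at the expected name rather than anywhere under the domain, and compared by exact equality rather than substring. The following is an added example of the CA side of such a check, not code from the thread or from any CA; the `_ca-validation` label, the `ca-validation=` value prefix and the 600-second lifetime are assumptions, and `FakeResolver` is a constructed in-memory zone standing in for a real DNS lookup.

```python
import hmac
import secrets
from dataclasses import dataclass

CHALLENGE_LABEL = "_ca-validation"   # hypothetical label; a real CA publishes its own
CHALLENGE_TTL = 600                  # seconds before an issued token stops being accepted


@dataclass
class Challenge:
    domain: str        # normalized: lowercase, no trailing dot
    token: str         # random, unguessable, meant to be used once
    issued_at: float   # epoch seconds


def normalize(name):
    return name.strip().lower().rstrip(".")


def issue_challenge(domain, now):
    """CA side: mint a fresh random token the applicant must publish in DNS."""
    return Challenge(normalize(domain), secrets.token_urlsafe(32), now)


def record_name(ch):
    """Owner name the applicant must publish at, e.g. _ca-validation.somesystem.somewhere.com."""
    return f"{CHALLENGE_LABEL}.{ch.domain}"


def record_value(ch):
    """Exact TXT rdata the applicant must publish."""
    return f"ca-validation={ch.token}"


def validate_challenge(ch, resolve_txt, now):
    """CA side: accept only if the challenge is still fresh and some TXT record at the
    expected name equals the expected value byte for byte.

    resolve_txt(name) -> list of TXT strings. Equality (not substring or prefix) is used so a
    record such as 'ca-validation=<token>-extra' cannot pass; the comparison is constant-time.
    """
    if now - ch.issued_at > CHALLENGE_TTL:
        return False                                  # stale token: applicant must start over
    expected = record_value(ch)
    for rdata in resolve_txt(record_name(ch)):
        if hmac.compare_digest(rdata.strip('"'), expected):   # tolerate quoted TXT strings
            return True
    return False


class FakeResolver:
    """Constructed in-memory zone; a real deployment would query DNS (ideally DNSSEC-validated)."""

    def __init__(self, zone):
        self.zone = {normalize(name): list(values) for name, values in zone.items()}

    def __call__(self, name):
        return self.zone.get(normalize(name), [])
```

After a successful validation the CA should discard the challenge so the same token cannot be reused for a second issuance. As the commenter notes, this proves control of the zone, not identity: an attacker who controls the domain's DNS, or can forge the answer on the path to the CA's resolver, passes it just as easily as the legitimate owner.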
  7. Re:Mozilla can't be trusted either by LordLimecat · · Score: 3, Informative

    I was going to reply point by point to your complaints, but then I realized:
    A) you're an AC, and probably trolling, and know that if you posted under your real handle your karma would tank because..
    B) most of your complaints are garbage because...
    C) they have all been addressed before in about a zillion threads, and
    D) your entire post is off topic anyways.

  8. They do this already. by mcrbids · · Score: 2

    My software company was in line to provide signature validation services for the State of California. Although we didn't land the contract, finding out what it took to become a legally recognized CA for California was part of the process. California (and by extension, most governments) requires a SAS70 audit. Performed once, and then re-performed annually. The audit itself cost about $25,000, we estimated the actual cost of compliance at $250,000.

    That's an approximation of what it costs to become a legally recognized CA.

    The hardware/software combination for generating the certificates is $50 for a used computer on eBay and a download of a Linux ISO. Most of the cost isn't in the technology, but in the operational processes for making sure the certificates are managed properly.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.