Google Researchers Propose Plan To Fix CA System
Trailrunner7 writes "The security industry has no shortage of hard problems to solve, but the one getting the most attention right now is finding a way to improve, or ideally, replace, the CA infrastructure. The latest in what has become a series of recent proposals to help shore up the certificate authority system comes from a pair of Google security researchers who have laid out a plan for providing auditable public logs of certificates as well as proofs for each certificate issued. The system proposed by Google's Adam Langley and Ben Laurie (PDF) comprises three separate ideas, but relies on the creation of a publicly viewable log of every public certificate that's issued by a CA. There could be any number of public logs of these certificates, but the logs will be structured so that they are append-only. The entries in the logs will be the end certificates in the issuance chain. In addition to the logs, the proposal includes the use of proofs that are sent with each certificate to the user's browser. Laurie and Langley haven't defined exactly what the proof would look like, but suggest that it could be an extra certificate or a TLS extension."
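The summary above describes an append-only public log plus a per-certificate proof that the browser can check. The following is an added example, not code from the article or from the Langley/Laurie paper, of the minimal machinery that makes such a log auditable: a Merkle hash tree over the logged certificates, an inclusion proof for one entry, and the client-side verification that ties a certificate to a published tree head. The Merkle-tree structure and the RFC 6962-style leaf/node hashing are assumptions here (the summary does not say what the proof looks like); the certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """Hash of one log entry; the 0x00 prefix keeps leaves distinct from nodes."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash of an interior node; the 0x01 prefix blocks leaf/node confusion."""
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly smaller than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: List[bytes]) -> bytes:
    """Merkle tree head over the given log entries (RFC 6962 MTH)."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(entries: List[bytes], m: int) -> List[bytes]:
    """Audit path for entry m: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, m: int, n: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client side: rebuild the tree head from a leaf and its audit path."""
    if m >= n:
        return False
    fn, sn = m, n - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            if not (fn & 1):
                while fn != 0 and not (fn & 1):
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class CertLog:
    """Append-only log: entries can be added, never removed or reordered."""

    def __init__(self) -> None:
        self._entries: List[bytes] = []

    def append(self, cert: bytes) -> int:
        self._entries.append(cert)
        return len(self._entries) - 1

    def head(self) -> Tuple[int, bytes]:
        return len(self._entries), tree_head(self._entries)

    def prove(self, index: int) -> List[bytes]:
        return inclusion_proof(self._entries, index)


def demo() -> dict:
    # Constructed stand-ins for DER certificates, not real certificates.
    log = CertLog()
    certs = [b"cert:example.com:serial=1", b"cert:mail.example.net:serial=7",
             b"cert:example.org:serial=3", b"cert:example.com:serial=9",
             b"cert:bank.example:serial=2"]
    indexes = [log.append(c) for c in certs]
    n, root = log.head()
    honest = all(verify_inclusion(c, i, n, log.prove(i), root)
                 for c, i in zip(certs, indexes))
    # A certificate the CA never logged has no valid proof against this head ...
    forged = verify_inclusion(b"cert:example.com:serial=666", 3, n, log.prove(3), root)
    # ... and a proof for entry 3 does not transfer to entry 2.
    misbound = verify_inclusion(certs[2], 2, n, log.prove(3), root)
    return {"size": n, "honest": honest, "forged": forged, "misbound": misbound}


if __name__ == "__main__":
    print(demo())
```

The browser only needs the tree head and the short audit path, so the "proof sent with each certificate" can be a few hundred bytes; whether it rides in an extra certificate or a TLS extension is the packaging question the summary leaves open. Note that the log proves a certificate was logged, not that it was issued to the right party: catching mis-issuance still needs someone watching the log for their domain.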
Did anyone else read this as "Google plans to fix California"?
No? Oh well.
No, it doesn't. With SSH you're generally not logging into a system and expecting to trust the security of a system based on its name. SSH trust is based on whether you have been there before, and whether it has the same identity as before.
What are you talking about re: Google censoring the Internet? Also, what convinces you that the UN would do a better job? What large nation isn't putting corp interests first that would influence a UN body to behave differently?
Which is exactly what browsers should do. But that doesn't solve the problem of CAs that can't keep their root keys secure.
"Bob has a problem requiring secure communication. He decides to use certificates. Now Bob has two problems."
The new certificate system will be invitation-only, and then will be shut down.
In soviet russia the government regulates the companies.
Let's all just give up and use self signed certs. Sure it's not secure but at least you don't have to pay for them then go through all the security theatre to pretend they are. You could change your web page to "Welcome. All our base are belong to YOU. We give up."
These posts express my own personal views, not those of my employer
But that's exactly wrong. With DNSSEC (well, hopefully) becoming more popular, it WILL actually be possible to rely on DNS to store things like key fingerprints.
The UN is not some world government for some happy hippie peace dream. It is a machine to legitimize the ends and means of select superpowers. You certainly do not want any of them to have power over the internet.
FCKGW 09F9 42
The CA system is set up so that you can be reasonably sure that the host you're connected to is who they say they are.
You "trust" that a certificate they present is legitimate because it is cryptographically signed by a CA.
You trust the CA because you have a root list of CAs to trust, typically fed to you by MS.
The problem with the CA system is the fact that the CAs themselves are untrustworthy.
They don't do their due diligence in verifying hosts they issue certificates to, safeguarding their private keys, or revoking certificates when keys get stolen.
The entire idea is insecure because users want shit to work transparently, and CAs want to do shit as cheaply as possible.
You can have all the logs and auditing that you want, but when some soccer mom can't buy something on Amazon, your system has failed.
And when some CA fucks up and nobody knows because no one is actually monitoring those logs, your system has failed.
And if you DO have dedicated groups that monitor logs and do audits, it becomes the same fucking game of knowing which monitoring group to trust, how far to trust them, etc. 99.9999% of users will just be confused, and will think their next computer crash has something to do with the internet hacks Wolf Blitzer told them about.
The only way to trust a host is to verify their identity yourself. And if you're going to go and fucking verify the trustworthiness of CAs via analyzing their logs yourself, you may as well just verify the trustworthiness of individual sites yourself. Call up Amazon and ask them about their certificate. Maybe they should print it on the back of all their packing slips.
Age verification is censorship.
To offset political mods, replace Flamebait with Insightful.
In 2005 I published a paper that proposes essentially this, along with providing an entry for DNS to delegate key query for a domain to a secondary key server (so that only a small number of key fingerprints need to be added to DNS for a domain) and key certificates are signed with these keys and available along with key metadata in an XML format.
The proposed solution makes it easier to identify invalid certificates after a compromise is known. It doesn't do anything to stop the compromise, because the compromised certificates were issued correctly by the CA just like every valid certificate.
The problem is that the CAs aren't completely trustworthy and aren't completely impervious to attack, and never will be. Any solution needs to permit a compromised CA's root certificates to be revoked without instantly invalidating huge swathes of issued certificates that weren't part of the compromise. I don't see any way of doing that that doesn't involve changing the basic approach from one of "a single CA issues a specific certificate" to "one or more CAs certify the authenticity and validity of a certificate". In short, CAs cease being the sole issuers of documents and become the equivalent of notaries public certifying that the person who created the certificate is really who the certificate says they are.
Google couldn't fix California. The problem is beyond the capabilities of the Ph.Ds at Google, because this is a problem involving the common man, and corruption. Even some of my tech and advances aren't going to help much without other changes.
No doctor in the world could fix that.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
How do you propose to verify someone's (or some site's) identity without having a trusted third party telling you that you should? What you say is kind of utopian; it might work to connect to somewhere you know, but it'll fail on a larger scale.
And don't forget that it's not just you having to verify the website's identity, sometimes it is also the website asking to verify yours. Even if they used their own CA to hand you a certificate, they still needed a trust based system.
Yes, I see your point. On a basic level SSH only relies on an asymmetric key exchange and signatures and not on CAs, but the problem is way bigger than that.
So eventually it will be certificates all the way down.
I eat only the real part of complex carbohydrates.
Age of majority IS arbitrary.
It's whatever the law of the nation that is sovereign over the citizen in question SAYS it is.
The government telling you what you can or cannot do is pretty much the definition of what a law is.
DNSSEC is unpopular with governments because it breaks censorship.
Current protocols that agree on a public key do so via certificate chains signed by a CA, which we don't necessarily trust (or wish to fund), and we would like to have the option to remove them from the chain, but then we need somewhere else to root trust. DNS is the natural place to do that in today's internet (who has the authority to assign me a gmail.com address? Why, the owners of that domain, of course; if they wanted to give that name to someone else, only they could. Once you own a registered domain you have the right to subdomain it to whomever you please, and they have to trust you not to revoke it).
The proposal is to have this certificate chain rooted at a per-domain CA (or the domain can choose to use an existing CA) so that both the fingerprint of the CA's signing key and the authority of the CA to vouch for this domain are leveraged from DNS, not some arbitrary out-of-band trusted party. The protocol would agree on keys just as it does today, but when the certificate chain is being validated it would then verify the CA with the proper domain (for e-mail, FTP, HTTP, SSH etc. the owning domain is well understood from context) before accepting the key. No real change is needed to the underlying protocols (although the implementations need to be changed slightly, just as they would for accepting a CA's new signing key); essentially every key validation would end in a couple of additional DNSSEC resolution queries.
Of course this is a chicken-and-egg problem in that it then ties back into DNSSEC, and root-level trust in DNSSEC needs to be solved (through CAs for now), but it decouples the problem and leverages the architecture of DNSSEC (we really do need it anyway) to provide arbitrary certificate trust without putting undue burden on DNS. If we are going to have to have DNSSEC to fix DNS, we may as well use it for more than just name-to-IP resolution. There is no reason to solve the trust problem more than once, and as long as we use DNS-based hierarchies to specify machines or end users (e-mail accounts) we have to trust DNS. The fact that today, pre-DNSSEC, we blindly trust unsigned DNS replies is the only reason the parallel certificate hierarchy exists at all.
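The three comments above (the DNSSEC fingerprint remark earlier in the thread and the per-domain CA proposal just above) both come down to one client-side check: take the fingerprint the domain publishes in DNS, refuse it unless the DNS answer was DNSSEC-validated, and then require the presented chain to pass through a certificate matching that fingerprint. The block below is an added example of that check, not code from the commenter or from any real resolver or TLS stack. It borrows the record layout of DANE/TLSA (RFC 6698: usage, selector, matching type) as a concrete way to encode "fingerprint of the per-domain CA in DNS"; that encoding, the `_443._tcp.` name, the `Cert`/`TlsaRecord`/`DnsAnswer` classes and all certificate bytes are constructed for illustration. Signature checks along the chain are assumed to be done by the TLS library and are not shown.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    subject: str
    der: bytes   # constructed stand-in for the certificate's DER encoding
    spki: bytes  # constructed stand-in for its SubjectPublicKeyInfo


@dataclass(frozen=True)
class TlsaRecord:
    usage: int     # 2: trust-anchor assertion (the per-domain CA); 3: end-entity pin
    selector: int  # 0: full certificate; 1: SubjectPublicKeyInfo only
    matching: int  # 0: exact bytes; 1: SHA-256; 2: SHA-512
    data: bytes


@dataclass(frozen=True)
class DnsAnswer:
    name: str                 # owner name queried, e.g. "_443._tcp.example.com"
    records: List[TlsaRecord]
    authenticated: bool       # resolver's AD bit: True only if DNSSEC validated


def _association_data(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == 0 else cert.spki


def record_matches(rec: TlsaRecord, cert: Cert) -> bool:
    """Does this DNS record describe this certificate (or its public key)?"""
    blob = _association_data(cert, rec.selector)
    if rec.matching == 0:
        return blob == rec.data
    if rec.matching == 1:
        return hashlib.sha256(blob).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(blob).digest() == rec.data
    return False  # unknown matching type: never match


def chain_trusted(chain: List[Cert], answer: DnsAnswer, expected_name: str) -> bool:
    """chain[0] is the server certificate, chain[1:] its issuers up to the
    per-domain CA.  Trust is rooted in DNS, not in a preinstalled CA list."""
    if not chain or answer.name != expected_name:
        return False
    if not answer.authenticated:
        # An unsigned DNS reply is exactly the thing the comment says we must
        # not trust: without DNSSEC the record could have been spoofed.
        return False
    for rec in answer.records:
        if rec.usage == 3 and record_matches(rec, chain[0]):
            return True
        if rec.usage == 2 and any(record_matches(rec, c) for c in chain[1:]):
            return True
    return False


def demo() -> dict:
    # Constructed certificates and DNS answers; nothing here is real data.
    domain_ca = Cert("CA of example.com", b"der:ca:example.com", b"spki:ca:example.com")
    server = Cert("www.example.com", b"der:www.example.com", b"spki:www.example.com")
    rogue_ca = Cert("Some Other CA", b"der:rogue-ca", b"spki:rogue-ca")
    rogue_server = Cert("www.example.com", b"der:rogue-www", b"spki:rogue-www")

    name = "_443._tcp.example.com"
    # The domain publishes the SHA-256 of its own CA's public key.
    pin = TlsaRecord(usage=2, selector=1, matching=1,
                     data=hashlib.sha256(domain_ca.spki).digest())
    signed = DnsAnswer(name, [pin], authenticated=True)
    unsigned = DnsAnswer(name, [pin], authenticated=False)
    return {
        # legitimate chain, DNSSEC-validated record: accepted
        "legit": chain_trusted([server, domain_ca], signed, name),
        # a cert for the same name from a CA the domain never delegated to: rejected
        "rogue_ca": chain_trusted([rogue_server, rogue_ca], signed, name),
        # correct chain, but the DNS answer was not DNSSEC-validated: rejected
        "no_dnssec": chain_trusted([server, domain_ca], unsigned, name),
    }


if __name__ == "__main__":
    print(demo())
```

The "rogue_ca" case is the one the thread cares about: a CA that is in the browser's root list but was never named by the domain cannot mint an acceptable certificate for it, because the client looks up the domain's own DNS record instead of consulting the root list. The "no_dnssec" case is the chicken-and-egg point: the scheme is only as strong as the signed DNS chain it hangs off.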
But that would admittedly be a pretty boring episode. And not the sort of thing he usually worries about.