Google Researchers Propose Plan To Fix CA System
Trailrunner7 writes "The security industry has no shortage of hard problems to solve, but the one getting the most attention right now is finding a way to improve, or ideally, replace, the CA infrastructure. The latest in what has become a series of recent proposals to help shore up the certificate authority system comes from a pair of Google security researchers who have laid out a plan for providing auditable public logs of certificates as well as proofs for each certificate issued. The system proposed by Google's Adam Langley and Ben Laurie (PDF) comprises three separate ideas, but relies on the creation of a publicly viewable log of every public certificate that's issued by a CA. There could be any number of public logs of these certificates, but the logs will be structured so that they are append-only. The entries in the logs will be the end certificates in the issuance chain. In addition to the logs, the proposal includes the use of proofs that are sent with each certificate to the user's browser. Laurie and Langley haven't defined exactly what the proof would look like, but suggest that it could be an extra certificate or a TLS extension."
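The append-only log and the per-certificate proof the summary describes, sketched as a Merkle-tree log with RFC 6962-style inclusion proofs. This is an added example, not code from the Langley/Laurie paper or from Google; the `log_append`, `audit_path` and `verify_inclusion` names, the hash layout and the certificate bytes in the test are constructed for illustration.

```python
import hashlib

def _hash_leaf(cert_der: bytes) -> bytes:
    # 0x00 prefix keeps leaf hashes distinct from interior nodes (second-preimage defence)
    return hashlib.sha256(b"\x00" + cert_der).digest()

def _hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n: where a tree of n leaves splits (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def log_append(log: list, cert_der: bytes) -> int:
    # The log (a list of leaf hashes) only ever grows; the index is what the CA gets back
    log.append(_hash_leaf(cert_der))
    return len(log) - 1

def root_hash(hashes: list) -> bytes:
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return _hash_node(root_hash(hashes[:k]), root_hash(hashes[k:]))

def audit_path(hashes: list, m: int) -> list:
    # Sibling hashes from the leaf upward; the sibling at the top split comes last
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if m < k:
        return audit_path(hashes[:k], m) + [root_hash(hashes[k:])]
    return audit_path(hashes[k:], m - k) + [root_hash(hashes[:k])]

def verify_inclusion(cert_der, index, tree_size, proof, expected_root) -> bool:
    """Browser-side check: does this certificate sit at `index` in a log with this root?"""
    if not 0 <= index < tree_size:
        return False
    return _fold(_hash_leaf(cert_der), index, tree_size, list(proof)) == expected_root

def _fold(h, m, n, proof):
    if n == 1:
        return h if not proof else None   # leftover siblings mean a malformed proof
    if not proof:
        return None                        # too few siblings for a tree of this size
    k, sibling = _split(n), proof.pop()
    if m < k:
        inner = _fold(h, m, k, proof)
        return None if inner is None else _hash_node(inner, sibling)
    inner = _fold(h, m - k, n - k, proof)
    return None if inner is None else _hash_node(sibling, inner)
```

A client that pins a log's root hash can run `verify_inclusion` on the proof delivered alongside the certificate; a certificate that a compromised CA issued but never logged fails this check even though its signature is valid.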
No it doesn't, with ssh you're generally not logging into a system and expecting to trust the security of a system based on its name. SSH trust is based on whether you have been there before, and on it having the same identity as before.
"Bob has a problem requiring secure communication. He decides to use certificates. Now Bob has two problems."
The new certificate system will be invitation-only, and then will be shut down.
In Soviet Russia the government regulates the companies.
But that's exactly wrong. With DNSSEC (well, hopefully) becoming more popular, it WILL actually be possible to rely on DNS to store things like key fingerprints.
The CA system is set up so that you can be reasonably sure that the host you're connected to is who they say they are.
You "trust" that a certificate they present is legitimate because it is cryptographically signed by a CA.
You trust the CA because you have a root list of CAs to trust, typically fed to you by MS.
The problem with the CA system is the fact that the CAs themselves are untrustworthy.
They don't do their due diligence in verifying hosts they issue certificates to, safeguarding their private keys, or revoking certificates when keys get stolen.
The entire idea is insecure because users want shit to work transparently, and CAs want to do shit as cheaply as possible.
You can have all the logs and auditing that you want, but when some soccer mom can't buy something on Amazon, your system has failed.
And when some CA fucks up and nobody knows because no one is actually monitoring those logs, your system has failed.
And if you DO have dedicated groups that monitor logs and do audits, it becomes the same fucking game of knowing which monitoring group to trust, how far to trust them, etc. 99.9999% of users will just be confused, and will think their next computer crash has something to do with the internet hacks Wolf Blitzer told them about.
The only way to trust a host is to verify their identity yourself. And if you're going to go and fucking verify the trustworthiness of CAs via analyzing their logs yourself, you may as well just verify the trustworthiness of individual sites yourself. Call up Amazon and ask them about their certificate. Maybe they should print it on the back of all their packing slips.
Self-signed certs are just as secure as any other, they're just not much good for verifying the identity of the device you're connecting to unless they're your devices (or those of someone you know and trust); though given the laughable standards of proof required by most CAs before issuing a certificate for a given hostname (and yes, sometimes they *are* just hostnames that they're issuing for, for some stupid reason) it's probably not that big a problem even without the recent CA compromises.
The proposed solution makes it easier to identify invalid certificates after a compromise is known. It doesn't do anything to stop the compromise, because the compromised certificates were issued correctly by the CA just like every valid certificate.
The problem is that the CAs aren't completely trustworthy and aren't completely impervious to attack, and never will be. Any solution needs to permit a compromised CA's root certificates to be revoked without instantly invalidating huge swathes of issued certificates that weren't part of the compromise. I don't see any way of doing that that doesn't involve changing the basic approach from one of "a single CA issues a specific certificate" to "one or more CAs certify the authenticity and validity of a certificate". In short, CAs cease being the sole issuers of documents and become the equivalent of notaries public certifying that the person who created the certificate is really who the certificate says they are.
Solve that problem via DNSSEC. Publish your self-signed key via DNS, and at least someone connecting knows that the server they are talking to currently owns the domain name and the connection is encrypted end-to-end, which is all that CA certs seem to have devolved to.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.