An Interactive Graph of the Certificate Authority Ecosystem

An anonymous reader writes "Researchers of the International Computer Science Institute in Berkeley have created an interactive diagram that shows root-CAs, their intermediates, the relationships between them and how many certificates have been signed by them. The graph was generated by passively monitoring the Internet uplinks of a number of (mostly) edu sites for SSL connections and their certificate Information. Among other things the graph shows that one GoDaddy intermediate signed more than 74,000 certificates and that a German CA uses more than 200 sub-CAs for administrative reasons."

Holy colorblindness, Batman!

I swear that graph looks just like one of those colorblindness tests.
Has Berkeley never heard of accessibility standards?

Re:Holy colorblindness, Batman!

[fibonacci8]

All I see is a Mandelbrot lake, it looks like the paths are just escape-time iterations graphed and random labels thrown on them afterward.

Not bad, but...

[drosboro]

they probably should have hired Randall of XKCD to actually do the graphics... Nobody does these sorts of visualizations as well as that. And I just didn't find the alt-text funny at all. :)

Re:Not bad, but...

[gagol]

Funny thing is, other human beings were born after you and are in that stage of their lives... and others will too!

Re:Not bad, but...

Oh get over it. XKCD stopped being funny shortly after most of us grew past our frustrated university phase. If you haven't, you have my pity.

Perhaps you should save some of that pity for yourself, there, sweetheart.

How is that useful?

[gagol]

How is that useful? Serious question here.

Re:How is that useful?

Well, it tells you the influence of all current CAs - it lists the number of signed certificates for each CA (among other things).

The graphic is a lie

[Dynedain]

The graph, while cool, sucks!

It implies a root signer, which isn't really there. By clumping all the various networks identified within a circle, they make it look like there are connections between the networks that don't really exist.

Look carefully around the edge between the inner and outer circles, there's nothing that bridges them.

Now look carefully around the outer circle, you'll see it isn't one continuous network, it's a bunch of small networks just sitting next to each other.

The whole reason for putting data in a graphic is so that you can draw new meaning from visual clues because the human brain is so good at interpreting visual information. However, if you force stuff into shapes like this, you imply meaning that isn't really there.

Re:The graphic is a lie

[at10u8]

Not a lie, just missing another essential component: What I want to see is another layer of graph that shows which browsers (have) trust(ed) which CAs, and (if only!) how many dollars flowed along each of those edges.

Re:The graphic is a lie

I don't see a single root at all. I see one root in the middle with a circle of subsidiaries around it but most of the certificates are associated in a bunch of less than 10 with a single root, each of which is spread all around of the middle circle. The one in the middle just happens to be a single root with a lot of subsidiaries and, as you would expect, it displays them in a circle.

Re:The graphic is a lie

[bill_mcgonigle]

That, and it makes me think there's probably a hidden '23' in the plot that I can't see because of the colors they chose.

Re:The graphic is a lie

You misinterpreted the "The graphic is a lie" in parent.

Reason it is a lie is cause it gives an impression they are all connected, whereas they are not. It should have been grouped in several circles.

Re:The graphic is a lie

You too? I was straining to find it!

Re:The graphic is a lie

[interval1066]

...they make it look like there are connections between the networks that don't really exist.

Hey, I'll be the first to say I probably don't understand this as well as I should, but isn't this a map of CA relationsips, and not "network connections"? Or by "network" do you mean the network of CA authorities?

Re:The graphic is a lie

[MartinSchou]

Truth: Most of the CAs are in tiny closed relationships and have no connection to others.

Graph: Huge lump of CAs, making it look like they are all interconnected.

Re:The graphic is a lie

[Kalriath]

Actual truth: Most of the CAs are Symantec, using multiple names to make it appear there is actually competition.
Graph: Huge lump of CAs making it look like they aren't all Symantec.

Re:The graphic is a lie

[Dynedain]

I meant the network of CA authorities.

If this graph was accurate, it would look like a bunch of individual unconnected clusters, with one particularly large cluster. But clearly the creator was too interested in forcing it to look like on of those color-blindness tests.

This is a godsend

[azav]

Such a great tool. Thank you Berkeley.

CAs are an extortion racket.

[Medievalist]

Set up a few servers and mint cash.

Best idea I ever heard was that the US Post Office should become a CA, I'd use them instead of the current bunch of swindlers who do the minimum acceptable job at the highest acceptable price.

Re:CAs are an extortion racket.

who do the minimum acceptable job at the highest acceptable price.

That's pretty much the strategy behind every business.

Re:CAs are an extortion racket.

[NJRoadfan]

Ask DigiNotar how well that worked out for them. Whats funny about the whole is that people are supposed to "trust" a private enterprise with a clear profit motive. Yet nobody seems to actually question that trust enough.

Re:CAs are an extortion racket.

who do the minimum acceptable job at the highest acceptable price.

That's pretty much the strategy behind every business.

If that's your belief, I won't be buying your product!

Businesses that excel make the best possible product at a price people can afford; people who work for those businesses take pride in their work and are happy in their personal lives.

You know, people will actually pay extra for high quality... but in swindles like the CA business, where you have to have your certs pre-loaded into the major browsers before you can really be in the game, it's just like any monopoly - high prices and minimum quality, screw the consumer and the society s/he lives in, and if you've got any twinges of conscience go home and drink your shame (and health) away.

Re:CAs are an extortion racket.

Or ask Comodo. Their certificates are still trusted, and subissued by many reputable orgs.

Zoom!

[emho24]

If I zoom in close enough I can see my house.

sub-CA hell

[cratermoon]

DFN-Verein "creates a unique sub-CA for each institution for which it issues certificates"

I feel sorry for the technical folks who have to implement and maintain such a fucked up idea as per-institutional sub-CAs.

Re:sub-CA hell

[Let's+All+Be+Chinese]

And why is that? This is actually exactly how the CA structure was designed to work, not that commercial "we'll protect you from anyone we don't take money from"-crap, involving RAs and other unchecked entities that can use a CA to vouch for something that they haven't even checked themselves, a practice that somehow made it into the gold standard.

The DFN is the german academic research network, and so the guys running that network can vouch for every organisation connected to it. Each organisation is supposed to be able to vouch for the certificates they issue. What's your problem with that?

Personally, I think the whole PKI thing is FUBAR, since only one super is allowed to vouch for a sub and you're effectively forced to trust someone else's CA collection (down to a certain vendor silently undoing your changes to the store on your operating system come every update check). To make digital trust workable I, end user, have to be able to choose whom to trust, a choice I currently do not have, in fact cannot have lest my intarwebz stop functioning!

But in the case of the DFN, the hierarchy is exceptionally clear and one of the few places where it actually makes sense. And maintaining 200 sub-certificates is a lot less work than maintaining millions upon millions of certificates issued on a couple bucks and a grainy copy of your passport. What does that prove anyway?

Re:sub-CA hell

[cratermoon]

OH I definitely agree that the system is broken. Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

Yes, I think that encrypting your traffic securely is the right thing to do, and using public-private key pairs with cryptographically strong algorithms is the right way to do it, the trust model was broken the first day that money started to change hands as a surrogate for "trust"

Re:sub-CA hell

[heypete]

Personally, I think the whole PKI thing is FUBAR, since only one super is allowed to vouch for a sub and you're effectively forced to trust someone else's CA collection (down to a certain vendor silently undoing your changes to the store on your operating system come every update check).

If you're referring to the Windows utility to update root certificates, that can be easily disabled.

To make digital trust workable I, end user, have to be able to choose whom to trust, a choice I currently do not have, in fact cannot have lest my intarwebz stop functioning!

Why not? It's quite possible to remove all root certificates from your system and only install those that you trust. If you're concerned about the trustworthiness of a root, you can install a certain server cert (though you may lose such benefits like OCSP or CRL checking, as those are signed by the roots).

Re:sub-CA hell

[dkf]

Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

You are very confused. Alas, you are spreading your confusion around.

The whole design of SSL and public key infrastructures means that you don't trust the CAs with your personal data. Indeed, you hardly ever need to communicate with the CA directly at all. You just trust them to make accurate statements about hosts of websites. You then have to decide whether to trust that site with your personal data. Thus, no matter who signs the SSL certificate for Facebook, I'm not trusting them with my personal data...

There's no technical reason you couldn't run your own CA, in which case it could be as trustworthy from your perspective as you like. This is very close to what you do with a self-signed certificate. The only tricky part is persuading other people to trust that CA; they don't know it from a hole in the ground. The value of the big CAs is that they've coordinated with manufacturers of browsers (and a few other pieces of software) to ensure that their public certificates are already in place: browsers can already do the technical parts of identity and trust management for you. Still doesn't tell you if the company is shady or not; just that they are who they say they are.

Re:sub-CA hell

[cratermoon]

No, I'm fully aware we don't trust the CAs with our personal data. We're trusting the CAs to vouch for the organizations to whom they issue certificates. But now there are hordes of CAs, some of whom may not be particularly trustworthy, but the browser makers don't descriminate (much).

As a result, we have CAs that we're supposed to trust because our browsers accept them, but those CAs are passing out SSL certs like candy to anyone with a few bucks.

While we're not directly giving our personal data to the CAs, we're trusting the organizations they vouch for on the basis of the supposed trustworthiness of the CAs, when in fact most of them are utterly opaque and unknown to us, thus indirectly trusting them to protect our personal data.

Again I say, anyone on the internet should look at the diagram, look at the list of signing authorities their browsers trust, and ask themselves, "who the hell are all these people and why do I trust them?"

The ICSI Certificate Notary

[Onymous+Coward]

So this graph is publish by the ICSI. They're getting into the "notary" game: http://notary.icsi.berkeley.edu/

They reference Perspectives as the pioneer of this scheme and also mention Convergence.

ICSI's Certificate Notary offers itself as different: "our notary collects certificates passively from live upstream traffic at multiple independent Internet sites, aggregating them into a central database in near-realtime." I'm not sure this is an improvement.

I'm Colorblind!

I'm colorblind you insensitive clod!

Octave

[troll+-1]

GNU Octave is a very handy program to know: http://www.gnu.org/software/octave/

Re:ELem school shooting in Newtown, CT

[cgimusic]

Yes, we know. It is horrible and incredibly sad but why did you feel the need to post a comment about it on this story?

Re:ELem school shooting in Newtown, CT

Berita Unik dari Wanita Tercantik Di Dunia. Bisa di baca disini

Redundancy, Robustness and Hubs

[m.shenhav]

I don't know much about certification. I do know something about networks though. What we see here is a graph whose connected components seem to have a one or two hubs. So let me ask anybody who knows anything about CAs: What happens if we take down those hubs?