India's National Informatics Centre Forged Google SSL Certificates

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

Repercussions?

Will there be any repercussions for this?

The National Informatics Centre of India did abuse something.
Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future?
Or will they lose this ability?

What will happen now?

They have shown that they can not be trusted. They must lose the power to do this.

Pull someones certificates or kill some CA. Someone needs to suffer because of this.

Re:Repercussions?

They must lose the power to do this.

No one can be trusted. The system/infrastructure must be designed to take into account untrustworthiness of all parties involved. WoT.

Re:Repercussions?

India is a very corrupt country.

I only see this as a good thing because it will reflect on companies that outsource to India and put the spotlight where it needs to be at - why do we trust these people with our customers?

As someone who has dealt with far too many indian "Customer service representatives" and actually had one attempt to charge my credit card $5000 to get a return flight from Ireland after the company cancelled my plane ticket (I was shanghaied and I live in the USA) I have no intention of dealing with any company in the future that outsources to India.

I lost 1300 euros that trip, It will never happen again.

Re:Repercussions?

Alternatives like namecoin and distributed trustless security is the only option that will work in the long term.

Centralized entities - from corporations to governments - will always be corrupted and used by someone to attempt to obtain an advantage over someone else. Centralized power corrupts.

Re:Repercussions?

I've always wondered if one could use large botnets to "pre-approve" rogue certificates in WoT models.

Maybe not for Google certificates which see billions of uses a day, but surely one could "outvote" lesser used certificates with enough hosts.

Re:Repercussions?

[Z00L00K]

This yet again highlights that the three-party trust system is broken.

There are ways around it, but there is no great solution - only workarounds.

Re:Repercussions?

If you do business with an Indian you are an accomplice, not a victim.

Re:Repercussions?

[INT_QRK]

“Power attracts the corruptible. Suspect any who seek it.” Frank Herbert, Chapterhouse: Dune

Re:Repercussions?

[INT_QRK]

The bargain lies in the relatively low cost of relatively skilled labor. Other considerations, where there might be awareness, are secondary, or less.

Re: Repercussions?

Wow is this not racism. I had similar experience dealing with Irish cs representatives

Re:Repercussions?

[Cajun+Hell]

If you think that might work, then keep learning. The botnets' "vote" only gets counted if someone decides to trust all of them. And if you can arrange that, then you don't need a botnet, you just need one node.

All that matters is how your fake node (or web of fake nodes) is connected to the victim.

Re:Repercussions?

[IamTheRealMike]

They have shown that they can not be trusted. They must lose the power to do this.

Pull someones certificates or kill some CA. Someone needs to suffer because of this.

What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patched things up enough to continue as part of their root store program or whether to pull the plug. I doubt many people have certs issued by this CA so the damage would be relatively minimal.

Unfortunately you can't just kill any CA that screws up. For one, if the CA was widely used it'd be disrupted. For another, nothing is unhackable, especially when you get the NSA involved. Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

Hard decisions ahead for browser and OS makers for sure ...

Re:Repercussions?

Maybe in a PGP style WoT, but in the case of the Firefox WOT plugin we have:

WOT ratings and reviews are powered by a global community of millions of users who rate websites based on their personal experiences. In addition, third-party sources are used to warn you about malicious software and other technical threats that you might encounter.

You can share your experiences by rating sites yourself and help make the Internet a safer place for everyone.

Sounds like a botnet using the plugin could have an impact on a site's reputation.

Re: Repercussions?

Yes, but only because the Irish one was drunk.

See? It works in all directions!

Re:Repercussions?

[sjames]

Never do business with anyone who outsources customer service at all. The 'representative' only has the power to read from the flip chart. They absolutely do not have the authority to fix the problem and they do not know who does or how to contact them.

Re:Repercussions?

Will there be any repercussions for this?

The National Informatics Centre of India did abuse something. Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future? Or will they lose this ability?

What will happen now?

They have shown that they can not be trusted. They must lose the power to do this.

Pull someones certificates or kill some CA. Someone needs to suffer because of this.

From TFS:

According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

Does that answer your questions?

Re:Repercussions?

[BitZtream]

Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

Yet that is exactly what they are supposed to do. Its not even really that hard.

Every CA hack to date has been preventable as was the fault of the CA simply not putting the required effort into doing their job or being flat out malicious. Stop trying to make it out like its an uber hard job, its not.

Re:Repercussions?

[Cajun+Hell]

Oops, didn't realize we were talking about something like that.

That plugin is a kind of neat idea (I approve) but it's very poorly named and doesn't seem to have anything in common with a real "web of trust." I'd probably be madder about the atrocious name if I didn't happen to like the plugin.

That gives me an idea: I should make a program for X11 users, where the five hundredth and ninth time someone opens a new window, it generates a PDF containing an extravagant statement of the accomplishment. Then I could call the program "X.509 Certificate Authority" just to fuck with everyone.

I also have an idea for an internet communications protocol which provides the social verification (the "proof" I think he called it) of Metcalf's Internet Teranodes Metric, but I'm trying to think of a concise way to explain that to people.

What's interesting about my MITM-proof thing is that it was computer-generated. I just had to provide the right seed (the "key" according to the software's docs) to the Pseudorandom Generated Proof engine. If you don't want me to explain how the MITM-proof works, I can just give you the PGP key and you can study the output yourself, in your own Virtual Information Monitor window, or Enhanced Markup Automatic Correlation Searcher if you prefer that approach.

Re:Repercussions?

[shaitand]

What makes you think it's any different with internal customer service at any sizable company?

Re:Repercussions?

[shaitand]

Seriously? How hard is it to put the actual root certificate on an offline internal network? You have to actually have a human being move a thumb drive between two machines to generate a cert. OMG, the horror! It's india for god sake, don't tell me they can't afford all that manual labor.

Re:Repercussions?

[sjames]

They do know who the boss is and who his boss is. They know who signs their paychecks. They may not tell, but they know.

With internal CS, there is at least a chance that it is supposed to be more than an impenetrable barrier between the customer and someone with authority.

Re:Repercussions?

[david_thornley]

Outsourced customer service is generally paid by the call. This means that the ideal call is a short one where the customer is satisfied enough not to raise a ruckus, but will run into problems and have to call back. Even if there is any way to pass feedback to the software vendor, it isn't in the customer service's interest to provide it, as clarifying a confusing thing in the software could lead to serious loss of revenue. That also means that the software vendor doesn't have the information to either fix things or even figure out what team is making confusing things.

This is also effectively true when a badly run software company runs its own customer service. A well-run company, however, can get useful information out of customer service, and has the ability to actually solve problems. It has incentive to fix difficult problems and data to find them. It's more expensive up front, but if you can reduce the number of calls, by reducing the number of customers with problems, you can save money in the long run.

If a company actually cares, it can also use excellent customer service to keep customers. I still have warm feelings for Apple based on a customer service call several years ago, in which I was quickly talking to somebody who understood what I was talking about, proposed a solution that worked, and provided useful supplementary information. You don't get that from outsourced service from Bangladesh.

Who do they think they are?

[Required+Snark]

The NSA?

Re:Who do they think they are?

[cold+fjord]

Who in the world do you think gathers intelligence?
Only the NSA?
Need a bridge? I have one for sale.

Re:Who do they think they are?

[oodaloop]

Nice strawman. So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?

Re:Who do they think they are?

[INT_QRK]

All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.

Re:Who do they think they are?

Need a bridge?

Nope, but you apparently need a funny bone.

Re:Who do they think they are?

Your bones are pretty funny.

Re:Who do they think they are?

[cold+fjord]

Strawman? Not so much.

So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?

Who can say? Do you have any thoughts on the matter?

Re:Who do they think they are?

[ultranova]

All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.

All countries keep an eye on their neighbours, just like all people keep a general awareness of their surroundings. All countries don't tap the phones of their neighbours's leaders, or install malware on equipment sold to them, or even spies over. Morals aside, taking hostile action tends to backfire, as the US is learning. Reputation is a resource, and it's stupid to waste it.

The problem with Machtpolitik is that even if you win a few rounds, you can't stop playing without giving away all your ill-gotten gains, and sooner or later you lose. And when you do, you don't get back what you've lost, even if you quit. And sometimes the house wins and everyone loses big time. And the Devil's the dealer.

The US is a good case study: the country is hopelessly in debt and the infrastructure is crumbling, yet it's going to be spending $ 1 trillion for a new fighter. It's madness, but that's the price US pays for the way it fought the Cold War. Ruthlessness doesn't go away and leave you alone just because whatever enemy you conjured it up to win has. That's why it's foolish to ignore morality, even in international politics - especially in international politics, since there's no nice constable to run to if you manage to get in over your head.

Re:Who do they think they are?

[viperidaenz]

Name one intelligence agency that doesn't use other government agencies to assist its endeavours.

Re:Who do they think they are?

[INT_QRK]

I was making an observation, not an apology. Notice that I never added, "...and this is always good thing." That said, neither is it always a bad thing.

Typical

Good old Indian "ethics".

Re:Typical

[Himmy32]

The whole world is filled with people with dubious ethics. Some regions just have slightly more effective means of controlling them.

Re:Typical

[djupedal]

+1 Mod this comment up

All about trust

[Himmy32]

The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again. They should know better.

Re:All about trust

[currently_awake]

So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

Re:All about trust

[gstoddart]

So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

India already forced BlackBerry to allow them to access BBM and the like.

Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

Which means Indians are already being spied on by (at least) their own government AND the USA.

Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

Re:All about trust

[Himmy32]

Let's be honest the outrage in India over this is going to be small. The current furor is over people getting raped and hanged while defecating in the open. The US doesn't really have a leg to stand on with the Snowden revelations and espionage in Germany. Nor do too many people want them to be the Internet World Police. It's a complex world with every country playing the spying game. No one is really shocked when someone else gets caught.

The only thing that will come out of this is lack of trust for some Indian certs, and hopefully some awareness that these attacks are happening.

Re:All about trust

No one is going accept a cert from them again.

Yeah. Just like no one trusts Comodo CA. Oh wait.

Re:All about trust

[Himmy32]

Deliberately giving out bad certs and being hacked are a little different. But as your comment shows their reputation has suffered because of the breach even 3 years later.

Re:All about trust

[OhPlz]

As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

So no, it's not ok. Not for the US, not for India.

Re:All about trust

Remember DigiNotar ?
They went bankrupt because nobody trusted them anymore.

Re:All about trust

Everyone is spying on everyone else, and most nations are spying on their own citizens. This does nothing to excuse the NSA violating the terms and limits of their authority, but you have to be an idiot to think that it's only the USA and USSR (ok, idiot with a bad grasp of recent history) involved in spying.

Re:All about trust

[cyberchondriac]

Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it. Every other country does it's sharing of spying too, let's not be naive. Wrong is wrong, no matter who does it. This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.
It's only fair that you either get to protest when every and any country pulls something like this, or not at all.

Re:All about trust

[gstoddart]

Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it.

I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.

And one which was doing business in their country. Like it or not, Google in India is subject to India's laws.

How many corporations and people in foreign countries have been targeted by the NSA? How many people think that is wrong?

There are an alarming number of people who basically say it's OK when the NSA does it, because that's their mandate.

It's only fair that you either get to protest when every and any country pulls something like this, or not at all.

Oh, I agree, and I disagree with the practice in general. But, as I said, it's appalling just how many Americans keep saying "it's fine when we do it, it's wrong when you do it".

I'm just reminding people of the apparent double standard which gets applied here and in the news.

Me, I think for a country to decide that their laws/desires trumps the rights of people in other countries, you lose some credibility when someone does the exact same thing to you.

Re:All about trust

[INT_QRK]

...and that's good. Loss of trust and confidence is the price one pays for getting caught breaching same.

Re:All about trust

[cyberchondriac]

Honestly, I don't think I've heard but a handful of americans saying that it's fine when we do it.. Pretty much everyone is up in arms over the NSA. What I hear people say - if unapologetically- is that the NSA isn't the only one doing it. And you'll probably never hear much about what the KGB does (I know that's more an equivalent to the CIA than the NSA but I'm not sure if Russia sets up their organizations like the US does).

Still, Google may have a presence in India but it's not an Indian company, per se.

At this rate, it seems like someday in the future we may have to deal with possibility that being on the Internet is like being a celebrity: no expectation of privacy.

Re:All about trust

[cellocgw]

The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again.

Sounds like what we need is a cert-issuing protocol based on Bitcoin security. Everyone (plus or minus epsilon) trusts that Bitcoins can't be forged.

Re: All about trust

Wow, I guess you never heard of the 50% attack then. Bitcoin-based is not the answer.

Re:All about trust

[sjames]

Agreed. They might or might not put the bodies in prison with the heads, I'm good with it either way. :-)

Re:All about trust

I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

There are an alarming number of people who basically say it's OK when the NSA does it, because that's their mandate.

If I were to play D&D, I would not be surprised if the NE rogue tries to steal some treasure - you expect it and try to monitor it. I don't expect the Father Shamus O'Healin the LG Cleric to bludgeon me from behind. Unless he's Catholic, but that's different. Hey-O!

India Spy agency doing Spy stuff, bad, but unsurprising. India Weights and MEasures group putting a thumb on the scale, bad, very surprising.

Re:All about trust

Can you name a single US news broadcast where they have been equally "up in arms" over spying on foreigners as they have been "up in arms" over spying on Americans?

I do not think so.

Re:All about trust

And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

The difference is simple. The statist apologists in America aren't dumb enough to say, "How is it any different than the USSR, Nazi Germany, or Red China?".

We don't look to those role models, don't look to us.

So SSL is nothing more than an honor system?

[bazmail]

So SSL is nothing more than an honor system? Fuck that. Security , such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.

Re:So SSL is nothing more than an honor system?

[bunratty]

Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

Re:So SSL is nothing more than an honor system?

[Desler]

You're just figuring this out? Have you been living under a rock for the past ~20 years or are you just incredibly naive?

Re:So SSL is nothing more than an honor system?

[gstoddart]

So SSL is nothing more than an honor system?

This is nothing new.

And, let's face it, I bet the NSA et al have demanded more private keys be handed over to them than you'll ever know about. Where's your outrage over that?

The five eyes all use each other to spy on their own (and others) citizens, and share the information among themselves. Where's your outrage over that?

I see this as a symptom of a greater problem, but no different from what a bunch of other countries are already doing.

Until someone creates a new encryption system which isn't susceptible to MITM attacks, this will always be the case. And governments will always unashamedly insist on spying on their people, and anybody else they can find.

Re:So SSL is nothing more than an honor system?

[gweihir]

Anybody that looked into the SSL certificate system has known that for a very long time. Quite a few people used to use self-signed certificates, as as least there somebody that bothered to find out could be sure it was secure.

I think the fundamental brokeness of the SSL certificate system is because of deep naivety with regard to the trustworthiness of governments and because of active sabotage of by said governments way back. I hope at least that issue is fixed after Snowden. Governments are even more evil than any of their members and cannot be trusted for any purpose.

Re:So SSL is nothing more than an honor system?

[bill_mcgonigle]

There are two TLS extensions that fix these problems - one is including your certificate fingerprint in DNS and the other is multiple signatures. Both have good standards and the industry is painfully slow to adopt them.

Re:So SSL is nothing more than an honor system?

[Rich0]

SSL goes beyond the naivety of government trust. It also suffers from what amounts to a global namespace/trust/etc issue.

Any CA can issue a certificate for any domain, a domain generally can only have one certificate, and the trusted CA list is managed by the browser, not the user.

So, if you trust your government (naievely), and distrust everybody else, it won't work. Your browser will constantly be wanting to add CAs you don't trust, and might not include ones you trust. Then, if you drop a bunch of CAs then a bunch of websites won't work. A website doesn't have the option of getting certificates from 14 different CAs so as to be trusted by everybody - they have to pick one and everybody has to trust them.

So, users are basically forced to accept CAs they've never heard of, and the whole system is a mess as a result.

Re:So SSL is nothing more than an honor system?

SSL should be adopted to be an optional configuration of DNS:

where if i own a domain i decree what are valid webservers, mail servers, etc.

i want it so that can have DNS state what certificate authority is trustworthy for my domain. Oh, my OWN Self-Signed SSL host is listed as trustworthy for MY DOMANI? GREAT, don't spam me with a warning popup now. thanks. No paying the SSL man, no worry about a Man in the middle.

of course, we need still something akin to a list of trusted root DNS certificates (for root DNS servers), and of course Secure DNS (DNSSEC) setup on my hosts and root DNS-- to prevent MITM--but that seems manageable.

I feel there could be an from for a dns option for web of trust, too. if someone wants to pay money to advertise themselves as super-secure or something.

Re:So SSL is nothing more than an honor system?

[jandrese]

x509 is as strong as the weakest signing authority, and there are many many signing authorities now.

It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs. IMHO SSH did a better job of this by simply having you inspect the certs the first time you log on to a site and storing the result, only freaking out if the cert changes. It eliminates the complex chain of trust that in the end comes down to just trusting people you don't know anyway and hoping that none of the thousands of people involved are corruptible or incompetent.

Re:So SSL is nothing more than an honor system?

[sexconker]

Until someone creates a new encryption system which isn't susceptible to MITM attacks

Uh, some of the earliest encryption algorithms ever created are immune to MITM.
The core of the MITM issue is that anything sent over it could be intercepted or spoofed.
So ALL your communication must be encrypted.

All you need a pre-shared key to initiate the connection. Whether that's a password or a certificate or something else makes no difference. What matters is the pre-sharing. You have to fucking know and trust the source of that key. If you're just using a list of certs issued by people you don't know and trusted on your behalf by other people you don't know, then your shit isn't secure.

In an ideal world I'd walk into a bank branch, verify that it is my fucking bank, ask them for a certificate for web access, they'd generate a unique one for me, and I'd copy it to my devices and trust it. I would also give them my own unique certificate, though a username and password is essentially a weaker version of that.

Re:So SSL is nothing more than an honor system?

Until someone creates a new encryption system which isn't susceptible to MITM attacks

Uh, some of the earliest encryption algorithms ever created are immune to MITM.

Name one. Just one. Robust MITM protection did not even start until Mr. Diffie and Mr. Helman were introduced to each other.

Re:So SSL is nothing more than an honor system?

[nyet]

It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs

Exactly. Especially since you can get a "real" cert from one of many, many, free cert signing services. What is the point?

Re:So SSL is nothing more than an honor system?

[gstoddart]

Uh, some of the earliest encryption algorithms ever created are immune to MITM.

Yes, and they were built for communications between two parties, who knew they'd be communicating, and could exchange keys in advance.

Now, tell me one which is applicable to the problem of a large number of potential users, all unknown up front, and coming from random devices.

The problem with modern public key encryption (and its strength as well) is that you don't need to pre-exchange keys. But this opens you up to MITM attacks.

Key exchange is hard. Managing all of those keys is really hard. You think a bank can maintain a list (and keep it secure) of the private keys of every individual customer?

The thing which holds the keys (and every vendor you deal with would have a separate copy) then becomes the next attack vector.

I think the generalized problem of establishing, trust, and a secure exchange of keys, is far harder and more complex in a world where you deal with lots of entities, who deal with lots of entities. This isn't things your average person are going to be willing to spend hours doing.

Re:So SSL is nothing more than an honor system?

[jandrese]

Originally it was supposed to be a cash cow for Verisign, but they screwed up and didn't assign a "trustworthiness level" to each CA so there's no reason to spend the big bucks on a Verisign cert over Joe Blow's Free Cert Shop now. Browsers treat both the same.

Re:So SSL is nothing more than an honor system?

Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

You have to write your own chips, logic and firmware too. More practically, is there an easy way to mass remove all the certs from the DB so you can enter a few you do trust? i.e. anything needed to buy on amazon, newegg and your webmail provider of choice...

Re:So SSL is nothing more than an honor system?

[chihowa]

That's a cop-out, though. Yes, there is always an element of trust in whatever you do. That's unavoidable, though it's smart to minimize the amount of trust you must put in others. Taken to the extreme it's ludicrous, as you've pointed out. But, that doesn't mean that there's no merit in limiting the amount of trust you put in third parties. Just because you can't completely trust your OS or compiler, doesn't mean that you should throw the entire concept of limiting trust out the window. It's dishonest to suggest that the risk is the same between trusting (your compiler), (your compiler + your OS), and (your compiler + your OS + the CA system).

The CA system is truly an honor system by design. It requires you to put your complete trust in a large, and growing, list of opaque and unfamiliar third parties and the decision to trust them is made by others though an opaque and unaccountable process. It's putatively a "security system", but is insecure by design. It depends entirely on unaccountable, secretive, and self-selected "authorities" to determine who should trust who.

Look at your OS's list of trusted CAs sometime. Any of these organizations, or anyone delegated by any single one of them, are implicitly trusted by your system. Completely trusting Microsoft, Apple, or various Linux devs is naive, but completely trusting everyone in the root CA list is absolutely insane!

Re:So SSL is nothing more than an honor system?

[gweihir]

Indeed. That is why I wrote "governments" as in the sum of all of them. One corrupt one is enough to break things.

Re:Anybody else think posting AC should be abolish

Says the random turd hiding behind a pseudonym. Sign your post with your real name, address and SSN and then you can call for "anonymous" posting to be abolished.

Re:Anybody else think posting AC should be abolish

[Desler]

Funny, I looked up "Assmasher" in the White Pages and various international name lookup services and didn't get a single hit. It's almost as if you're hiding your identity no differently than the very ACs that you proclaim to want to be abolished. Man up and give us all your personal details or STFU.

Re:Anybody else think posting AC should be abolish

[bill_mcgonigle]

I was gonna say set your preferences to -5 AC posts, but I can't find the setting at the moment - did they get rid of it for beta? Somebody probably can post the link to the scoring prefs.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Wow, I guess the guys who built /. who thought AC should stand for "Anonymous Coward" didn't know that "Desler" knows best and that and AC and a registered user are exactly the same thing. Wonder why they bothered with creating the AC system? Idiots. Really. I mean, they should have just asked you obviously.

Ignoring the rest of the stupidity of what you posted, maybe you could come to realize that the difference between AC and a registered user is that registered users can develop a reputation for their behavior; i.e., a user that posts stupid things like

Man up and give us all your personal details or STFU

can become known for being an ignorant hothead.

They're called "Anonymous Coward" for a reason.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Pseudonyms exist to protect people from the rabid - like yourself.

Think about the stupidity of comparing the establishment of a pseudonym to posting your SSN? LOL.

Re:Anybody else think posting AC should be abolish

[gweihir]

The difference between India and some other countries is that India is 2nd-rated enough to be caught immediately when they do something like this. That makes them more stupid, but less of a threat than, say, the US.

Re:Anybody else think posting AC should be abolish

[Desler]

How does having a registered account mean anything? You can register one with a throwaway email account. Plus many registered people do use AC from time to time.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Because it's a pain to do so. It helps cut down on the DB anonymous posting. You can quickly discern if they're schills, flametards, et cetera.

I agree, I post on occasion as AC when I'm on another device, and like I said, I never had any problem with people posting AC until the past few years when people seem to be using it to simply spam /. with total garbage, or hatred, et cetera.

Indaina Certs

And these are our "friends"? How much IT and other activities have we sent off to China and India? And what do we, our government and and our corporations get in return? Intellectual theft, data theft, subversion. And the we spy on our supposed allies.

Re:Anybody else think posting AC should be abolish

Pseudonyms exist to protect people from the rabid - like yourself.

So does AC since it is also a pseudonym.

Think about the stupidity of comparing the establishment of a pseudonym to posting your SSN? LOL.

What is stupid about it? You appear to hate anonymity yet use a fake name to hide your identity. Sign your work and stop being a hypocrite.

Scoped certificates

It sounds like we need the ability to limit the scope of certificate authorities to signing for only certain domains.

While it isn't a perfect solution to the broken CA model, it would prevent cases like this one and limit the damage that could be done.

Re:Scoped certificates

[DERoss]

That is an existing capability within the SSL process. NIC will be restricted to issuing certificates only for a set of domains that are specific to India. Just be careful if you want to have financial transactions over the Web with institutions based in India.

Re:Scoped certificates

[jonwil]

There are any number of proposals out there to replace or augment CA certificates for SSL purposes (the EFF has Sovereign Keys, there is the DANE proposal to store certificates in DNS with DNSSEC security and there are other proposals out there designed to make it much harder for these kinds of "bogus certificate" type attacks)

Why aren't any of these proposals actually gaining any traction?

Re:Scoped certificates

[Antibozo]

It sounds like we need the ability to limit the scope of certificate authorities to signing for only certain domains.

http://tools.ietf.org/html/rfc...

Re:Anybody else think posting AC should be abolish

[JesseMcDonald]

Somebody probably can post the link to the scoring prefs.

https://slashdot.org/users.pl?op=editcomm

Or you can click on one of the "edit" links in the score details window.

Re:Anybody else think posting AC should be abolish

[Desler]

Because it's a pain to do so

Yeah clicking a button and typing a couple dozen characters is sooo hard. Registration takes less than 5 minutes in total.

Internet Explorer IS vulnerable though

[dwheeler]

This is a big deal. If you use a browser on Windows that does NOT counter this, such as Internet Explorer, then you ARE vulnerable. I imagine Microsoft will come out with a special-purpose patch, but still, this is a pretty nasty issue.

Untrustworthy CAs have been a problem for a long time; we need mechanisms to address them. The terrible cert revocation system makes it even worse; you can't be sure that the certs are checked in many cases. Chrome's CRLSets are not the answer; they are not even the beginning of an answer. We need to fix the whole revocation system. Sadly, there hasn't been enough work or enough urgency on these problems; maybe this will light a fire under those efforts. I doubt it, but it's worth hoping.

Re:Corrupt Indians? You don't say!

They preach everyone is all the same because in reality the truth is embarrassing.

Calling the corrupt as honorable as someone with honor is actually an insult to the honorable. We put effort into being good people and maintaining our cities. Here in Detroit where it's segregated you can really tell just by looking at yard maintenance.

Why should I paint my house, replace siding, mow my grass regularly, if some religious tool will simply tell everyone that the other idiots who let their city rot are just as good as me?

No, I work hard to maintain my upper class image. I deserve to be able to use it!

Old-media contact info

[tepples]

Some people have a "Homepage" link at the top of each of their posts that points to old-media contact info.

Re:Anybody else think posting AC should be abolish

If you're juding the message by the source, you are generalizing. Perhaps that generalization beneifts you, but keep in mind that it's not always what you know that is most damaging, it's what you don't know. Heavy filtering based on assumptions of the message concoted by who originated it is something that can easily backfire.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Doesn't it require a valid e-mail address and confirmation first? It certainly used to.

Re:Anybody else think posting AC should be abolish

[Assmasher]

5 minutes is a lot of time for the people who go around spouting hatred and ugliness all over internet forums. This is why the don't register, because it's not worth the effort - especially when they get banned - especially if that ban is by IP.

US Department of Commerce

The United States Department of Commerce has been doing this for years.

If they devoted as much effort...

...to sanitation as to the myriad of silly, pissing contest undertakings they seem to have a penchant for, India would be a better, less stinky place.

Corruption is cultural

[tepples]

It's not the race as much as the culture. A culture that doesn't value honest dealings with outsiders will produce crooks. I lack the experience to name any names, so is there anything specific in the culture of India or the Jewish diaspora that might produce such dishonesty?

Re:Anybody else think posting AC should be abolish

[Desler]

No it's not.

Trust but Verify is broken

This is why I do not trust any CA's included in any browser, instead preferring to validate those few sites I actually use HTTPS with. The other advantage is that none of the god damn advertisers can use an https connection to pass on malware since the certs aren't trusted by me. Blocks em right at the source.

captcha=despised

Isn't it time we apply name constraints?

[Antibozo]

I think intermediate CA certificates issued to certificate vendors, ISPs, governments, should all have name constraints so that they can be used to sign only certificates for an appropriate part of the namespace.

http://tools.ietf.org/html/rfc...

Not a Problem with Mozilla-Based Applications

[DERoss]

This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.

The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.

To see the discussion, see https://bugzilla.mozilla.org/s....

Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!

All about trust

Re: "No one is going accept a cert from them again."

Really? I mean, at an administrative level, well some admins might kick up a fuss. Lots of others won't though.

At a personal level software regularly asks me if I want to "Accept all trusted certs" or "Just this cert". I've tried individual acceptances but it's slow and I never have any sound basis for rejecting one. Even the certs with problems, have you ever dealt with that? I get that all the time.

Most of the time cert problems are expired certs and how do you evaluate that? Most of the time it's just an admin who didn't renew in time. Or a name change. And the names, they are often terrible. And you never get any information beyond the internal system name. Where is the name and address of the applicant? How about an e-mail address and phone number? How about a reputational rating? How about a confidence level that the issuer has in the information? Something that human beings can understand? Anything??

I for one absolutely hate the user experience of the certificate system. It's profoundly broken.

[citation needed]

Pointer???

encryption

We gotta move to encryption that is free. Does not rely on a root server and which works between client and client. .

Like gpg or something or a new protocol to pass a connector the public key to which the connectee also gets the clients public key. Then the two start encrypted communication with no man in the middle and no need to pay a lick for a certificate.

And encryption should be standard and not optional .. To prevent signal eavesdropping .

Finally cables need quantum shielding as do CPUs, dram, bus, and even the human brain so nothing can be intercepted.

I hear too that you need a superconducting shield to deflect and block 100% of signals.. Prevent remote control and remote reading.

Kick them out

Kick them off the Internet. All of them. That's the only the appropriate punishment.