[Cryptography] hard to trust all those root CAs
John Denker
jsd at av8n.com
Sat Jul 19 17:03:24 EDT 2014
AFAICT, a lot of existing protocols were designed to resist
passive eavesdropping. In contrast, the idea of large-scale
MITM attacks was sometimes considered tin-foil-hat paranoia.
To this day, standard Ubuntu Firefox trusts 162 different
authorities (including the Hong Kong Post Office) to certify
/anything and everything/.

In the /usr/share/ca-certificates/mozilla directory, only one
of 163 root certificates has any v3 Name Constraints at all.
Why Ubuntu and Firefox tolerate this is beyond me; I can
understand trusting Microsoft to sign Microsoft-related stuff,
but allowing them to sign /anything and everything/ ?!????!!

Actually it's even worse than that, because people like
Microsoft have been issuing subsidiary certificates with
unlimited power, so you don't even need to capture a root
CA; all you need is one of the subsidiary certs.

Forsooth, one would think that if these Authorities had any
sense at all, they would voluntarily put constraints on their
own certificates, just to make themselves less of a target.
Issuing an all-powerful cert is like walking through a bad
neighborhood pushing a wheelbarrow full of cash. If you
carried less cash, you'd be less of a target.

Forged certs are a documented problem in the wild. No tin-foil
hat required:
https://www.linshunghuang.com/papers/mitm.pdf

SSL "packet inspection" is an article of commerce. The fact that
this is even remotely possible tells me that SSL fails to provide
the thing I most want it to provide.
https://www.google.com/search?q=%22ssl+packet+inspection%22

That crunching noise you hear is the sound of dead canaries
underfoot. We really need to take action to reduce exposure
on this issue.
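The count the post reports for /usr/share/ca-certificates/mozilla (how many roots carry any v3 Name Constraints) is easy to reproduce. The script below is an added example, not code from the post or from the Ubuntu/Mozilla bundle: it walks each certificate's DER in pure Python, so it runs without OpenSSL or python-cryptography, and reports every certificate whose extensions include id-ce-nameConstraints (OID 2.5.29.30) together with its critical flag. Only the directory path comes from the post; the .crt/.pem filename filter, the minimal DER walker, and the constructed sample certificate (a skeletal TBSCertificate with no key or signature, used only to exercise the scanner) are assumptions of this example.

```python
# Added example, not from the post: count the certificates in a CA bundle that
# carry nameConstraints. Pure-Python DER walking; only the default path is the
# post's. The sample certificate at the bottom is constructed, not real.
import base64, os, re, sys

ID_CE = "2.5.29."               # id-ce arc: standard X.509v3 extensions
NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints (RFC 5280 4.2.1.10)
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(data):
    """DER bodies of every CERTIFICATE block in a PEM file (bundles included)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, constructed, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form does not occur in X.509")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length: not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, constructed, inner, pos = _tlv(value, pos)
        yield tag, constructed, inner

def _decode_oid(value):
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:                      # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extensions(der):
    """extnID -> critical flag for every id-ce Extension in a DER certificate.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }: descend every constructed node, stop at a SEQUENCE
    whose first child is an id-ce OID. extnValue is a primitive OCTET STRING,
    so nothing nested inside it can be mistaken for an Extension."""
    found = {}
    def walk(value):
        kids = list(_children(value))
        if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][2]).startswith(ID_CE):
            found[_decode_oid(kids[0][2])] = (
                len(kids) == 3 and kids[1][0] == 0x01 and kids[1][2] == b"\xff")
            return
        for _, constructed, inner in kids:
            if constructed:
                walk(inner)
    walk(der)
    return found

def has_name_constraints(der):
    """(present, critical); RFC 5280 says conforming CAs MUST mark it critical."""
    exts = extensions(der)
    return NAME_CONSTRAINTS in exts, exts.get(NAME_CONSTRAINTS, False)

def scan_directory(path):
    """[(file, present, critical)] for every certificate in *.crt / *.pem files."""
    results = []
    for name in sorted(os.listdir(path)):
        if name.endswith((".crt", ".pem")):
            with open(os.path.join(path, name), "rb") as fh:
                data = fh.read()
            for der in (pem_to_der(data) if b"-----BEGIN" in data else [data]):
                results.append((name,) + has_name_constraints(der))
    return results

# Constructed test input (not a real certificate): version, serial and an
# extensions block only. Lengths and OID arcs stay below 128, which is all
# this tiny encoder handles.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def _oid(text):
    arcs = [int(a) for a in text.split(".")]
    return _der(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

def sample_certificate(constrained):
    """constrained=True adds a critical nameConstraints permitting only
    dNSName .example.com; otherwise the cert carries basicConstraints alone."""
    exts = [_der(0x30, _oid("2.5.29.19"), _der(0x01, b"\xff"),
                 _der(0x04, _der(0x30, _der(0x01, b"\xff"))))]
    if constrained:
        subtree = _der(0x30, _der(0x82, b".example.com"))   # GeneralSubtree
        nc = _der(0x30, _der(0xA0, subtree))                 # permittedSubtrees [0]
        exts.append(_der(0x30, _oid(NAME_CONSTRAINTS), _der(0x01, b"\xff"), _der(0x04, nc)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0xA3, _der(0x30, *exts)))
    return _der(0x30, tbs)

if __name__ == "__main__":
    res = scan_directory(sys.argv[1] if len(sys.argv) > 1 else "/usr/share/ca-certificates/mozilla")
    print(f"{sum(1 for r in res if r[1])} of {len(res)} certificates carry nameConstraints:",
          *[n for n, present, _ in res if present])
```

Run it with the bundle directory as the only argument. Two caveats a practitioner would add: the scanner reports whether the extension is present and critical, but a constraint only helps if the verifying client actually enforces it, and RFC 5280 requires a client that cannot process a critical extension to reject the certificate rather than ignore it. Second, a root store only shows the roots; the post's point about all-powerful subsidiary certificates means the same check belongs on intermediates too, and has_name_constraints works on any DER or PEM certificate, not just the ones in the bundle.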