[Cryptography] hard to trust all those root CAs

John Denker jsd at av8n.com
Sat Jul 19 17:03:24 EDT 2014


AFAICT, a lot of existing protocols were designed to resist
passive eavesdropping.  In contrast, the idea of large-scale 
MITM attacks was sometimes considered tin-foil-hat paranoia.
To this day, standard Ubuntu Firefox trusts 162 different
authorities (including the Hong Kong Post Office) to certify
/anything and everything/.

In the /usr/share/ca-certificates/mozilla directory, only one 
of 163 root certificates has any v3 Name Constraints at all.
Why Ubuntu and Firefox tolerate this is beyond me; I can 
understand trusting Microsoft to sign Microsoft-related stuff, 
but allowing them to sign /anything and everything/ ?!????!!

     Actually it's even worse than that, because people like
     Microsoft have been issuing subsidiary certificates with 
     unlimited power, so you don't even need to capture a root 
     CA;  all you need is one of the subsidiary certs.
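One way to reproduce the count above on your own trust store, as an added example that is not part of the original post: walk each PEM file's DER structure with the standard library alone and report which roots carry the X.509 v3 Name Constraints extension (OID 2.5.29.30). The directory path, the `.crt` glob and the `sample_cert` fixture are assumptions for illustration; the fixture is a constructed, certificate-shaped DER blob, not a real certificate.

```python
"""Audit a directory of PEM root certificates for the v3 Name Constraints extension.

Added example (not from the original post). Assumes one PEM certificate per
.crt file, as in /usr/share/ca-certificates/mozilla on Ubuntu. Standard library only.
"""
import base64
import pathlib
import re

NAME_CONSTRAINTS = bytes.fromhex("551d1e")   # DER content of OID 2.5.29.30
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # DER content of OID 2.5.29.19

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Extract the first PEM certificate block and base64-decode it to DER."""
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(b"".join(m.group(1).split()))


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    DER forbids indefinite lengths, so only definite short/long forms are handled."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def extension_oids(der):
    """Return the raw OID content bytes of every extension in a DER certificate."""
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]               # tbsCertificate is its first element
    oids = []
    for tag, value in _children(tbs):
        if tag == 0xA3:                       # [3] EXPLICIT Extensions
            _, ext_seq, _ = _tlv(value, 0)    # Extensions ::= SEQUENCE OF Extension
            for _, ext in _children(ext_seq):
                oid_tag, oid, _ = _tlv(ext, 0)  # Extension starts with extnID OID
                if oid_tag == 0x06:
                    oids.append(oid)
    return oids


def has_name_constraints(der):
    return NAME_CONSTRAINTS in extension_oids(der)


def audit(certs):
    """Map certificate name -> True if it carries Name Constraints."""
    return {name: has_name_constraints(der) for name, der in certs.items()}


def audit_directory(path):
    files = sorted(pathlib.Path(path).glob("*.crt"))
    return audit({p.name: pem_to_der(p.read_bytes()) for p in files})


# --- constructed fixture: certificate-shaped DER with only the fields the walker needs ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _extension(oid, critical, value):
    body = _der(0x06, oid) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, body + _der(0x04, value))


def sample_cert(with_name_constraints):
    """Constructed sample: version v3, serial 1, and an extensions block (no keys/signature)."""
    exts = _extension(BASIC_CONSTRAINTS, True, _der(0x30, _der(0x01, b"\xff")))  # cA=TRUE
    if with_name_constraints:
        # NameConstraints { permittedSubtrees [0] { GeneralSubtree { dNSName "example.com" } } }
        subtree = _der(0x30, _der(0x82, b"example.com"))
        exts += _extension(NAME_CONSTRAINTS, True, _der(0x30, _der(0xA0, subtree)))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0xA3, _der(0x30, exts))
    return _der(0x30, _der(0x30, tbs))


def sample_pem(with_name_constraints):
    b64 = base64.b64encode(sample_cert(with_name_constraints))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    result = audit_directory("/usr/share/ca-certificates/mozilla")  # assumed path
    constrained = [n for n, ok in result.items() if ok]
    print(f"{len(constrained)} of {len(result)} roots carry Name Constraints: {constrained}")
```

Run it against the bundle directory to get the "N of M" figure for your own system; any root that comes back `False` is one whose signing power is limited only by policy, not by the certificate itself.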

Forsooth, one would think that if these Authorities had any 
sense at all, they would voluntarily put constraints on their 
own certificates, just to make themselves less of a target.
Issuing an all-powerful cert is like walking through a bad 
neighborhood pushing a wheelbarrow full of cash.  If you 
carried less cash, you'd be less of a target.

Forged certs are a documented problem in the wild.  No tin-foil 
hat required:
     https://www.linshunghuang.com/papers/mitm.pdf

SSL "packet inspection" is an article of commerce.  The fact that
this is even remotely possible tells me that SSL fails to provide
the thing I most want it to provide.
  https://www.google.com/search?q=%22ssl+packet+inspection%22

That crunching noise you hear is the sound of dead canaries
underfoot.  We really need to take action to reduce exposure
on this issue.
