[Cryptography] hard to trust all those root CAs

Jerry Leichter leichter at lrw.com
Sat Jul 19 18:07:50 EDT 2014


On Jul 19, 2014, at 5:28 PM, Lodewijk andré de la porte <l at odewijk.nl> wrote:

> 2014-07-19 23:03 GMT+02:00 John Denker <jsd at av8n.com>:
> (including the Hong Kong Post Office)
> 
> So far these people have been very reliable for me.
> 
> But, more seriously, nobody thinks SSL is a reasonable way to secure the web. It's just the best people could think of.... 
> 
> But, ultimately, a much better way is still unfound or unproduced.
Better approaches are known and even implemented.

The biggest cause of insecurity in SSL is the insistence of various elements of the system that they must be allowed broad freedom of action and damn the consequences to the security of everyone else.  The reason there are so many trusted CAs is that we can't have some random browser maker deciding that a Chinese CA isn't trustworthy - that violates Chinese sovereignty.  (That a Chinese dissident might have very strong feelings on this matter is just too bad.)

In theory, we could have different "trusted CA list" distributions; but in practice, this is first hard to implement because the browser makers have made it complicated to change the lists.  Beyond that, it runs into the freedom of action reserved to those who run the big sites:  They can pick any CA they like.  Not only can they pick one, but they insist on the right to pick multiple CAs, or to switch CAs whenever they feel like it.

One "fix" for this is certificate pinning:  Providing a way for a site to announce via a secondary channel that it will always use a cert signed by a particular CA (or even a particular cert).  This gives away the site's freedom to switch things when it feels like it, but short-circuits the entire CA trust scheme.  Chrome does this - it has a built-in set of "pinned" certificates for Google sites, and I think a few others.  I don't know if any other browser has implemented this.  If the top 500 sites had their certificates pinned in all the widely used browsers, most potential MITM attacks would be blunted.  (Of course, all the users of MITM'ing packet inspectors would scream bloody murder.)
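The pinning check described above, written out as an added example (not code from the post or from any browser): a site publishes SHA-256 pins of the SubjectPublicKeyInfo of keys it will use, including a backup key, and the client accepts a chain only if some certificate in it carries a pinned key. The byte strings standing in for DER-encoded SPKIs, the host name `example.test`, and the function names are constructed for the example.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each
# certificate in a presented chain (leaf first). Real pins are computed over
# the SPKI of actual certificates; these byte strings are placeholders.
LEAF_SPKI = b"constructed-leaf-spki-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki-der"
ROOT_SPKI = b"constructed-root-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"   # key held offline, never yet used
OTHER_CA_SPKI = b"constructed-unrelated-ca-spki-der"  # some CA not in the pin set


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the HPKP style: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# What a site operator would announce out of band: the intermediate CA key it
# uses today plus a backup pin, so that rotating to the backup key does not
# lock its own users out.
PIN_SET = {
    "example.test": {spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)},
}


def chain_matches_pins(host: str, chain_spkis: list[bytes], pins=PIN_SET):
    """Return True if any certificate in the chain carries a pinned key,
    False if the host is pinned but nothing matches, and None when the host
    has no pins at all (ordinary CA validation then decides on its own)."""
    pinned = pins.get(host)
    if pinned is None:
        return None
    # Any cert in the chain may satisfy the pin: the site can pin its own
    # key, its intermediate, or its root, whichever it expects to be stable.
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


if __name__ == "__main__":
    legit = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    # A chain that validates under some trusted CA the site never chose;
    # this is what an interception proxy or a mis-issued cert looks like.
    foreign = [b"constructed-other-leaf-spki-der", OTHER_CA_SPKI, ROOT_SPKI]
    print("legitimate chain:", chain_matches_pins("example.test", legit))
    print("chain from unpinned CA:", chain_matches_pins("example.test", foreign))
    print("unpinned host:", chain_matches_pins("other.test", legit))
```

The pin check runs in addition to, not instead of, normal chain validation: a chain that is pinned but otherwise invalid still fails. The backup pin is the part operators most often forget, and without it a key rotation bricks the site for every client that cached the pins.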

A broader technique is to cross-check certificates seen by different users at different times.  Certificates thus have an additional trust measure:  The longer they've been around, and the more people scattered around the world who've seen them, the more trustworthy they are.  MITM attacks have to be running around the world for long periods of time to pass this kind of validation.  (Or, of course, someone could attack the database.)  This approach is even stronger when sites monitor the public database and make sure no certs they don't own show for their own URLs.  The Perspectives project is one effort in this direction.
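The multi-observer check described above, as an added example rather than Perspectives' own code: a set of notaries at different vantage points records which certificate fingerprint each saw for a host and for how long, and a client accepts a presented key only if enough notaries currently see it and it has been around long enough. The second function is the site-side check, flagging any key in the notary history that the operator does not own. The notary names, dates, quorum and duration thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    notary: str        # which vantage point reported this
    fingerprint: str   # SHA-256 of the certificate, hex
    first_seen: date
    last_seen: date


# Constructed fingerprints for the example.
CURRENT_KEY = "aa" * 32
OLD_KEY = "bb" * 32
SUSPECT_KEY = "cc" * 32

# Constructed notary history for one host: three notaries have seen the
# current key for over a year; one notary reports a different key, today only.
HISTORY = [
    Observation("notary-eu", OLD_KEY, date(2012, 1, 10), date(2013, 6, 1)),
    Observation("notary-eu", CURRENT_KEY, date(2013, 6, 2), date(2014, 7, 19)),
    Observation("notary-us", CURRENT_KEY, date(2013, 6, 3), date(2014, 7, 19)),
    Observation("notary-asia", CURRENT_KEY, date(2013, 6, 5), date(2014, 7, 18)),
    Observation("notary-other", SUSPECT_KEY, date(2014, 7, 19), date(2014, 7, 19)),
]


def evaluate(presented_fp, history, today, quorum=3, min_days=30, recent_days=7):
    """Client-side decision: (accept, reason) for the key the server just sent.

    A key passes only if at least `quorum` notaries have seen it within the
    last `recent_days`, and at least one notary has watched it for `min_days`.
    A MITM key therefore has to be visible from many vantage points for a long
    time before clients will trust it."""
    seen = [o for o in history if o.fingerprint == presented_fp]
    if not seen:
        return False, "key never seen by any notary"
    current = {o.notary for o in seen if (today - o.last_seen).days <= recent_days}
    if len(current) < quorum:
        return False, f"only {len(current)} notaries currently see this key (need {quorum})"
    longest = max((o.last_seen - o.first_seen).days for o in seen)
    if longest < min_days:
        return False, f"key observed for only {longest} days (need {min_days})"
    return True, f"{len(current)} notaries agree, observed for {longest} days"


def unexpected_keys(history, owned_fps):
    """Site-side monitoring: fingerprints the notaries report for this host
    that the operator does not recognise as its own (past or present)."""
    return {o.fingerprint for o in history if o.fingerprint not in owned_fps}


if __name__ == "__main__":
    today = date(2014, 7, 19)
    for label, fp in [("current", CURRENT_KEY), ("suspect", SUSPECT_KEY), ("old", OLD_KEY)]:
        print(label, evaluate(fp, HISTORY, today))
    print("keys the operator did not issue:", unexpected_keys(HISTORY, {CURRENT_KEY, OLD_KEY}))
```

The thresholds are policy, not protocol: a stricter quorum catches a narrower interception but also rejects legitimate sites right after a key rotation, which is why the old key stays in the history and why the operator-side check matters as much as the client-side one.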

Of course, to *really* work, these techniques must be implemented in commonly used browsers in a way that's pretty much invisible to users.  As with pretty much everything in crypto, the human interface/usability aspects trump all the technical issues.  And there will be pushback - as there was, for example, from schools when Google went all-SSL for searches.

                                                        -- Jerry
