[Cryptography] distrusted root CA: WoSign

Jerry Leichter leichter at lrw.com
Sat Oct 1 15:39:15 EDT 2016


>> In general, why do we put up with this?  Why, why, why?
> 
> Because we have no choice.  What are you going to do in order to opt out, stop
> using the web?  It's a totally captive market.
It goes even further than that.  Suppose you want to provide a secure connection between a couple of endpoints, all of which you own.  Unless you want to roll your own software, you have two widely-accepted choices for secure connections:  SSH and SSL.  SSH *as a library* is a fairly unusual thing.  There are a couple of implementations to be had, but you'd find yourself justifying the choice, and it's not clear how the configuration works.

SSL libraries, on the other hand, are almost universal - and come with Java and other common frameworks because they are needed for HTTPS.  So SSL has become pretty much the standard as a secure channel.  Which in and of itself isn't a bad thing - it's a very closely studied protocol, and likely becoming as secure as any library you're likely to find.

But ... buying into SSL requires buying into certificates.  While I believe it's *possible* to use pre-shared keys with SSL, it's not a common or well-understood configuration.  And besides, every security audit your code then has to go through will assume you're using certificates - because SSL needs them, right?  And who will you get to sign your certificates?  Suppose you're selling a system that will be installed as a bunch of communicating processes, which need to authenticate to each other.  Are you going to ask your customer to go to his CA to get signed certificates for each process?  Not a good customer experience.

Here's the reality for managing the infrastructure of large data centers - something I have to deal with every day.  They generally have HTTP/HTTPS protocols.  When you use HTTPS, they pretty universally have self-signed certificates.  Changing this is extremely difficult:  These things are almost always on an isolated, non-routed network (almost always net 10), and often have no DNS.  Good luck getting a cert for 10.0.5.10.  (And would you trust anyone who would give you one?)  Most of the vendors don't even try to give you the option.  (One large vendor, after multiple complaints from customers about the self-signed certs, provided a mechanism to have a CA sign the certs - but the CA had to be the managed system itself!)

For all its problems in the domain for which it was originally intended, the CA design is a disaster in other settings.

What I would *really* want to do - if I have to use SSL, and anything else raises so many issues with security auditors it's rarely worth the effort - is to use a self-signed cert and then use certificate pinning to ensure that exactly that cert is the only one that will ever be accepted.  In other words, turn the certificate into a pre-shared key.  But I don't even know of any SSL implementation that supports certificate pinning - it's an extension implemented by some browsers.

> Note that things are run by the CA/Browser forum, not the CA/Browser/web site
> operator/end user/customer forum.  The only people with a say in things are
> the ones who are making money off the whole racket, and they aren't going to
> do anything to change the status quo.
In terms of raw numbers of people affected, browsers and their users would certainly be the largest clients of SSL.  But it's become a standard way beyond the Web/browser domain - and the needs of other users are pretty much ignored.

                                                        -- Jerry
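The "self-signed cert plus pinning, so the certificate acts as a pre-shared key" scheme described in the message above, as an added illustration that is not part of the original post: the client disables CA chain validation (there is no CA to trust) and instead accepts the peer only if the SHA-256 fingerprint of its DER certificate equals a pin distributed out of band. The pin value, host and port below are placeholders, and the Python `ssl` module is used only to show the mechanics.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: replace with the SHA-256 of the DER-encoded
# self-signed certificate generated for the peer and distributed out of band.
PINNED_SHA256 = bytes.fromhex("00" * 32)


def cert_fingerprint(der_cert: bytes) -> bytes:
    """SHA-256 over the DER encoding of the whole certificate."""
    return hashlib.sha256(der_cert).digest()


def cert_matches_pin(der_cert: bytes, pin: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pin)


def pinned_context() -> ssl.SSLContext:
    """TLS client context for a self-signed peer: the pin, not a CA, is the root of trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int, pin: bytes = PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches the pin.

    The handshake completes first (we need the peer's certificate), then the
    connection is torn down before any application data if the pin does not match.
    """
    raw = socket.create_connection((host, port), timeout=10)
    tls = pinned_context().wrap_socket(raw, server_hostname=host)  # server_hostname only sets SNI
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, pin):
        tls.close()
        raise ssl.SSLError("peer certificate does not match pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Placeholder endpoint; an address on the isolated management network would go here.
    with connect_pinned("10.0.5.10", 443) as conn:
        print("pinned connection established, cipher:", conn.cipher())
```

Rotating the peer's certificate means shipping a new pin to every client, which is the same key-distribution problem a pre-shared key has.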