[Cryptography] Well, that only took ten years

Jerry Leichter leichter at lrw.com
Fri Aug 16 09:07:27 EDT 2019 

> Hundreds of CAs was wrong. Approximately one sensible
> CA also seems wrong to me.
No matter how good your CA, no matter what you do to secure the whole CA system, in the end your security is much more fundamentally dependent on your browser maker.  And there are way fewer browser makers out there than CA's.

It's all very nice that many of the browsers are partly, or even entirely, open source, but the fraction of the population who builds browsers from source is vanishingly small.  And even among that crew, browsers are immense, and immensely complicated, supporting tons of protocols and full of all kinds of strange "compatibility" hacks.  Every browser out there gets broken into regularly - and that's for attacks through the surface they intentionally open to the outside world, and thus intentionally strengthen as much as they can.  Stuff hidden in the implementation that leaks your keys under the right conditions?  It could stay there for years with no one noticing.

Browser makers ship an absurdly long list of "trusted CA's" because ... a browser without *some* list of "trusted CA's" is worthless.  The makers are effectively vouching for the CA's by including them - though they are very, very careful to disclaim any responsibility here, which is why they end up accepting pretty much anyone who claims to be a CA.

There's a common mistake in reasoning about security composition:  I don't want to rely on my browser maker for both the code and the certs - it's safer to split the responsibilities.  Splitting security, however, only works that way if  the multiple "splits" must cooperate to attack you.  Here, each can independently attack you.  You're more vulnerable than before.

In fact, as I've discussed on this list before, it would make sense to do away with the whole CA infrastructure (for most uses) by simply having the browser makers ship the actual public keys for, say, the top 100,000 sites.  Even taking the most expensive approach and assuming 4Kb (512B) RSA keys and doubling for overhead, that's 100MB of data, less the size of a typical web page these days!

                                                        -- Jerry

More information about the cryptography mailing list