This is a poorly-researched comparison, because Windows downloads root certificates when they are first encountered (see http://support.microsoft.com/kb/931125).
"When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. "
This means that Microsoft can add a new root certificate to a user's system at will.
I'd argue that this is actually much less secure, given that by default a Windows machine has an unauditable list of root certs, which change based on what Microsoft supplies. That means that a third-party (let's say a government) can force Microsoft to add an arbitrary root cert to the list, and a user's machine will blindly accept certificates signed by it!
Of course the entire model is broken, if you are looking for un-crackable end-to-end security.
The updates are indeed very auditable. Any organization who chooses to selectively apply updates will not have new root certs appear out of channel.
Of course Microsoft needs to be able to update the root cert list. It has been used to remove certs as well (Diginotar). However, when they do so, it needs to be transparent. Windows Update is transparent. The very article you linked even goes into details about this.
Which means that your claim that "Microsoft can add a new root certificate to a user's system at will" is false. If you do not automatically install all updates or if you use WSUS, root certs will only be updated if you allow the update through.
The process outlined in your linked article describes how Windows will attempt to find and install the Windows Update package from the cert chain. This does NOT bypass the Windows Update mechanism; it merely looks for a package in the catalog with the root cert that was requested by following the chain.
[1] https://www.mozilla.org/en-US/about/governance/policies/secu...
[2] (PDF) http://download.microsoft.com/download/1/5/7/157B29AB-F890-4...
* ApplicationCA (Japan)
* China Internet Network Information Center EV Certificates Root (China)
From a Ctrl+F of [2], there's:
* ApplicationCA (Japan)
* FPKI Common Policy (US)
* China Internet Network Information Center EV Certificates Root (China)
The only odd one out seems to be DoD Root CA 2.
That cert was added as
https://bugzilla.mozilla.org/show_bug.cgi?id=476766
and the plea for removal
https://bugzilla.mozilla.org/show_bug.cgi?id=542689
Till now, the CNNIC CA cert is part of the builtin authorities bundled in Firefox.
CNNIC was a controversial organization not only because of its gov't background but also its involvement with an infamous malware years ago.
And I cannot get access to bugzilla.mozilla.org without using a secure proxy from China as 'Server aborted the SSL handshake'.
No, if they want to hack your SSL comms, they aren't going to do it by using a MITM attack backed by a government-issued root CA, they are going to do it by gaining access to a "neutral" CA (such as Verisign), and obtaining the root certificate's private key. Now you would have a much harder time of figuring out that something has gone wrong, but then, if you're paranoid of the government spying on you, and you are using a CA other than one you own yourself, you've already lost the battle.
Trust is a Hard Problem(tm) to solve. Without using Certificate Authorities that you don't personally know, it is difficult to create a sufficiently trusted network. I think the best attempt at a description of such a system that I have seen is in Cory Doctorow's "Little Brother" (http://craphound.com/littlebrother/download/), but even there it seems to me that there were numerous problems for scaling, or even just avoiding invaders.
All of which is to say that certificate-based technology coupled with CAs that you don't control is not a solution against state-level adversaries. Which in turn makes this entire article fear-mongering rather than a real discovery of a potential threat. In a more cynical mood, I might wonder about the author's motives: was this an attempt to distract away from the fact that the main CAs are not secure against state actors?
One nit to pick: obtaining Verisign's root CA key isn't enough to decrypt traffic over the wire. That would just allow Uncle Sam to issue fake certs that appear to be from Verisign. I think that savvy users might still notice that their cert looks different now (fingerprint, expiration, other details), and put the pieces together. Maybe you use a CA whose root key hasn't been obtained yet. I highly doubt the NSA or whomever would let a fake but validly signed cert into the wild where it can be captured and used to prove their capabilities once and for all.
They might use such a cert in a controlled environment where they are going to seize the target's system in a few minutes, I suppose. Instead, what they really need is either a way to break 2048-bit RSA (not inconceivable) or a way to get your real cert's private key.
To your point about trust and CAs: I don't think it's truly a matter of trust. Verisign, GlobalSign, Digicert, Entrust, et al. are all businesses. They are not inherently untrustworthy (nor trustworthy), they do what they must to be profitable and stay in business. It turns out that end user trust is substantially less important to that equation than remaining in compliance with the government of their host country.
I don't know how you solve that problem. The best thing about the early Internet was that, while heavily US-centric, it was often able to fly under the radar of government oversight and, to an extent, the rule of unpleasant laws. That's no longer possible. The Internet is a source of power and money, and now it has to contend with the oversight and regulation of thousands of governments doing what they do.
I think our industry needs to collectively move beyond "zomg CAs are pwned by governments". It's just unhelpful. Firstly there's no evidence it's true. A bogus cert would be strong evidence, documents from the Snowden archive talking about compromising CAs would be evidence... so far we have zilch.
But even if one day it does happen - what next? You end up down the "what if my CPU is backdoored" rabbit hole. Ultimately you have to ignore adversaries that have unlimited power and focus on the ones that do have limits. There's no other way to stay sane.
I think it's highly unlikely that they'd do that, as there's a chance that the fake certificate could be used as evidence against them later. A valid certificate for google.com signed by the US Govt CA would raise a few eyebrows.
If the NSA really wants to MitM you, it wouldn't surprise me if they had backdoor access to the real GeoTrust Global CA, either by bribery, National Security Letter or even "dark arts" that the real GeoTrust knows nothing about.
In other words the NSA could MITM the CA<->website connection and get themselves a cert issued in the regular manner.
However I do not believe they are doing this at any meaningful scale, and possibly not at all. It's clear from the Snowden archives that they focus almost exclusively on malware. That has a lot of advantages for them over creating fake SSL certs.
Also bear in mind that certificate transparency is a multi-year plan to prevent secret issuance of certificates. So there is effort being done to reveal such attacks even before they are happening. Not too shabby!
You've been sitting on common knowledge for some time? Research into what?
Sorry but this is a very well known issue with HTTPS that has been discussed in depth for the last few years, in particular with people suggesting alternatives and improvements to HTTPS (like certificate pinning, Convergence[0], etc).
The fact the author thinks they have found some type of unknown or smoking gun says more about the author than anything. I mean heck you can go back and find tons of examples of root CAs "mistakenly" generating fake certificates for things like Google or Windows Update. You can also read about entire countries being victim of it [1].
[0] http://convergence.io/ [1] http://www.bbc.com/news/technology-14789763
I don't think that's a very helpful way to look at it though. The PKI system has been around for 20 years, was designed to stop credit card theft, and we can sum up the number of times it's been seriously breached on the fingers of one hand.
Many other security systems have failure rates measured in percent, so I don't think it's doing so badly.
https://github.com/okTurtles/dnschain/blob/master/docs/Compa...
Of course, a MITM attacker would just strip all certificates and send only theirs along, so you have to have a way to enforce multiple signatures from different blocks. Maybe a httpss url scheme or something.
[1] Something like: http://security.stackexchange.com/questions/6926/multiple-ca...
It remains to be seen if it actually makes an impact upon launch. It certainly can't replace all the types of certs in use today.
Your browser blindly trusts a list of a few hundred CA's, any of which can impersonate any SSL site you visit at any time (except for the chosen few that use certificate pinning)
Many of the biggest CA's (e.g. Verisign) are under government control.
The browsers could start not trusting those CAs, and not allowing them to impersonate any SSL site you visit, and they are making steps towards this with measures like pinning aren't they?
Measures like that just need to be made the default, and if companies want the ability to MITM they should have to adjust settings to make that happen, but consumers should not be vulnerable to that by default and browser vendors could work towards that future. At least people are now more aware of these issues, and that a green lock really doesn't signify much if a government takes an interest in your communications.
Pinning is an unscalable hack around the core problem.
What would really help in this would be to know if any of these CAs have signed certificates for popular websites. Rightly or wrongly, I'd trust a CA who has certificates in active use by many sites over an obscure foreign (or not?) government CA who doesn't seem to sign any certificates that I'd normally interact with. After all, if suddenly one day ycombinator.com's site appears to be now signed by an obscure CA, I should probably be worried.
So, is there any way to map a given CA to the subset of the top 1000/10000/whatever number of websites that have certificates signed by it? Surely some webcrawlers must have indexed a large number of site certificates and have the data to build such a database.
A more practical approach: Disable all root certificates, then enable them one by one as you are getting browser warnings.
However, in any case, there are already so many CAs that I am wondering what is preventing governments from forcing one of them to provide a fake certificate that suits their needs for national security reasons...
Also I find it highly unlikely that these certificates get abused:
- Those certificates are from other branches of the government. They won't like the NSA abusing their certificates.
- When abuse of these signatures gets detected it would be a big scandal. It's much easier and stealthier to steal the keys of an intermediate CA.
There is also (at least one) a project that tracks changes in trust stores in OSes, Java and browsers:
(I am one of the authors.)
If band-aid is what we got before the system is fixed, then that is what we can use.
It's a choice that users must make, not the OS. I don't blame computer manufacturers for adding these certs to their systems, they try to make browsing as easy as it gets. Theoretically speaking, the government is your friend. Practically speaking, if you're into any business that requires extra security, you need to take control of your OS at a much deeper level, which probably means running something Open Source and manually checking the certificates that came along with your system and your browsers.
Pull requests welcome. Don't run unless you know what you're doing, YMMV etc....
Why couldn't the browser issue a warning whenever the root CA for a known domain has changed compared to previous browsing sessions? I suppose MITM attacks are targeted and probably depend on the network you're using. If there's a difference between the root certificate for google.com when surfing with your laptop at home or from the office, then there's probably something wrong.
It's a bit similar to what ssh is doing with cert/ip associations.
Both TACK and HPKP are mechanisms for doing public key pinning for individual websites.
These mechanisms are similar to how SSH uses a known_hosts file to store the fingerprints of public keys it encounters on a "Trust-On-First-Use" ("TOFU") basis.
The problem with these mechanisms is:
* They don't protect on first visit.
* They break websites when the public key needs to legitimately change.
* In the case of TACK, the TACK public key needs to change very frequently (at least every 30 days). This defeats the purpose of pinning, as a MITM does not need to wait long before they can present a fraudulent key that the user has no way to know is legitimate.
* These mechanisms assume that client software has its current time set properly, and they break when that's not true.
While DNSChain does use public key pinning, it doesn't have these problems because there is only one pin that is ever required: the pin to DNSChain itself, which is easily verified once only at setup.
[1] https://github.com/okTurtles/dnschain/blob/master/docs/Compa...
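To make both the "warn when the root changes between sessions" idea and the TOFU weaknesses listed above concrete, here is an added Python example (not code from the thread, CertPatrol, TACK, HPKP or DNSChain). It stands in for real certificates with constructed byte strings, hashes the chain's root as the pin, and assumes an illustrative 30-day pin lifetime of the kind TACK imposes.

```python
# Added example: a minimal trust-on-first-use (TOFU) pin store in the spirit of
# a known_hosts file or CertPatrol. It pins the root CA seen on the first visit
# to a host and flags later chains anchored by a different root. The walk-through
# in demo() also shows the weaknesses: blind first visit, false alarm on a
# legitimate CA change, and a clock-dependent pin lifetime that re-pins blindly.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256

PIN_LIFETIME = timedelta(days=30)  # assumption: TACK-style maximum pin age


@dataclass
class Pin:
    root_fp: str          # fingerprint of the root certificate seen
    pinned_at: datetime   # when it was pinned (needs a correct clock)


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)

    def check(self, host, chain, now):
        """Return (verdict, root_fp); chain[-1] is the root certificate bytes."""
        root_fp = sha256(chain[-1]).hexdigest()[:16]
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = Pin(root_fp, now)    # TOFU gap: nothing to compare
            return "first-visit", root_fp
        if now - pin.pinned_at > PIN_LIFETIME:
            self.pins[host] = Pin(root_fp, now)    # aged out: re-pin without warning
            return "expired", root_fp
        if root_fp != pin.root_fp:
            return "CHANGED", root_fp              # root differs from earlier sessions
        return "ok", root_fp


def demo():
    """Constructed visits to one host; returns the verdict for each."""
    store = PinStore()
    t0 = datetime(2014, 11, 1)
    leaf = b"CONSTRUCTED: example.org leaf certificate"
    home_root = b"CONSTRUCTED: root CA seen at home"
    odd_root = b"CONSTRUCTED: unrelated root CA seen on a hostile network"
    new_root = b"CONSTRUCTED: new root CA after a legitimate CA change"
    verdicts = []
    # 1: first visit is accepted blindly, good or bad
    verdicts.append(store.check("example.org", [leaf, home_root], t0)[0])
    # 2: same root from the office, nothing to report
    verdicts.append(store.check("example.org", [leaf, home_root], t0 + timedelta(days=1))[0])
    # 3: chain anchored by a different root: the warning the comment asks for
    verdicts.append(store.check("example.org", [leaf, odd_root], t0 + timedelta(days=2))[0])
    # 4: site legitimately moved to a new CA: indistinguishable from case 3
    verdicts.append(store.check("example.org", [leaf, new_root], t0 + timedelta(days=3))[0])
    # 5: after the pin lifetime the odd root is re-pinned silently (TACK problem)
    verdicts.append(store.check("example.org", [leaf, odd_root], t0 + timedelta(days=40))[0])
    return verdicts
```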
Does exactly that.
For Firefox, use CertPatrol:
• https://addons.mozilla.org/en-US/firefox/addon/certificate-p...
Also, a few websites are starting to use DNSSEC with TLSA and DANE. There's also a Firefox plugin for that at https://www.dnssec-validator.cz/
User: Why should I trust this root CA to secure this domain?
Domain Owner: How can I specify which root CA should be trusted to secure this domain?
If neither of these parties are significantly involved in the trust decision, how can it be said that trust has been established at all?
Most pinning implementations seem to either delegate the trust to someone else (browsers, OS, libraries, etc.) or blindly trust the information presented in the first encounter. This is no different than the historical model. There's nothing preventing any application from presenting a warning when a known certificate changes or a new one is encountered, so what does pinning offer other than extra complexity?
Locally cached relationships aren't any more viable than using an /etc/hosts file for the whole Internet (and pose additional privacy concerns). Leveraging DNS is a worthy goal, but if it was secure enough for this purpose, it would eliminate the need for pinning because a domain owner could confidently present its public key via DNS.
I believe in defense in depth, and this work is important, but we seem to be making little progress in solving the fundamental problem of establishing trust. Maybe it's as unsolvable on the Internet as it is in the real world.
1. An attacker can't MITM everything, all the time. Perhaps he can, but it would create unwanted attention
2. Thus, a visitor will usually not be a victim of MITM during her visits
3. When an attack occurs, the certificate pinning will make it visible.
Ok, I know why. But it's infuriating to watch the U.S. Government throw its weight around in other countries under the guise of spreading democracy or "cooperation", but then operating like a totalitarian police state anywhere it sees fit.
It's not O.K. that Americans get a better deal than everyone else when it comes to privacy and security. Especially not when the U.S. government acts like the World Government in real terms.
I really don't have a problem with the U.S. running things. I have a problem with the U.S. running things for the exclusive benefit of America... whatever America is these days. It's certainly not the American people anymore.
EDIT to add, I'm not attacking your comment by the way. I'm jumping on the "illegal to spy on American citizens" bit, which we also know is untrue in real life.
Do you really believe somebody will go to trial if they are caught spying on American citizens?
I know Snowden isn't in jail, but it isn't for lack of trying or will from the USG, only because they couldn't get their hands on him.
And to be honest, who really cares. Countries increasingly are mandating invasive spying through legislation. Arguing over CAs is like rearranging deckchairs on the Titanic.
Sure, the CA system should be replaced altogether, but that's going to take quite some time. In the mean time I think the idea I mentioned could be useful to avoid invisible man-in-the-middle attacks by the CAs. It only requires work by the browser developers, while changing from CAs to something else will take a major effort by everyone who's running a part of the web.
https://www.imperialviolet.org/2011/05/04/pinning.html
However then you get to the same market issue that allowed the whole Superfish and related debacles -- Enterprises require the ability to self-CA everyone else given that they demand the right to MITM.
Windows 7 was released 5 years ago. Might be more relevant to compare to Windows 10 given that Yosemite is updated quite regularly.