TLS certificate research

This page presents research about certificate authorities, resellers and the evil they embody

The state of X.509 Certificate Authorities is dismal. This is why, years ago, Riseup was part of an effort with other groups to research the possibility of creating our own CA (Certificate Authority), we called it the CAA (Certificate Anti-Authority), because we didn’t believe that we could trust any of the ones that exist out there. Doing some research in the last few days hasn’t given me much more hope.

What is the problem?

TLS certificates means “security”, the traffic is encrypted, right? Yes it does, but what if the proper authorities decide that they want to snoop our traffic, can they do that if we are encrypting things over TLS?

An attacker with government resources can generate a new certificate that looks like yours and employ a man-in-the middle attack to read all your TLS traffic.

It would work like this:

  1. Obtain a fake certificate. This could be done by requiring the Certificate Authority who issued your SSL certificate to issue another one with your information. A much more likely scenario is that they simply require a different CA to issue a certificate with your information. If the user’s browser connects to a website and is fed this fake certificate, they will be none the wiser unless they are manually checking the fingerprint (which no one will actually ever do).
  2. The attacker then installs a proxy somewhere upstream, using this “replacement” certificate for your server. This proxy is installed between you and the internet, or the target, and the target is presented with the fake certificate instead of yours. With the key in-hand, the attacker can decrypt all encrypted traffic that travels the wire.

To have faith in your TLS certificate, you need to trust the following government:

  • United States: verisign, aol, wells fargo, comodo, entrust, equifax, gte, starfieldtech, godaddy, visa, valicert.
  • Hungry: netlock
  • Taiwan: ‘government root certificate’
  • Spain: IPS
  • Israel: StartCom
  • Bermuda: QuoVadis
  • Netherlands: TDC

These are all in firefox by default.

How do we discourage this kind of warrantless wire-tapping?

dkg wrote a great piece on this very problem, not only does he illuminate clearly for a non-technical audience the problems involved, but he also has some interesting suggestions for ways that the architecture and protocols can be tweaked just a little bit to change the situation so that this problem will no longer exist.

Another option is to write a firefox plugin that will notify the user if the fingerprint of a certificate has changed. Even better, we should have a way of using a GPG key to sign the fingerprint. Maybe the plugin could request /fingerprint.txt which would return the signed fingerprint. If it is not signed by a trusted GPG key, then a little popup warns the user.

There has been a lot of lamenting how TLS is tied to a trusted authority system of security, but there are cases where you don’t trust the authority. The root certificates for dozens of CAs are installed by default in the web browser: all it takes is one of those companies (or one of those governments where the companies are located) to compromise all your security.

A firefox plugin that checked the fingerprint could be a backwards compatible way to add a network of trust layer on top of the authority layer.

What are our requirements?

  1. Not a Verisign company
  2. Not incredibly expensive
  3. Doesn’t require users to import certificate root
  4. Supported in browsers/email clients

There is a list of CAs that are in Mozilla, I’ve gone through this list to try and do some research on the different options. Dmoz.org also has a list of certificate authorities.

The ones that I have found so far that are non-Verisign origin certificates are: digicert, comodo, identrust, godaddy, entrust, and ipsCA.

A friend of mine said that Entrust is to be avoided: their software being horrible, and they act like a big bureaucratic, inefficient organization with tons of money who thinks its thinks it’s a good idea to send 19 salesmen to one meeting.

Here is a breakdown of certificate authority market share

Possible CAs

Identrust

Seems to be closely associated to the US Department of Defense, thats not very exciting. Plus their certificates are about $200/yr

ipsCA

based out of: madrid spain
browser coverage: all
cost: $38/year, three month free trial.
type: not sure if root or chained.

ipsCA is a subsidiary of company of IPS, whose root certificate (IPS SERVIDORES) is present in Microsoft products since 1999, and in other internet products from other vendors. Our root certificate was incorporated into Internet Explorer 5.01, Mozilla and Firefox 1.0 which means that is present in more than 98% of today’s browsers. Microsoft bundles our root in IE, W2000,W2003, XP, WME and NT4 SP6.0.

certs.ipsca.com

Comodo

Uses a chained root certificates, which means they don’t own their CA, but thats not a problem, its apparently only more complicated to install the certificate on the server-side itself. Comodo’s root CA is BeTrusted. There are some cheaper Comodo certs. en.wikipedia.org/wiki/Comodo_Group

Sources for comodo certs: www.instantssl.com

Digicert

Also a chained root cert, expensive.

GoDaddy

Caves quickly into foreign legal threat, and is owned by a Marine conservative who made his money in domain squatting. GoDaddy’s registration terms of Service actually say that “You can lose your registration for embarrassing someone”, awesome. Clearly we can’t count on them to stay out of legal battles that other registrars would ignore. Instead, they’ll likely kill our registration, and expect to be patted on the back for being good citizens. In fact if they pull your registration, they require a $200 fee and a written apology!

There is a pretty good anti-godaddy page with a lot of information about why you shouldn’t use godaddy.

Staat der Nederlanden

Their CA root is included in Mozilla. I dont know anything about them, but it seems to be created by the Dutch Ministry of the Interior and Kingdom Relations. What is that? They seem to be managed by GBO.Overheid which is Government wide Shared Service Organisation for ICT for the Netherlands… Considering this is the Dutch State and that the Ministerie Van Binnenlandse Zaken En Koninkrijksrelaties is the Dutch Home Office and the Dutch National Intelligence Agency (AIVD) falls under them, I don’t think this is a very good option.

Swisscom

Their CA is also in Mozilla products, I’m trying to find out if they provide certificates to anything but Swiss organizations, it does say in their CPS:

Section 6. Swisscom appears to provide a service relevant to Mozilla users: It is a public CA issuing certificates to persons and organizations in Switzerland

Although Switzerland’s Cantons enjoy a remarkable amount of autonomy, I’m somewhat skeptical of them as they initiated a seizure of an Indymedia server located in the UK. Swisscom to switzerland is like at&t to the USA, and AT&T is currently engaged in warrantless wiretapping, and lobbying the government for immunity in case this turns out to be massively illegal (it is). I also cannot find how you request a certificate from Swisscom or one of their approved RAs.

Startcom

These guys look interesting. They are a Free Software/Linux organization that is based in Israel. Their Certificate Root is in Mozilla Products. They seem to provide free certificates, for basic authentication, however we need the Class-2 certificates that they provide and those require paying $20 for validation. The validation is a little sketchy, its done through a reseller, which is just an Ebay store, because Paypal screwed them over (Paypal is owned by a mega-conservative). Something peculiar is that their CA root is not in Internet Explorer, or Opera, but they are in the Safari, and Firefox, and others. Their list of supported browsers tells all.

I like Startcom’s angle on things, and I like the idea of supporting an organization that takes Free/Open source software seriously. For some reason, I really like this option, I get a good feeling about them (and its not just the secret doors that they describe in their Certificate Authority Policy),maybe the fact that they are in Israel and the reseller is a sketchy Ebay thing makes me somehow feel better about them not being in cahoots with the spooks, or at least somewhat real people. All of our users need to install the CACert root certificate now, if we use Startcom only IE and Opera users would have to do this, and Firefox/Thunderbird people wouldn’t have to. This seems like a win to me as we should be promoting Firefox and people like Frontline Defenders are telling people to use that. It somewhat violates the two criteria, “Doesn’t require users to import certificate root” and “Supported in browsers/email clients”, but its a step up from what we have now.

QualitySSL

www.qualityssl.com/en/products/ssl-cert...

Denmark, $150/year

AffirmTrust

AffirmTrustis also offering free certificates, just like StartSSL (Startcom), but it offers something better: three-year domain validated SSL certificiates. AffirmTrust announced its launch on the same day as the StartSSL security breach.

 

Thanks for the access to the page. This is an interesting rundown, though the situation as it stands still seems pretty bad to me. I recently found RapidSSL while looking for a cheap CA (if you can’t find a good CA…). It would be worth reviewing RapidSSL with the same criteria and thoroughness that’s been used on this page for others.

I really like the idea for the firefox plugin that operates at the http level (with a well-known filename on the host). i wonder if the FireGPG plugin folks would be interested in taking that on. They’ve already done the heavy lifting of integrating GPG with Firefox.

I suspect that the thing signed in the well-known location should not just be a fingerprint, though, as that message is too context-independent to be meaningful. For example, if the webserver’s host key was somehow compromised, it could be taken and placed on a new site, alongside fingerprint.txt, and the new site would be “validated” for whatever name they chose to give. So the thing signed would need to be some well-defined aggregate of the public key + hostname, no? This smells like an OpenPGP certificate to me. If the host key is RSA anyway, there’s nothing to say that the server couldn’t generate an OpenPGP certificate for the same key, and just publish that. There was an interesting discussion on the help-gnutls list about how to put a hostname or a URL into the OpenPGP UserID field.

(it’s dkg, not DKG, btw—if you use “DKG” it feels like you’re yelling at me :P)

 
 

btw, can someone explain the difference between the last two concerns?

“Doesn’t require users to import certificate root”

seems pretty similar to

“Supported in browsers/email clients”
 
 

i guess gpg certs would be an example of something not supported.

 
 

Thanks for the access to the page. This is an interesting rundown, though the situation as it stands still seems pretty bad to me. I recently found RapidSSL while looking for a cheap CA (if you can’t find a good CA…). It would be worth reviewing RapidSSL with the same criteria and thoroughness that’s been used on this page for others.

The situation is clearly dire, as you have detailed clearly in the chapter you wrote for the book. Sadly, we have to get some kind of certificate that is at least imported by default into Firefox, and although we watch CACert with some hope for a small step in the right direction, the last I looked at their inclusion process it was nowhere near passing due to the CACert board dragging their feet on the 3rd party verification process.

About RapidSSL… they are a subsidiary of GeoTrust, which is a subsidiary of Verisign. GeoTrust owns the Equifax root used to issue its certificates, but its still a Verisign company and thats enough reason to not use them for me.

There are few problems with the firefox plugin idea. One of course is that you have to get users to install this plugin, which means trading one technical hurdle (installing an otherwise untrusted root cert such as CAcert) for another one (installing a firefox plugin). The second technical hurdle is a much smaller one, but my experience observing people who aren’t very savvy manage to get the point of switching to Firefox is that a surprising few of them actually use plugins/extensions. However, I think it would be a step in the right direction, without a doubt and the education necessary for getting people to install plugins is much less than the certificate import process. The other problem is that the plugin idea doesn’t work so well at internet cafes, where security is more important than ever.

Sorry about yelling, my family refers to everyone by their three letter initials, and they are always caps when they are typing, but they are never yelling when they speak them.

 
 

well, darn. the IPSCA certs are reported to have lots of problems. what next?

RapidSSL is another name for GeoTrust, which got bought by verisign.

 
   

it turns out the ipsCA certs aren’t really having problems, they were just incorrectly installed in a few places, which was our fault, not theirs.

incidentally, they will revoke and re-issue for free, which is nice.