The state of X.509 Certificate Authorities is dismal. This is why, years ago, Riseup was part of an effort with other groups to research the possibility of creating our own CA (Certificate Authority), we called it the CAA (Certificate Anti-Authority), because we didn’t believe that we could trust any of the ones that exist out there. Doing some research in the last few days hasn’t given me much more hope.

What is the problem?

A TLS certificate means “security”: the traffic is encrypted, right? Yes it does, but what if the proper authorities decide that they want to snoop on our traffic? Can they do that if we are encrypting things over TLS?

An attacker with government resources can obtain a new certificate that looks like yours and use a man-in-the-middle attack to read all your TLS traffic.

It would work like this:

  1. Obtain a fake certificate. This could be done by requiring the Certificate Authority who issued your SSL certificate to issue another one with your information. A much more likely scenario is that they simply require a different CA to issue a certificate with your information. If the user’s browser connects to a website and is fed this fake certificate, they will be none the wiser unless they are manually checking the fingerprint (which no one will actually ever do).
  2. The attacker then installs a proxy somewhere upstream, using this “replacement” certificate for your server. The proxy sits between your server and the internet (or between you and the target), and the target is presented with the fake certificate instead of yours. With the matching private key in hand, the attacker can decrypt all the encrypted traffic that travels the wire.

To have faith in your TLS certificate, you need to trust the following government:

These are all in Firefox by default.

How do we discourage this kind of warrantless wire-tapping?

dkg wrote a great piece on this very problem, not only does he illuminate clearly for a non-technical audience the problems involved, but he also has some interesting suggestions for ways that the architecture and protocols can be tweaked just a little bit to change the situation so that this problem will no longer exist.

Another option is to write a Firefox plugin that will notify the user if the fingerprint of a certificate has changed. Even better, we should have a way of using a GPG key to sign the fingerprint. Maybe the plugin could request /fingerprint.txt, which would return the signed fingerprint. If it is not signed by a trusted GPG key, then a little popup warns the user.

There has been a lot of lamenting how TLS is tied to a trusted authority system of security, but there are cases where you don’t trust the authority. The root certificates for dozens of CAs are installed by default in the web browser: all it takes is one of those companies (or one of those governments where the companies are located) to compromise all your security.

A Firefox plugin that checked the fingerprint could be a backwards-compatible way to add a network-of-trust layer on top of the authority layer.
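As an added illustration of the fingerprint check such a plugin would perform (example code written here, not from the original post or from Riseup): the fingerprint is just a hash of the certificate's DER encoding, so a "trust on first use" store can record it on first contact and flag any later change without relying on the CA at all. The PEM blobs below are constructed placeholders, not real certificates, and the hostname is made up.

```python
# Added example (not from the original post): a "trust on first use" fingerprint
# check of the kind the proposed Firefox plugin would do. A cert's fingerprint is
# the hash of its DER encoding, so the check needs no CA at all: on first contact
# the fingerprint is recorded; on later contacts any change is flagged for the user.
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text and return its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest, the form browsers display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    """In-memory pin store keyed by hostname; a real plugin would persist it."""
    def __init__(self):
        self.pins = {}

    def check(self, host: str, pem: str) -> str:
        """Return 'new', 'match' or 'changed'; only 'changed' warrants a warning."""
        fp = fingerprint(pem_to_der(pem))
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "new"
        return "match" if known == fp else "changed"

# Constructed placeholder "certificates": arbitrary bytes in PEM armor, enough to
# exercise the fingerprint logic without a real key pair.
def _fake_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

CERT_A = _fake_pem(b"riseup-cert-version-1")  # the server's own certificate
CERT_B = _fake_pem(b"riseup-cert-version-2")  # a swapped-in replacement

if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(store.check("mail.example.org", cert), fingerprint(pem_to_der(cert))[:23])
```

Seeing "changed" on an unexpected day is exactly the signal the post wants the user to get; legitimate renewals would need the signed /fingerprint.txt idea to distinguish them from a substitution.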

What are our requirements?

  1. Not a Verisign company
  2. Not incredibly expensive
  3. Doesn’t require users to import certificate root
  4. Supported in browsers/email clients

There is a list of CAs that are in Mozilla, I’ve gone through this list to try and do some research on the different options. Dmoz.org also has a list of certificate authorities.

The ones that I have found so far that are non-Verisign origin certificates are: digicert, comodo, identrust, godaddy, entrust, and ipsCA.

A friend of mine said that Entrust is to be avoided: their software is horrible, and they act like a big, bureaucratic, inefficient organization with tons of money that thinks it’s a good idea to send 19 salesmen to one meeting.

Here is a breakdown of certificate authority market share

Possible CAs

Identrust

Seems to be closely associated with the US Department of Defense, which is not very exciting. Plus, their certificates are about $200/yr.

ipsCA

Based out of: Madrid, Spain
Browser coverage: all
Cost: $38/year, three-month free trial
Type: not sure if root or chained

ipsCA is a subsidiary company of IPS, whose root certificate (IPS SERVIDORES) has been present in Microsoft products since 1999, and in other internet products from other vendors. Our root certificate was incorporated into Internet Explorer 5.01, Mozilla and Firefox 1.0, which means that it is present in more than 98% of today’s browsers. Microsoft bundles our root in IE, W2000, W2003, XP, WME and NT4 SP6.0.

certs.ipsca.com

Comodo

Uses chained root certificates, which means they don’t own their CA, but that’s not a problem; it’s apparently only more complicated to install the certificate on the server side. Comodo’s root CA is BeTrusted. There are some cheaper Comodo certs. en.wikipedia.org/wiki/Comodo_Group

Sources for comodo certs: www.instantssl.com

Digicert

Also a chained root cert, expensive.

GoDaddy

Caves quickly in to foreign legal threats, and is owned by a Marine conservative who made his money in domain squatting. GoDaddy’s registration Terms of Service actually say that “You can lose your registration for embarrassing someone”, awesome. Clearly we can’t count on them to stay out of legal battles that other registrars would ignore. Instead, they’ll likely kill our registration and expect to be patted on the back for being good citizens. In fact, if they pull your registration, they require a $200 fee and a written apology!

There is a pretty good anti-godaddy page with a lot of information about why you shouldn’t use godaddy.

Staat der Nederlanden

Their CA root is included in Mozilla. I don’t know anything about them, but it seems to have been created by the Dutch Ministry of the Interior and Kingdom Relations. What is that? They seem to be managed by GBO.Overheid, which is the Government-wide Shared Service Organisation for ICT for the Netherlands… Considering this is the Dutch State, and that the Ministerie Van Binnenlandse Zaken En Koninkrijksrelaties is the Dutch Home Office and the Dutch National Intelligence Agency (AIVD) falls under it, I don’t think this is a very good option.

Swisscom

Their CA is also in Mozilla products. I’m trying to find out if they provide certificates to anything but Swiss organizations; it does say in their CPS:

Section 6. Swisscom appears to provide a service relevant to Mozilla users: It is a public CA issuing certificates to persons and organizations in Switzerland

Although Switzerland’s Cantons enjoy a remarkable amount of autonomy, I’m somewhat skeptical of them, as they initiated a seizure of an Indymedia server located in the UK. Swisscom is to Switzerland what AT&T is to the USA, and AT&T is currently engaged in warrantless wiretapping and lobbying the government for immunity in case this turns out to be massively illegal (it is). I also cannot find out how you request a certificate from Swisscom or one of their approved RAs.

Startcom

These guys look interesting. They are a Free Software/Linux organization based in Israel. Their certificate root is in Mozilla products. They provide free certificates for basic authentication; however, we need the Class 2 certificates that they provide, and those require paying $20 for validation. The validation is a little sketchy: it’s done through a reseller, which is just an eBay store, because PayPal screwed them over (PayPal is owned by a mega-conservative). Something peculiar is that their CA root is not in Internet Explorer or Opera, but it is in Safari, Firefox, and others. Their list of supported browsers tells all.

I like Startcom’s angle on things, and I like the idea of supporting an organization that takes Free/Open Source software seriously. For some reason, I really like this option; I get a good feeling about them (and it’s not just the secret doors that they describe in their Certificate Authority Policy). Maybe the fact that they are in Israel and the reseller is a sketchy eBay thing makes me somehow feel better about them not being in cahoots with the spooks, or at least being somewhat real people. All of our users need to install the CACert root certificate now; if we use Startcom, only IE and Opera users would have to do this, and Firefox/Thunderbird people wouldn’t have to. This seems like a win to me, as we should be promoting Firefox, and people like Frontline Defenders are telling people to use that. It somewhat violates the two criteria “Doesn’t require users to import certificate root” and “Supported in browsers/email clients”, but it’s a step up from what we have now.

QualitySSL

www.qualityssl.com/en/products/ssl-cert...

Denmark, $150/year

AffirmTrust

AffirmTrust is also offering free certificates, just like StartSSL (Startcom), but it offers something better: three-year domain-validated SSL certificates. AffirmTrust announced its launch on the same day as the StartSSL security breach.