But who do you trust?
"Someone relying on Convergence wouldn't have been tricked by the rogue certificate discovered Monday."
Do you trust Convergence? What happens if/when they become the gatekeepers? Will they be [cr|h]acked, gamed, impersonated, etc?
Ultimately, it is about trust - and trusting ANYTHING and ANYBODY only as far as you must. The current SSL model of a tree of trust works until you subvert the trunk (the certificate authorities) - or rather, subvert *A* trunk as there is more than one CA (which is what happened here).
But having some other means to validate certs WILL fail when that other means gets subverted - and given enough money it will.
If the CAs did their job properly...
If the certificate authorities did their job properly and checked that they were only issuing certificates to the right people, this wouldn't happen. But then, the cost of SSL certificates would rise. As usual, do we want it done cheap or do we want it done right? Seems like cheap has won as far as SSL certificates are concerned.
SSL certs should be cheap, there is no reason for it not to be, it costs nothing to issue it, where does the $7.99 go?
Should it not go to the $.49 on a phone call for authentication and to request the person to fax/email them a business registration cert and/or passport copy?
Even after wages are paid they still get a big margin, especially on those Extended SSL certs where they do exactly as I said above.
Labelling a new approach that does work as fail is fail.
We're talking about security and encryption. Do you see anybody labeling SHA-512 as fail and refusing to adopt it because it is eventually feasibly crackable?
Convergence works on the basis of majority vote.
On the note of SSL and trust, trust does not exist in reality so why the SSL trust system was even conceived in the beginning is beyond me. However I would say that SSL certs should only be used realistically to signal connection encryption.
You might say without trust, how can we ensure that sites we visit are really authentic? That is a problem that we need to solve, but it is clear that the trust model with single point CA in distributed computing is flawed as there are plenty of CAs out there that can issue forged certs. The best bet is with a distributed authentication method spanning across different geographical locations so that it's not susceptible to even government poisoning.
Re: True but...
Yes, people pay for certificates.
The CAs take that money for (essentially) nothing. For the most part they can't even be bothered to provide CRLs and OCSP on decent servers!
Firefox still doesn't treat unreachability of the OCSP (!) server as a fatal validation failure because problems with OCSP reachability and performance are so common!
Only recently the EV certificates made the situation better, but browsers still treat CRLs and OCSP as optional.
Add-ons such as "Certificate Patrol", "Force-TLS" or "Perspectives" should be internal to the browser.
We should start with axing all but 5 up to 10 CAs that are automatically trusted. All of them should issue only EV, hand verified certificates without any sub CAs (chain length limited to 2). The rest should be downloaded on demand from browser vendor servers, user notified that the certificate is not trustworthy and the certificate for the site *saved* in the browser, if it changes, the user should be notified about it (different CA - error, renewal for certificate that would lose validity in the next 3-4 weeks - notification).
Computer security is hard, making it easy makes it insecure.
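The save-and-compare policy proposed in the comment above, as an added Python sketch (not part of the original thread and not the code of Certificate Patrol or any browser). The host name, CA names, the `classify` function and the 4-week window are assumptions chosen for illustration, and the "same CA, early change" verdict covers a case the comment leaves open.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: upper end of the comment's "3-4 weeks" renewal window.
RENEWAL_WINDOW = timedelta(weeks=4)

@dataclass(frozen=True)
class SeenCert:
    fingerprint: str      # SHA-256 over the certificate's DER bytes
    issuer: str           # issuer distinguished name
    not_after: datetime   # expiry of this certificate

def classify(store, host, cert, now):
    """Compare cert with the one saved for host and return a verdict string."""
    prev = store.get(host)
    if prev is None:
        store[host] = cert            # first visit: save, nothing to compare
        return "first-seen"
    if prev.fingerprint == cert.fingerprint:
        return "unchanged"
    if prev.issuer != cert.issuer:
        return "error"                # different CA: keep the old entry, block
    if prev.not_after - now <= RENEWAL_WINDOW:
        store[host] = cert            # same CA, saved cert about to expire
        return "notify-renewal"
    # Same CA but the saved cert was not near expiry. The comment does not
    # cover this case; treating it as a warning is an assumption.
    return "warn-early-change"

def make(der, issuer, not_after):
    return SeenCert(hashlib.sha256(der).hexdigest(), issuer, not_after)

def demo():
    # Constructed sample data: stand-in bytes, not real certificates.
    store, host = {}, "mail.example.test"
    old = make(b"constructed-cert-1", "CN=Example CA A", datetime(2011, 9, 20))
    renewed = make(b"constructed-cert-2", "CN=Example CA A", datetime(2012, 9, 20))
    other_ca = make(b"constructed-cert-3", "CN=Example CA B", datetime(2013, 7, 9))
    return [
        classify(store, host, old, datetime(2011, 7, 1)),
        classify(store, host, old, datetime(2011, 7, 2)),
        classify(store, host, other_ca, datetime(2011, 7, 10)),
        classify(store, host, renewed, datetime(2011, 7, 11)),
        classify(store, host, renewed, datetime(2011, 9, 1)),
    ]

if __name__ == "__main__":
    print(demo())
```

A certificate from a different CA never replaces the saved entry, so a later legitimate renewal is still compared against the last certificate that was accepted.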
The big players themselves undermine trust
Not about SSL certificates, but ...
A few years ago I did a paper on trust and the web, and one of the big findings was that many of the people who shout the loudest about the importance of trust and web security are the biggest sources of confusion.
For example, it is common practice for the banks to farm out the marketing and application for credit cards and special deals on accounts to third parties. If you try to match the look and feel of the websites, the IP addresses, and email accounts, you will see that although the offer is branded as being from a particular bank, the rest doesn't match.
In other words, the bastards are undermining security by habituating people to exactly the clues that are supposed to warn of something fishy.
I've been on about this for years - why do some banks insist on having their online banking on a completely different domain, which on the face of it has no relationship to them at all?
I've reported umpteen suspected phishing emails to them that I suspect might actually have come from some misguided marketing attempt by them.
For instance - take natwest - they advertise www.natwest.co.uk on all of their literature, but click on their online banking icon and it takes you to nwolb.com - if I look this up on whois I find it is actually owned by RBS (or so it says - I could quite easily register say rbsukolb.com and put their details in as owner - doesn't bother me after I've carried out my phishing attacks that I'll lose the domain). Even that sounds dodgy - not everybody knows that Natwest is owned by RBS.
Fail on the banks' part, at so many different levels.
mozilla will "protect users from this attack"...
... by stripping everyone else who's given money to diginotar of the usability of their certificates, breaking their websites and exposing their users to fear, uncertainty, doubt, and whatever MITM attacks are now so much easier without encryption.
Contrast this with the comodo root cert, where *two* resellers were compromised and comodo actually pointed fingers at them instead of themselves as the culprits while they used no intermediary to sign off on various RAs' signing requests so you can't just distrust those RAs and as such all of comodo is compromised, but simply stamping out a couple specific certificates by hardcoding their fingerprints in various programs was deemed sufficient. *Their* root certificate is still there.
Diginotar did quickly what they should do and revoked the certificate (though of course revoking doesn't actually work all that well, wonderful design we have here dear mozilla) but apparently aren't "too big to fail" so don't rate comodo's approach.
On a similar note, Honest Ahmed's Used Cars And Certificates root cert still hasn't been approved for inclusion, despite them actually being honest about their business model.
So, mozilla, what are the criteria for taking which action, please? I think all users and CAs deserve to know what yardstick(s) apply to your certificate store handling.
Mozilla AND GOOGLE revoked DigiNotar's root cert as a result of GROWING MISTRUST culminating in this fraudulent certificate. Security researchers are calling for this. Presumably other browser makers will follow suit. Why are you singling out Mozilla?
Oh be quiet...
...talk about a fanboy response. So he misses out Google, maybe, just maybe, as it's a Google cert, they WOULD be involved, Mozilla is a 3rd party (partly) independent of Google, and as such, is following blindly their paymaster's lead?
What about valid sites, with valid certs?
Will Google / Mozilla, refund them for any losses incurred?
It's like sayin, Oooh there are a couple of dodgy geezers in that country, let's invade it and kill thousands of people and help create a civil war....Oh wait.
On noes, singled out mozilla
Three reasons, really. First and foremost, netscape came up with this scheme. You're entirely right that google, and for that matter opera, micros~1, and whoever else runs a root cert collection, needs scrutiny too. As well as everything in those collections. It certainly doesn't stop after mozilla, nor after google. Second, I didn't feel like digging up the dirt on the rest though as noted they do deserve it. I was commentarding, not writing a scientific position. And that also because, thirdly, it was bloody late up in CEST-country. Consider mozilla the (successor to the) inventing pars pro toto if you will.
No, Mozilla/Google shouldn't refund the (now) defunct certificates. Diginotar should do so, since THEY are the ones selling a service they're not performing. Their product is a "seal of approval" that they've actually checked the owners of the domain they're issuing a certificate for. That's all they are selling.
They provably AREN'T checking, and as such, their customers have paid for a service not received. Your refund should come from the registrar, who have committed fraud.
It's not just that one CA.
The keepers of the root CA cert collections (mozilla/google/micros~1/...) do have culpability here. They're the ones pushing you to trust resellers like digicert and comodo. They've made it decidedly non-trivial to un-trust a CA and in the case of micros~1 there is code in place that will de-un-trust a CA, that is, it'll add the CA back in at the next software update, behind your back, with no notification. It actually *forces* you to use its selection of CAs.
While you're right it's not them that should refund monies paid to someone else, there is a clear problem: The handling is uneven and the yardsticks used, if any, are unclear. And until that is cleared up, it's not so much a case of a single registrar gone bad, but the entire CA store that's suddenly in dire need of scrutiny.
*That* is what the original comment is about.
Is bloody high time browser vendors started revoking root CA certificates for misconduct. Yes that includes issuing certificates for high profile sites.
Any CA software that doesn't raise red flags for issuing certificates for any of the Alexa 500 sites is broken.
Any CA that does issue certificates for such domains without manual double check is fraudulent.
I can only hope that we will see more and more CA roots revoked, the system is flawed and browser vendors kept washing their hands, even when a CA was time and again shown guilty of negligence.
Beer for fine folks at Mozilla that finally done something. Cheers!
Those who STILL think the design and implementation of SSL is worth a damn...
design and implementation of SSL
SSL starts to show its age, TLS OTOH is solid (after patching the TLS renegotiation issue).
What I think you're referring to is the PKI and CAs. You don't even have to use X.509 certificates with TLS...
It seems at present, Iran, or any other miscreant country, would need to control the network (in order to direct users to their fake Google.com). They also need to get a secure certificate issued by an authority the browser trusts for the domain. Both of which they appear to have done.
Now that Mozilla and Chrome are revoking the root cert of DigiNotar who issued the bogus cert, what does the miscreant country do next?
Presumably step one is to try to block their users from receiving the browser update so the bogus one continues to fool users.
Step two would be to set up fake Mozilla and Chrome sites, and bake their own versions of the browsers that trust their own bogus cert authority. If they can get users installing their own browser, they can freely issue bogus certs for anything they like.
Open source code actually makes this job rather simple, as it's trivial for them to roll their own Mozilla or Chrome. Presumably they could probably create a fake IE too by embedding the core code in a modified interface as some IE-based alternatives do.
Doesn't Firefox use digital signatures to authenticate updates?
Just install Certificate Patrol
You would have noticed the unusual certificate if you only installed https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
No need to have Perspectives or this new variant of Perspectives called Convergence installed, and report your certificate browsing habits to others.
PKI considered harmful
"A commercial CA protects you from anyone whose money it refuses to take."
The following is worth a read:
Weren't they going to make it possible to
include a domain's official certs in DNSSEC?
Yes, there are moves to include site certificates in DNSSEC records. There is no support for this in any browser. The only browser that "natively" supports it is Firefox, after you install the DNSSEC add-on.
Other browsers require the OS to do the DNSSEC query and verification.
What's more, I'd say, we are at least 5-10 years before most of the domains are signed, more for wide roll out of DNS-embedded certificates. DNSSEC requires a rewrite of nearly the whole DNS record management software. That's a high cost for the registrars for no gain. Most people don't even know about DNSSEC so they don't even ask about support for it...
Comodo got away with it
If you hadn't removed Comodo's CA certificates from your stores, don't bother with the ones from Diginotar...
Can someone explain what this dodgy certificate can achieve? Does it authenticate a non-google.com domain as being google.com? Or does it authenticate google.com as being google.com (what's the point?).
Sorry I am clearly missing something here...
Why diginotar lost trust
"Diginotar did quickly what they should do and revoked the certificate"
No they did not. They did not tell anyone that they had been hacked until the rogue certificates surfaced in public few months later.
Had diginotar a) announced on July 19th that they got hacked and b) actually identified all hacked certificates, diginotar would still probably be trusted by Mozilla and others. SSL still needs heavy restructuring to become trustworthy again.