
through h4x0r3d's eyes

#SSL fix aims to mend huge cracks in 'Net's foundation of trust

Under the Mutually Endorsing CA Infrastructure proposal, end users would rely on Notaries to confirm the validity of digital certificates presented by Google Mail and other SSL-protected websites.

Open-source software developer Kai Engert has proposed an overhaul to the Internet’s SSL authentication system, aiming to minimize the damage that would result from the compromise of one of the authorities trusted by major browsers.

Under version 2 (PDF) of Engert’s Mutually Endorsing CA Infrastructure proposal, people connecting to Google Mail, Twitter and other sites protected by SSL would draw on one of three randomly selected notaries to verify that the digital credential being presented is valid. By comparing the SSL certificate’s contents to data contained in the voucher returned by the notary, the person’s Web browser or e-mail program could quickly spot credentials that have been forged, even when they’ve been signed using the private key of a legitimate certificate authority. The notaries—or “voucher authorities” as they’re called—would be made up of existing CAs.

“The introduction and requirement of vouchers has the benefit that controlling a single CA will no longer be sufficient,” Engert, a software developer at Red Hat and a contributor to the Mozilla Project’s security team, wrote in the proposal. “If the presence of a valid voucher were mandatory, at least two CAs would have to be involved to create a working rogue identity, one CA signing the certificate, another CA using its VA to produce a voucher.”

At a minimum, the vouchers would contain a cryptographic hash of the certificate the end user wants to access, a single IP address used by the site, a timestamp recording when the data was collected, and a digital signature using the underlying VA’s private key. It might also include data concerning intermediate certificates used by the SSL certificate, recent OCSP—or online certificate status protocol—responses for the certificate and intermediate certificates, and proof that the VA signing certificate hasn’t been revoked.
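The client-side check described above, as an added Go example that is not code from Engert's proposal or from the article. The field names, SHA-256, Ed25519, the byte layout of the signed data, the one-hour freshness window, the comparison of the voucher's IP address with the connected peer, and all certificate bytes are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Voucher holds the minimum fields the article lists. Names, SHA-256,
// Ed25519 and the signed byte layout are assumptions of this example.
type Voucher struct {
	CertHash  [32]byte  // hash of the certificate the VA observed
	IP        string    // single IP address used by the site
	Collected time.Time // when the VA collected the data
	Sig       []byte    // VA signature over the three fields above
}

// signedBytes serialises the signed fields in a fixed order.
func (v *Voucher) signedBytes() []byte {
	var b bytes.Buffer
	b.Write(v.CertHash[:])
	binary.Write(&b, binary.BigEndian, v.Collected.Unix())
	b.WriteString(v.IP)
	return b.Bytes()
}

// Issue plays the voucher authority: it vouches for the certificate it saw.
func Issue(vaKey ed25519.PrivateKey, certDER []byte, ip string, at time.Time) *Voucher {
	v := &Voucher{CertHash: sha256.Sum256(certDER), IP: ip, Collected: at}
	v.Sig = ed25519.Sign(vaKey, v.signedBytes())
	return v
}

// Check plays the client: signature first, then freshness, IP and hash.
func Check(v *Voucher, vaPub ed25519.PublicKey, presentedDER []byte,
	peerIP string, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(vaPub, v.signedBytes(), v.Sig) {
		return errors.New("voucher signature invalid")
	}
	if age := now.Sub(v.Collected); age < 0 || age > maxAge {
		return errors.New("voucher stale or post-dated")
	}
	if v.IP != peerIP {
		return errors.New("voucher IP does not match peer")
	}
	if sha256.Sum256(presentedDER) != v.CertHash {
		return errors.New("certificate hash does not match voucher")
	}
	return nil
}

// Demo runs three constructed cases: the genuine certificate, a certificate
// minted by a compromised CA, and a voucher edited to cover that certificate.
func Demo() (genuine, forged, tampered error) {
	vaPub, vaKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Unix(1700000000, 0)
	realCert := []byte("constructed bytes: genuine site certificate")
	rogueCert := []byte("constructed bytes: certificate from a compromised CA")
	v := Issue(vaKey, realCert, "192.0.2.10", now.Add(-10*time.Minute))
	genuine = Check(v, vaPub, realCert, "192.0.2.10", now, time.Hour)
	forged = Check(v, vaPub, rogueCert, "192.0.2.10", now, time.Hour)
	// Without the VA's private key the voucher cannot be rewritten to match.
	bad := *v
	bad.CertHash = sha256.Sum256(rogueCert)
	tampered = Check(&bad, vaPub, rogueCert, "192.0.2.10", now, time.Hour)
	return
}

func main() { fmt.Println(Demo()) }
```

The forged case fails even though the rogue certificate would chain to a trusted CA, which is the "at least two CAs would have to be involved" property Engert describes.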

Fractures in the Web’s foundation of trust

Critics have complained for years that the web of trust used to prevent eavesdropping on webmail, banking transactions, and other sensitive Internet-based sessions is hopelessly broken. With more than 600 entities authorized to mint certificates that are trusted by major browsers, all it takes is the compromise of one of them for an attacker to forge a credential for any site. That point was dramatically underscored last year when hackers breached Netherlands-based DigiNotar and created counterfeit credentials for Google Mail, Mozilla’s add-ons download site, and other sensitive services. The Gmail certificate alone was used to snoop on an estimated 300,000 Gmail users, an audit later showed.

Since then, a flurry of competing alternatives and enhancements to the fractured SSL system have surfaced. Among them is Convergence, proposed by Moxie Marlinspike, a researcher who has repeatedly exposed serious flaws in the underlying SSL protocol. Convergence relies on a loose confederation of notaries that independently vouch for the validity of a given SSL certificate. One of the key benefits of the system is a “trust agility” that allows users to query specific notaries they trust.

It also provides privacy protections not available with regular SSL. Under the current system, certificate authorities track huge numbers of requests for SSL-protected websites and map them to individual IP addresses. Convergence uses two separate notaries that are intentionally kept in the dark when vouching for a certificate. One notary gets to see the IP address of the Convergence user but not the SSL certificate she wants validated. The other one sees the certificate but not the IP address.

Last year, Convergence got a strong endorsement from security firm Qualys, when it deployed two notary servers. Developers for Google Chrome, meanwhile, have said they have no plans to add it to the browser.

Google researchers have proposed their own fixes (PDF) for the ailing SSL system. Under their new system, CAs would be required to publish the cryptographic details of every credential they sign to a publicly accessible log that’s also been cryptographically signed to guarantee its accuracy. Some CAs have baulked at the proposal, saying it would require them to part with proprietary customer data. The Google plan would also place technical burdens on websites and browser makers, these critics have said.

The latest proposal comes a day after Ivan Ristic of Qualys released a set of SSL/TLS deployment best practices (PDF) that administrators can follow to avoid common configuration mistakes. He said that his company has conducted surveys and found that two-thirds of all SSL servers are badly set up and that of the remaining third “many have application-level issues that fully compromise SSL.”

“The truth is that most experts are attracted to the CA trust problem, but, in reality, most SSL installations fail because of configuration and implementation errors,” he added.

“Like speaking with a corpse in your mouth”

The changes envisioned by Engert are in many ways similar to Convergence, except that notaries would be limited to existing CAs and would be chosen randomly by the client software rather than by the end user. Marlinspike characterized the difference as a major shortcoming.

“This is just Convergence without the good parts,” he wrote in an email. “The problem we need to solve is the lack of trust agility in the CA system. Speaking about solutions to the CA system which don’t provide trust agility is like speaking with a corpse in your mouth.”

The proposed fix is also receiving a chilly reception from some CAs. Comodo Senior Scientist Phillip Hallam-Baker wrote: “It might help if implemented. But probably not very much. Having two parties do essentially the same check in the same way is not likely to result in much reduction in risk.”

In his own email to Ars, Engert said the proposal is an update to one he first floated (PDF) at a security conference late last year.

“The document v2 is the result of thinking about the initial ideas more, taking into consideration the thoughts and feedback that I had received from various sources,” he wrote. “I’m hoping my proposal can be helpful inspiration for finding a solution for the trust problem.”

    • #SSL
    • #Security
    • #Lulz
    • #You're Doing It Wrong

#SSL and the Future of Authenticity #DNSSEC

An anonymous reader writes

“There has been a growing tide of support for replacing SSL’s Certificate Authorities with an alternative authentication mechanism. Moxie Marlinspike, the security researcher who has repeatedly published attacks against SSL, has written an in-depth piece about the questions we should be asking as we move forward, and urges strong caution about adopting DNSSEC for this task.”

    • #Realness
    • #Security
    • #Authentication
    • #Encryption
    • #SSL
    • #DNSSEC
    • #Systems of Control
    • #Coercion
    • #Blackmail

Hackers exploit chink in Web's armor | Privacy Inc. - CNET News

A long-known but little-discussed vulnerability in the modern Internet’s design was highlighted yesterday by a report that hackers traced to Iran spoofed the encryption procedures used to secure connections to Google, Yahoo, Microsoft, and other major Web sites.

This design, pioneered by Netscape in the early and mid-1990s, allows the creation of encrypted channels to Web sites, an important security feature typically identified by a closed lock icon in a browser. The system relies on third parties to issue so-called certificates that prove that a Web site is legitimate when making an “https://” connection.

The problem, however, is that the list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web’s master keys.

Compromise related to fraudulent digital certificates is traced to IP addresses in Iran, Comodo says.

(Credit: Comodo)

“There is this problem that exists today where there are a very large number of certificate authorities that are trusted by everyone and everything,” says Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation who has compiled a list of them.

This has resulted in a bizarre situation in which companies like Etisalat, a wireless carrier in the United Arab Emirates that implanted spyware on customers’ BlackBerry devices, possess the master keys that can be used to impersonate any Web site on the Internet, even the U.S. Treasury, BankofAmerica.com, and Google.com. So do more than 100 German universities, the U.S. Department of Homeland Security, and random organizations like the Gemini Observatory, which operates a pair of 8.1-meter diameter telescopes in Hawaii and Chile.

It’s a situation that nobody would have anticipated nearly two decades ago when the cryptographic protection known as SSL (Secure Sockets Layer) began to be embedded into Web browsers. At the time, the focus was on securing the connections, not on securing the certificate authorities themselves—or limiting their numbers.

“It was the ’90s,” says security researcher Dan Kaminsky, who discovered a serious Domain Name System flaw in 2008. “We didn’t realize how this system would grow.” Today, there are about 1,500 master keys, or signing certificates, trusted by Internet Explorer and Firefox.

The vulnerability of today’s authentication infrastructure came to light after Comodo, a Jersey City, N.J.-based firm that issues SSL certificates, alerted Web browser makers that an unnamed European partner had its systems compromised. The attack originated from an Iranian Internet Protocol address, according to Comodo Chief Executive Melih Abdulhayoglu, who told CNET that the skill and sophistication suggested a government was behind the intrusion.

Spoofing those Web sites would allow the Iranian government to use what’s known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities its citizens performed, even if Web browsers show that the connections were securely protected with SSL encryption.

If Comodo is correct about the attack originating from Iran, it wouldn’t be the first government in the region to have taken similar steps. Late last year, the Tunisian government undertook an ambitious scheme to steal an entire country’s worth of Gmail, Yahoo, and Facebook passwords. It used malicious JavaScript code to siphon off unencrypted log-in credentials, which allowed government agents to infiltrate or delete protest-related discussions.

Comodo’s revelation throws into sharp relief the list of flaws inherent in the current system. There is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance; Tunisia even has its own certificate-issuing government agency.

“These organizations act as cornerstones of security and trust on the Internet, but it seems like they’re not doing basic due diligence that other organizations are expected to do, like the banks,” says Mike Zusman, managing consultant at Web app security firm Intrepidus Group. “I’m not sure what we need to do but I think it’s time we start addressing the issue of trust and issues of certificate authorities potentially not living up to standards that they should be.”

Over the last few years, a handful of papers and demonstrations at hacker conferences have focused more attention on the topic. But the Comodo intrusion, which appears to be the first public evidence of an actual attack on the way the Web handles authentication, could be a catalyst for rethinking the way to handle security.

Two years ago, for instance, Zusman was able to get a certificate from Thawte, a VeriSign subsidiary, for “login.live.com” just based on an e-mail address he created on the Hotmail domain. Even though it was revoked, it still worked in a Web browser during a demonstration at the Black Hat conference in Las Vegas. Comodo, too, has previously been shown to have lax security standards among its resellers as far back as December 2008.

“Remember, the only reason Iran has to go to the lengths they’ve gone to to get certificates is because they don’t have a (certificate issuer) of their own… most countries can just generate their own,” says Moxie Marlinspike, chief technology officer of mobile app developer Whisper Systems, who has discovered serious problems with Web authentication before. One problem, he says, is that companies that issue certificates have a strong economic incentive to make it as easy as possible to obtain them.

Another worrisome aspect is that browser makers don’t always have a good way to revoke fraudulent certificates. A discussion thread at Mozilla.org, makers of the Firefox browser, shows that after being alerted by Comodo, they had no process to revoke the faux certificates. Mozilla developers ended up having to write new code and test a patch, which took a few days and, even after its release, meant that only users who downloaded new versions of Firefox benefited.

Google’s Chrome, on the other hand, uses a transparent update system for desktop versions but not necessarily mobile ones. Microsoft said yesterday that “an update is available for all supported versions of Windows to help address this issue.”

Ross Anderson, professor of security engineering at the University of Cambridge’s computer laboratory, offered an anecdote in this paper (PDF): “I asked a panelist from the Mozilla Foundation why, when I updated Firefox the previous day, it had put back a certificate I’d previously deleted, from an organisation associated with the Turkish military and intelligence services. The Firefox spokesman said that I couldn’t remove certificates—I had to leave them in but edit them to remove their capabilities - while an outraged Turkish delegate claimed that the body in question was merely a ‘research organisation.’”

Jacob Appelbaum, a Tor Project developer who is a subject of a legal spat with the Justice Department over his work with WikiLeaks, says Mozilla should have warned of the vulnerability immediately and shipped Firefox 4 with a way to detect and revoke bad certificates turned on by default. (The technique is called Online Certificate Status Protocol, or OCSP.)

“Mozilla’s not taking their responsibility to the Internet seriously,” said Appelbaum, who wrote an independent analysis of the situation. “A Web browser isn’t a toy. It’s being used as a tool to overthrow governments…At the end of the day, they did not put their users first.”

Some long-term technical fixes have been proposed, with names like DANE, HASTLS, CAA (Comodo’s Phillip Hallam-Baker is a co-author), and Monkeysphere. The technology known as Domain Name System Security Extensions, or DNSSEC, can help. The Electronic Frontier Foundation’s Eckersley, who runs the group’s SSL Observatory that tracks SSL certificates, hints that he’ll soon offer another proposal about how to reinforce the Web’s cryptographic architecture.

“We do in fact need a way not to trust everyone,” Eckersley says. “We have 1,500 master certificates for the Web running around. That’s 1,500 places that could be hacked and all of a sudden you have to scramble to dream up a solution.”

Further reading:

Comodo analysis by Phillip Hallam-Baker

Comodo incident report

Analysis by Jacob Appelbaum

EFF technical analysis of the fraudulent SSL certificates

Freedom to Tinker post by Steve Schultze

Microsoft’s blog post

F-Secure’s blog post

ImperialViolet.org post on March 18 titled “Revocation doesn’t work”

    • #Hackers
    • #Hacking
    • #Exploit
    • #SSL
    • #Smart Phones
    • #Man-In-The-Middle
