Pages

Sunday, August 15, 2010

Thought on certificate authorities

An article warning of "a weak link in secure Web sites" notes that the Electronic Frontier Foundation has expressed concerns about the trustworthiness of some of the certificate authorities, or CAs, on the Internet.

This does not represent a new threat. Trustworthiness has always been a requirement of the SSL (secure sockets layer) security protocol, which is what lies behind so-called secure Web sites. What's new is that the New York Times is bringing it to everyone's attention.

Now the question is whether people are going to have to accommodate another area of complexity in their lives.

First, let's lay a little groundwork. SSL (actually TLS, but let's skip lightly over that) is actually not at the root of the problem. Rather, it relies explicitly and heavily on earlier work from the Telecommunication Standardization Sector (ITU-T), specifically, on a standard that the ITU-T defined called X.509. X.509 is the standard that introduced the world to CAs.

X.509 envisions a world of trusted authorities, godlike institutions that certify identity over a network. If a person presents this certification to a computer, the computer consults the CA and verifies that the presenter is who he claims to be.

That explanation is grossly oversimplified, but it gets to the heart of the aforementioned brouhaha over CAs. You might be wondering why anyone would trust the certification issued by the CA. It's a perfectly reasonable question, and the answer has two parts.

Let's start with the second of those parts. There must be a way to tie together the CA's certification to the entity (a person or an organization, like a company) claiming to hold that identity. That's where cryptography comes in: the certification is only regarded as valid if the presenter successfully meets a cryptographic challenge, part of which is inextricably tied to the certification itself. That's what happens, under the hood of your computer, whenever you visit a secure Web site. The complexity of the cryptography, or rather, the complexity of getting it right, is where most of the security community's time, energy and attention has been focused for a couple of decades.

Again, this is a gross and incomplete simplification, but that doesn't matter because the current problem is with the other part of the answer to "why should we trust CA certifications?" Quite simply, we trust the certifications because we trust the CAs. That has always been an explicit and bedrock assumption underlying X.509.

And that brings us back to the expressed concerns about the trustworthiness of CAs. What do we do when we can't trust one of them?

Fifteen years ago I attended a conference in which one of the presenters proclaimed, "Let a thousand CAs bloom." His point was that in our daily lives, we encounter many different levels of required trust, and thus many different ways of attesting to identity have evolved. Your local coffee shop may be willing to give you a free cup if you're short on cash one day because the staff recognizes your face. Your bank is going to require a government-issued photo ID if you want to do anything more than get change. The source of trust is different for each situation.

Online, however, there is primarily one source of trust: the CA. (Technically minded folks, leave aside PGP and the critical role of DNS for the sake of this discussion.) If a CA attests to the identity of Macy's online, that has to be good enough for us, because we have no other way of determining identity.

However, an untrustworthy CA can certify that some other entity is Macy's. The only way to discern whether or not you're dealing with the real Macy's is to do cryptographically secure checks of the certification chain back to the CA. Your browser can (and usually does) perform those checks, but you still need to know with what CA the real Macy's registered. How many of us know that? And intermediate CAs complicate the situation further, since you have to know which of them should be part of the certification chain, too.

The only reason rogue CAs haven't flourished is that only a few CAs at the top of the certification chain matter. Verisign, for instance, will not risk its reputation by certifying anything other than the "real" Macy's. It also will decertify any intermediate CA (that is, any CA whose own identity is verified by Verisign) that, by certifying bogus identities, abuses the trust placed in it.

However, other CAs can and do operate at the top, and it's not clear which of them can be trusted. Some of them might have an incentive to issue bogus certifications, on behalf of criminal organizations, for instance. Others might just be sloppy.

You can, if you wish, look at the certification chain by which your browser verified a secure Web site. The information is presented in a highly technical way, however, and likely won't mean much to you. This view also doesn't answer the fundamental questions: are the CAs attesting to the site's validity all trustworthy? Are they the ones that the real business actually requested to certify that business's identity?

Unfortunately, there's no automatic and straightforward way to answer those questions. At the moment, the best we can do is to ask the real vendor to announce which CA(s) it uses to certify its identity. That's a highly unsatisfactory answer, of course, but it is, sadly, the best we can do.

No comments:

Post a Comment