Recent Features
| |||||||||||||
Certificates and "authorities"Certificates and "authorities"Posted Sep 8, 2011 0:13 UTC (Thu) by gmaxwell (subscriber, #30048)Parent article: Certificates and "authorities"
To some extent I feel like the concern over the compromised CA's is really missing the elephant in the room: Even with perfect CA security, the HTTPS security model fails to provide effective security in the real world.
First: It's not widely used. Because of the extra software and layer-8 complexity people simply don't bother to use it. Some complexity is unavoidable for authentication, but HTTPS as deployed provides all or nothing security: You don't get ephemeral encryption which makes eavesdropping harder and detectable and which could be provided without any administrative burden unless you also swallow the full authentication pill. (in practice: self-signed certs throw warnings at users which hardly provides any security, but provides enough FUD to make them mostly useless, instead the browsers could just completely hide that such pages are encrypted but they don't)
The lack of ubiquitous mandatory HTTPS makes downgrading attacks utterly trivial: "Oh no, my victim is using SSL! Oh wait, thats no problem, I'll block port 443 and they'll switch to http because its not unusual for HTTPS to fail to work".
HSTS is a good improvement on this particular fault, but even though it is trivially activated practically no sites support it and it creates its own complicated failure modes and still suffers from an inability to securely initialize it.
The authentication model is also failure prone. Certificates expire frequently and users routinely encounter certificate errors even on big name high profile sites. Browser vendors have tried to combat the resulting blind clicking by making the process more burdensome (three clicks in firefox, IIRC) but increasing the burden of the task simply makes the inattentional blindness more potent.
I had recent experience with this: Some teammate linked to an IETF page in chat, and the IETF had an expired certificate. I managed to click through the warnings without ever realizing they were there, only noticing it when other people in the chat commented. None of us reported the expired cert perhaps we were all just MITMed with an old cert, we'll never know because the HTTPS model simply doesn't work.
Despite its faults and the huge number of supported CA's, SSL is also costly: The smaller number of public CA's that are supported by a broader set of browsers charge a lot, especially for the wildcard certificates which are needed to support subdomains. This further discourages usage.
Even when the CAs are functioning normally their validation process is a joke: usually it requires nothing more than responding to an email sent to a domain name administrative contact, or a file with a particular name placed on the site (and served via unauthenticated HTTP) in many cases neither are significant barriers to anyone with a fax machine or a little luck at guessing password. Yet making it better would only increase the already high costs.
Furthermore, in the almost universally used without-PFS mode SSL certificates stored on a server are incredibly valuable to attackers: Capturing a sites certificate not only allows you to _undetectably_ impersonate the site for the duration of the cert (or until its revoked), but it allows an attacker to decrypt all communications with that server _prior_ to the exploitation which they may have captured. So, as deployed SSL does little to discourage the creation of billion dollar ubiquitous surveillance systems, as even when its used its easily defeated ex-post-facto!
Moreover, often your your browser talking to an intermediary "application service provider" rather than to the true far end of your communication. E.g. when you send an email on facebook the other end of your communication is your friend facebook is just a middle-man no different from your ISP. In this very common model HTTPS offers nothing in the way of end to end security, it simply moves the vulnerability point around. In the same way we don't consider our local WiFi WPA adequate to secure our internet traffic, we shouldn't consider HTTPS adequate.
I could continue, but I think these points are enough to establish that the compromise any of many vulnerability of the CA mode is just one problem out of a great many.
People looking at the "SSL problem" would do to expand their analysis to beyond the CA insecurity. Systems like OTR (within its narrow problem domain) and Tcpcrypt (covering layers below authentication) provide security properties which are much more aligned with the practical needs of the internet than what HTTPS provides.
(Log in to post comments)
Certificates and "authorities" Posted Sep 8, 2011 7:45 UTC (Thu) by sgros (subscriber, #36440) [Link]
Why do you think that solving "CA problem" wouldn't do? The majority of the problems you mention is related to CAs. Other set of the problems could be linked to bad usability of browsers. After all, security adds complexity and restrictions, there is no way around it.
But what if "CA problem" is solved in such a way that helps browsers (and users) make better informed decisions? Also, what if the system allows you to not completely trust a single CA? Finally, why browser vendors don't require bundled CAs to provide annual audit about their security from independent companies?
Of course, there is also the fact that majority of Internet users simply do not care about security... (e.g. "I have open WiFi, so what?!", "Pearson 1: You are using http, which means someone can see you communication. Pearson 2: So what!?" or "Pearson 2: Uhm?!").
Certificates and "authorities" Posted Sep 8, 2011 9:18 UTC (Thu) by gmaxwell (subscriber, #30048) [Link]
Of the problems I listed the only ones that could even theoretically be solved by a perfect CA are the cost and poor validation problems. I'm doubtful that these two can be concurrently solved with the current technical system.
User visible complexity is what matters the most, as implementation complexity becomes well amortized quickly. And from the user's perspective "security adds complexity and restrictions" is not an invariant. Security is a many dimensioned continuum, not a binary value. Some kinds of security adds significant complexity, some add basically none, but the amount of complexity is often only weakly related to the amount of security being provided.
For example, address space layout randomization does not meaningfully increase complexity for the user. Likewise Ephemerally keyed encryption can be provided completely invisibly and provides _absolute_ protection against passive monitoring and at least the risk of detection (if unlikely) for any attacker who performs active attacks.
The user not caring isn't a user problem: It's a technical problem with the system. HTTPS should provide security for the user even if they are unaware or indifferent and should do so without effort on their part. A system which fails to do so is not secure in the real world where systems are used by real humans which have well established poor behaviour, even security experts fall into these traps.
"It's secure if you put the user on the moon" wouldn't be an acceptable excuse for failing of HTTPS and nor should "it's secure if the user has superhuman vigilance" be considered acceptable.
Asking users to make _more_ decisions will decrease security, not increase it, as it provides more ways to trick them, more ways to downgrade them, more reasons for them to blindly agree to whatever dialogs pop up.
Of course, improving things like not making everyone concurrently trust all CA's would be grand. I wasn't trying to oppose this, only pointing out that the CA specific problems are only one part of a system with many issues.
Certificates and "authorities" Posted Sep 8, 2011 12:09 UTC (Thu) by sgros (subscriber, #36440) [Link]
Your use of the term "HTTPS" confuses me! What you mean by "HTTPS"? For example, what do you mean by "HTTPS should provide"?
For me, HTTPS is a layered protocol (HTTP + SSL) in which SSL protects communication using provided certificate.
Certificates and "authorities" Posted Sep 8, 2011 9:25 UTC (Thu) by nmav (subscriber, #34036) [Link]
This is of course only your opinion. If you can tolerate encryption without authentication, it is good for you, but no good for me. I don't care if I talk to someone secretly so no-one hears if I don't know whom do I talk to. The examples of failures you mention are really because of you reluctance to use the provided interfaces. Security -online or offline- requires to follow some protocols. If you don't want to follow them, don't expect security.
Certificates and "authorities" Posted Sep 11, 2011 1:29 UTC (Sun) by foom (subscriber, #14868) [Link]
> If you can tolerate encryption without authentication, it is good for you, but no good for me.
You're missing the point there. Which is better: no encryption whatsoever, or encryption without assurance of who you're talking to? The second is plainly better, as it defeats at least *some* types of attackers (those who have intercepted, but do not have the ability to modify your traffic). By now, all web ought to at least be at the "encryption without authentication" level.
Clearly, authentication of who you're talking to is an important feature to have, but requiring that be present to enable the use of encryption at all was a colossal blunder in the development of HTTPS.
Certificates and "authorities" Posted Sep 16, 2011 17:09 UTC (Fri) by bjartur (subscriber, #67801) [Link] By now, all web ought to at least be at the "encryption without authentication" level. Which, as HSTS, provides adequate data security over end-to-end TCP connections on links that attackers can not inject malicious packets to. This does nothing to protect you against the most dangerous villains: MTAs, ISPs, proxies and the like.
Certificates and "authorities" Posted Sep 17, 2011 2:26 UTC (Sat) by njs (guest, #40338) [Link]
The NSA isn't a dangerous villain?
Encryption without authentication forces any potential broad-scale sniffers to take a more active role, which may be politically problematic and is certainly much more expensive. (Decrypting/re-encrypting a few million TCP flows on the fly is not cheap or easy.)
Certificates and "authorities" Posted Oct 18, 2011 20:46 UTC (Tue) by rich0 (guest, #55509) [Link]
Considering how prevalent cookie theft is over unsecured WiFi I'd say that there is a huge case for encrypted communications even if they aren't authenticated.
Sure, there is always the risk of MITM but at least you force the attacker to make an active attack, which then creates the opportunity to detect the hacker. Just have a few police stings in campus coffee shops or whatever and I bet you'd have some impact on the practice.
I'm amazed sometimes at the XOR approach we take towards security - either very secure but lots of cost/hurdles, or absolutely and completely insecure. A better approach is to provide a tiered system where everybody can work out how secure is secure enough for a particular application. Use DNSSEC and stick the required security level (as well as certificates) in the DNS record for a site and you have a standard way of ensuring the client and server are on the same page where security is important.
The bigger picture Posted Sep 8, 2011 14:18 UTC (Thu) by scripter (subscriber, #2654) [Link]
Thank you for reminding us of the bigger picture of placing trust, beyond the scope of Certificate Authorities and SSL.
A colleague once stated, "encryption was the opiate of the 90s". I'm not so sure that we've gotten past our delusions of what encryption can accomplish, even in 2011.
Certificates and "authorities" Posted Sep 9, 2011 21:24 UTC (Fri) by Simetrical (guest, #53439) [Link] You accurately summarize many of the failings of HTTPS in practice today, but don't give enough credit to solutions that are being worked on and deployed right now. First: It's not widely used. Because of the extra software and layer-8 complexity people simply don't bother to use it. Some complexity is unavoidable for authentication, but HTTPS as deployed provides all or nothing security: You don't get ephemeral encryption which makes eavesdropping harder and detectable and which could be provided without any administrative burden unless you also swallow the full authentication pill. This one I'm in total agreement with. I don't know of any good solution being worked on. HTTPS is a headache even for big sites to get right -- https://amazon.com is proof enough of that. Still, it's worth pointing out that the highest-profile targets are also the ones who are most likely to actually have the resources to deploy HTTPS properly. (in practice: self-signed certs throw warnings at users which hardly provides any security, but provides enough FUD to make them mostly useless, instead the browsers could just completely hide that such pages are encrypted but they don't) That behavior would destroy any benefit of HTTPS. A MITM could intercept any HTTPS connection and take it over by just serving a self-signed cert, and the only way the user would know is if they were aware enough to notice the UI changes. I wrote up a more detailed explanation of this on LWN a while ago. If we want encrypted but unauthenticated HTTP, we should either reuse the http scheme or make up a new one. The https scheme has to remain reserved for full authentication only. The lack of ubiquitous mandatory HTTPS makes downgrading attacks utterly trivial: "Oh no, my victim is using SSL! Oh wait, thats no problem, I'll block port 443 and they'll switch to http because its not unusual for HTTPS to fail to work". HSTS is a good improvement on this particular fault, but even though it is trivially activated practically no sites support it and it creates its own complicated failure modes and still suffers from an inability to securely initialize it. It creates its own failure modes, but so does anything. It can be securely initialized right now via browsers shipping with lists of sites that should always use HTTPS. Chrome already does something like this for some Google sites, and in fact that's how these forged certificates got detected to start with. In the medium term, you could in principle securely initialize HSTS using DNSSEC, although the performance implications would need to be carefully considered. HSTS is definitely going to greatly improve HTTPS security, although admittedly it will make it yet more complicated. The authentication model is also failure prone. Certificates expire frequently and users routinely encounter certificate errors even on big name high profile sites. Browser vendors have tried to combat the resulting blind clicking by making the process more burdensome (three clicks in firefox, IIRC) but increasing the burden of the task simply makes the inattentional blindness more potent. I had recent experience with this: Some teammate linked to an IETF page in chat, and the IETF had an expired certificate. I managed to click through the warnings without ever realizing they were there, only noticing it when other people in the chat commented. None of us reported the expired cert perhaps we were all just MITMed with an old cert, we'll never know because the HTTPS model simply doesn't work. Part of this is probably because certs have to be reissued regularly, at a cost. If you set up a system where a site can refresh its certs automatically, like using DNSSEC, then this kind of failure is less likely. But yes, HTTPS is unreasonably hard to actually deploy properly, and I agree that's a huge problem. Despite its faults and the huge number of supported CA's, SSL is also costly: The smaller number of public CA's that are supported by a broader set of browsers charge a lot, especially for the wildcard certificates which are needed to support subdomains. This further discourages usage. Using DNSSEC instead of CAs would fix this problem entirely. Recent Chrome already supports this. Certs would be free, and as reliable as the domain name registration process itself. An attacker who compromises the registrar could forge a cert, but that's a very small attack surface. The nice thing about Chrome's implementation is that it doesn't rely on DNSSEC actually being available on the client. It just sticks the signed record in place of the regular cert in the TLS setup. Thus the only limiting factors are browser support, and TLD signing. Lack of browser support will delay practical usability of DNSSEC certs for many years, unfortunately, but that's a problem with any realistic alternative too. Even when the CAs are functioning normally their validation process is a joke: usually it requires nothing more than responding to an email sent to a domain name administrative contact, or a file with a particular name placed on the site (and served via unauthenticated HTTP) in many cases neither are significant barriers to anyone with a fax machine or a little luck at guessing password. Yet making it better would only increase the already high costs. Once DNSSEC cert stapling is reliably available, there will be no reason for sites to use old-style CAs anymore. At that point, browsers can gradually drop support for them, only allowing DNSSEC-based certs, which don't have this impersonation problem. In the short term, HSTS should allow for individual sites to require that only certain public keys work for them (pinning), which works around it for now. Again, this is how the DigiNotar compromise was actually caught in real life. An Iranian Chrome user reported that they were getting hard failure when accessing Google sites, since the wrong cert was presented. Even though the cert was completely valid, Chrome blocked it because the correct public key was shipped with the browser. There's no reason this approach couldn't protect every site on the web that opted in. Furthermore, in the almost universally used without-PFS mode SSL certificates stored on a server are incredibly valuable to attackers: Capturing a sites certificate not only allows you to _undetectably_ impersonate the site for the duration of the cert (or until its revoked), but it allows an attacker to decrypt all communications with that server _prior_ to the exploitation which they may have captured. So, as deployed SSL does little to discourage the creation of billion dollar ubiquitous surveillance systems, as even when its used its easily defeated ex-post-facto! If you can get root access to the web server, sure. In that case, why not just take over the webserver process itself? Moreover, often your your browser talking to an intermediary "application service provider" rather than to the true far end of your communication. E.g. when you send an email on facebook the other end of your communication is your friend facebook is just a middle-man no different from your ISP. In this very common model HTTPS offers nothing in the way of end to end security, it simply moves the vulnerability point around. In the same way we don't consider our local WiFi WPA adequate to secure our internet traffic, we shouldn't consider HTTPS adequate. In almost all cases, the user actually wants the site they're connecting to to see their data. For instance, Gmail lets you search your mail, it can filter it according to criteria you set, it can heuristically mark certain messages as important or spam, etc. Most users just do not want solutions like PGP, because the security-convenience tilts drastically toward convenience for them. So I don't rate this as a problem with HTTPS at all. I could continue, but I think these points are enough to establish that the compromise any of many vulnerability of the CA mode is just one problem out of a great many. I disagree. The biggest problem with HTTPS today is that it's not secure against determined attackers, such as governments, because of the countless SPOFs (every CA in existence). The way to address that is to support public key pinning in HSTS, which has been discussed a bunch and is likely to happen in the not-too-distant future, I hope. Chrome already supports such a feature (although currently only for certain Google sites) and it did actually work against the DigiNotar compromise. The second-biggest problem with HTTPS today is that it's fragile and hard to set up. This is less tractable, but it's also less important. Relatively few targets are worth anyone's effort to MITM, and the ones that are can mostly handle the complexity. Certificates over DNSSEC will be a big step forward, because that will remove the cost, and then most of the remaining complexity can be automated away. HTTPS does suffer from several major design flaws that have caused untold harm to the web and its users. However, it's not a fundamentally broken approach and real efforts are underway to fix some of its worst problems. I wish progress could be faster, but it is happening.
Certificates and "authorities" Posted Sep 11, 2011 1:40 UTC (Sun) by foom (subscriber, #14868) [Link]
>> Capturing a sites certificate not only allows you to _undetectably_ impersonate the site for the duration of the cert (or until its revoked), but it allows an attacker to decrypt all communications with that server _prior_ to the exploitation which they may have captured.
> If you can get root access to the web server, sure. In that case, why not just take over the webserver process itself?
The point is that taking over the webserver should not allow you to decrypt sessions that occurred *prior* to the takeover. Yet, because of the shoddy encryption most commonly used for SSL, that is exactly what you can do.
Certificates and "authorities" Posted Sep 11, 2011 14:44 UTC (Sun) by Simetrical (guest, #53439) [Link]
I'm not familiar with SSL implementations to this level of detail, so I'll take your word for it. Regardless, this seems like only a minor additional level of compromise in the scheme of things. In most cases, such a breach will be pretty disastrous to start with, and lack of perfect forward secrecy doesn't make it that much worse. The fact that malicious governments can MITM sites like Gmail is an incomparably bigger issue.
Certificates and "authorities" Posted Oct 18, 2011 20:54 UTC (Tue) by rich0 (guest, #55509) [Link]
The issue is that the SSL certificate is used to encrypt the session key and transmit it to the server. That means that the corresponding key can recover the session key (which is a requirement, since the server has to know the session key to talk to the browser).
If you capture the entire SSL session and later recover the key from the webserver you could go back and decrypt the session.
Note that a CA breach doesn't help with this - the key is stored on the webserver and is used to generate a CSR - it never leaves the server in a good implementation. Apache at least lets you store it encrypted on-disk as well (which requires providing the password when you start the web server).
I'm not certain this would work, but I'd think the way that you could prevent this attack would be to have the webserver not actually give the client its certificate, but instead generate and sign a new certificate for each connection, and then give that certificate to the browser. It would still have a valid trust chain so it would be usable, but it would have a different private key. The webserver would then discard that private key after the session is complete so that nobody could go back and decrypt the session. Right now server certificates cannot be used to sign additional certificates, so that would need to change to make this work.
New URI suggestion Posted Sep 16, 2011 17:22 UTC (Fri) by borthner (guest, #4277) [Link]
May I suggest that httpe:// would be an appropriate scheme for encrypted but not authenticated traffic? This would solve a number of use cases. I get very tired of clicking allow on self-signed certificates for internal sites, but I'm too lazy (and overworked) to set up my own CA and import the CA into every browser on every computer I use. Browsers could take it as a given that httpe:// traffic would be allowed for any certificate, since the principal purpose would be to ensure encryption, rather than to ensure authentication. Sites where authentication of the server is critical would continue to use the https:// URI scheme.
New URI suggestion Posted Sep 16, 2011 17:28 UTC (Fri) by jrn (subscriber, #64214) [Link]
Encryption without _some_ sort of authentication is useless. For example, after a DNS cache poisoning attack, the other end could be a spy who is forwarding your data to the actual intended recipient. If you are lucky enough to have a DNS setup that is immune to cache poisoning, then that's a form of authentication.
New URI suggestion Posted Sep 16, 2011 22:14 UTC (Fri) by Simetrical (guest, #53439) [Link]
It's not actually useless. For one thing, it's possible to design a protocol where any MITM attack can be detected after the fact. tcpcrypt creates session ids in the course of setting up the encryption, with the property that they will match if and only if there was no MITM. Thus clients could conceivably store the session keys and compare them later over an authenticated channel.
The clients could also compare the session id's in some ad hoc way at the application layer. This will detect a MITM if the attacker is just blindly intercepting the encryption without understanding the higher-level protocol. For instance, if web browsers supported something like tcpcrypt, the current client session id could be exposed to JavaScript. Then obfuscated site-specific JavaScript code (complicated enough that it can't be automatically detected) could compare the client and server session id's, and bail out if they mismatch. A targeted attack against the particular site could work around this, but something that just intercepts all HTTPE traffic blindly would be detected.
Additionally, you could design the encryption protocol so that the initial stages are indistinguishable from an encryption-with-authentication protocol. Using tcpcrypt again as an example, you can layer auth on top of it by just setting up encryption as usual and then sending the server's session id to the client, signed with the server's certified public key. Then the attacker has to decide whether to try a MITM attack before knowing whether it has any chance of working. If he tries it and it turns out there is auth, he's detected, guaranteed.
So it's not true that encryption without authentication is useless. It does nothing against an ideal attacker, so it gives no guarantees. But it can make it a lot easier to detect attackers who are careless, and can make it harder for even careful attackers to pull off indiscriminate attacks with no risk of detection.
But I'm not sure it would be any easier to get such an encryption scheme working in browsers than to fix HTTPS so every site can use it. If we had SNI support and DNSSEC stapling support in all browsers of consequence, and DNSSEC were readily available for all domains, then good tools could conceivably make HTTPS about as easy to set up and maintain as a hypothetical HTTPE.
New URI suggestion Posted Oct 18, 2011 20:59 UTC (Tue) by rich0 (guest, #55509) [Link]
Agreed, and by forcing an active attack it makes detection and countermeasures possible.
Police could trace cookie theft to some coffee shop, then set up shop in the shop. They'd browse to some site and wait for somebody to MITM their connection (they'd be running software that detects an IP for gmail/facebook/etc that isn't valid). Then they'd capture MAC IDs, camera images, and maybe even use DF to figure out who the culprit is. They'd have probable cause to make an arrest and search a laptop to confirm it was used. Then you nail them to the wall and publicize this. Pretty soon the level of casual hacking goes WAY down.
|
|||||||||||||