
Fraudulent certificates in the wild — again

Posted Jan 7, 2013 18:06 UTC (Mon) by giraffedata (subscriber, #1954)
In reply to: Fraudulent certificates in the wild — again by Lennie
Parent article: Fraudulent certificates in the wild — again

There is a reason Verisign sold its SSL-branch to Symantec.

And there's a reason Symantec bought it. Looks to me like evidence that it's a profitable business with a future.

(Actually, a sale of a business tells you nothing about whether it's a good business; it tells you the seller and buyer believe that the buyer can operate the business better than the seller can).



Fraudulent certificates in the wild — again

Posted Jan 8, 2013 17:34 UTC (Tue) by Lennie (subscriber, #49641)

Yes, it was just my interpretation about why they didn't want to be in that business anymore. Obviously I could be wrong.

Fraudulent certificates in the wild — again

Posted Jan 9, 2013 11:46 UTC (Wed) by tialaramex (subscriber, #21167)

The "profitable business" only has to last until it's paid for its purchase, and not even that long if you believe you can sell it to a bigger sucker. SSL CAs are in the picture for at least one more generation of browser technology (say, 10 years), but longer term they're dead by their own hands. Since nobody in the stock market has apparently heard of periods of time longer than a quarter that doesn't matter for Symantec.

But anyway, CAs are not solely in the SSL market. For SSL there was a competitive market, and technological pressure to innovate the CAs out of existence. The walled gardens are a much better opportunity. Typically the walled garden owner agrees a monopoly deal with you, the CA, where either they bundle your certificates with an SDK or their ISVs come to you separately to buy one, say once per year. The owner takes a slice of the money, you spend a slice more on overheads and the rest is clear profit with zero risk of being undercut by desperate competitors. Even if something goes wrong, the walled garden owner is in more trouble than the CA and will spend money on both PR and digging its way out, they're unlikely to offer the CA as scapegoat if they think they can still fix it, and as we've seen with SSL, you can just insist that whatever happened is "in the past" (when else would it be?) and won't happen again.

So expect Verisign SSL to still be there in ten years, but with SSL certificates as a very small part of the business, hardly mentioned in any financials and largely forgotten by the general public.

Fraudulent certificates in the wild — again

Posted Jan 9, 2013 14:25 UTC (Wed) by Lennie (subscriber, #49641)

I don't know what technology will be chosen in the future, but AFAIK DNSSEC/DANE is currently the only generally available protocol/standard.

The only parties that need to implement it are the browser vendors. They do however depend on an Internet where proper checking of DNSSEC material is possible.

This can be handled by something part of the browser, handled by the operating systems or something installed on the network or local machine ( http://www.nlnetlabs.nl/projects/dnssec-trigger/ ).

This hasn't happened, partly, because there are other issues in the network that prevent this, ranging from DSL routers which block large responses to just plain browser resolvers. A failover to HTTP or similar to collect this information is possible, but no one has come forward to set up a large distributed network of servers for this.

From the browser vendors I only see an interest in this field from the Google Chrome/Chromium developers and Firefox developers.

Google Chrome/Chromium uses the same NSS-library and, I believe, the same CA-store as Mozilla/Firefox.

The NSS-library is getting a lot of development, for example to refactor to easily support SPDY, but I haven't seen a lot of DNSSEC-/DANE-related development.

The Chrome/Chromium developers are developing their own DNS-library to improve performance. I've not seen any initiatives to add DNSSEC-validation support to it.

Chrome/Chromium does support this as a test:
DNSSEC-chain validation for DNSSEC-validated DNS-material embedded in the SSL-chain.

No other browser supports this and you can't have both the normal CA-chain and the DNSSEC-chain in the same SSL-certificate configuration. It is something that might be possible in theory, but different browsers handle this case differently and you end up with at least one browser giving errors depending on the choices you make.

Even if all this is said and done DNSSEC does not solve what the CAs call "extended validation" certificates (also known as the green bar).

In the meantime there are addons for Firefox and Chrome which you can use to add DNSSEC-/DANE-support to those browsers. I think there is even an IE extension; when combined with DNSSEC-trigger you have a full solution which should always work.
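To make concrete what the DANE checking described in the post above actually involves, here is an added example (not code from the post, from any browser, or from any of the addons it mentions) of the TLSA matching step from RFC 6698: pick the full certificate or just its SubjectPublicKeyInfo according to the selector, hash it according to the matching type, and compare against the record's association data. The "certificate" it checks is a constructed, minimal DER skeleton with no real key or signature, built in the block solely so the example runs offline; `build_fake_cert`, `parse_tlsa_rdata` and the sample key bytes are this example's own inventions.

```python
import hashlib
import hmac

# TLSA record fields (RFC 6698):
#   usage:    0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
#   selector: 0 full certificate, 1 SubjectPublicKeyInfo
#   matching: 0 exact match, 1 SHA-256, 2 SHA-512


def der_tlv(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos):
    """Return (tag, body, position after this TLV) for the TLV at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: next (ln & 0x7f) bytes hold the length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln


def extract_spki(cert_der):
    """Walk Certificate -> TBSCertificate and return the encoded SubjectPublicKeyInfo."""
    _, cert_body, _ = der_read(cert_der, 0)    # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)         # tbsCertificate is its first element
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                            # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    _, _, end = der_read(tbs, pos)             # subjectPublicKeyInfo
    return tbs[start:end]


def tlsa_matches(cert_der, usage, selector, matching, assoc_data):
    """RFC 6698 section 2.1 matching; the usage only decides what else must be checked."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("unknown certificate usage")
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector")
    if matching == 0:
        digest = data
    elif matching == 1:
        digest = hashlib.sha256(data).digest()
    elif matching == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return hmac.compare_digest(digest, assoc_data)


def parse_tlsa_rdata(text):
    """Parse presentation format '3 1 1 <hex>' (assumed helper, not a DNS library API)."""
    usage, selector, matching, hexdata = text.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", ""))


def build_fake_cert(spki_der):
    """Constructed stand-in for a certificate: right DER layout, no real key or signature."""
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02")) +   # [0] version v3
                  der_tlv(0x02, b"\x01") +                  # serialNumber
                  der_tlv(0x30, b"") +                      # signature algorithm (placeholder)
                  der_tlv(0x30, b"") +                      # issuer (placeholder)
                  der_tlv(0x30, b"") +                      # validity (placeholder)
                  der_tlv(0x30, b"") +                      # subject (placeholder)
                  spki_der)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed sample: an SPKI with placeholder algorithm and a made-up 3-byte "key".
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00\x01\x02\x03"))
SAMPLE_CERT = build_fake_cert(SAMPLE_SPKI)
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()


def check_sample():
    """Run the DANE-EE / SPKI / SHA-256 check against the constructed certificate."""
    return tlsa_matches(SAMPLE_CERT, *parse_tlsa_rdata(SAMPLE_RDATA))


if __name__ == "__main__":
    print("TLSA record matches certificate:", check_sample())
```

Note that only usages 2 and 3 (DANE-TA, DANE-EE) take the CA out of the picture; usages 0 and 1 still require the certificate to pass ordinary PKIX chain validation, so a site choosing those usages has added a DNSSEC dependency without removing the CA one.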

Fraudulent certificates in the wild — again

Posted Jan 9, 2013 17:27 UTC (Wed) by giraffedata (subscriber, #1954)

The "profitable business" only has to last until it's paid for its purchase
This is equally true of Verisign and Symantec (with the Verisign version being "until it's paid for what it could have sold for.")

And that was my point: the fact that the SSL CA business transferred from one company to another doesn't tell us whether the business has a future. (If you look closely, you see I haven't argued that SSL CAs are here to stay; I argued that the transfer to Symantec is not evidence of that).

... not even that long if you believe you can sell it to a bigger sucker ... Since nobody in the stock market has apparently heard of periods of time longer than a quarter ...

Give me a reason to believe that Verisign likes long-lived businesses more than Symantec, that Verisign is less interested in the stock market, or is a smaller sucker than Symantec, and then we have evidence, together with the sale of the SSL CA business, that SSL CAs are doomed. That wasn't present in the original post.

Fraudulent certificates in the wild — again

Posted Jan 14, 2013 11:16 UTC (Mon) by ortalo (subscriber, #4654)

Pretty realistic analysis.
But then, what should (open source) browser developers do? Is it time to start an alternate "certificate-like" technology? Is it time to push for crazy things? [1]
I am not especially worried about paying for LWN.net: for that we could certainly find a way. However it seems the Web will be here apparently within 10 years and more and more people are using it for (slowly) increasing financial transactions. Sounds like things could turn annoying in general...

[1] My try: support GnuPG certificates with individuals as roots of trust in browsers, integrate gnucash with git for secure publication of accounting status. Crazy enough?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds