Google: Maintaining digital certificate security
CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system."
Posted Mar 24, 2015 0:02 UTC (Tue)
by josh (subscriber, #17465)
[Link] (70 responses)
Hangs up anyone who thinks CNNIC as a whole will be removed for this incident, rather than just upbraiding them for trusting this particular holding company.
Posted Mar 24, 2015 0:22 UTC (Tue)
by josh (subscriber, #17465)
[Link] (13 responses)
Note that I'm not arguing against the ability for employers to intercept traffic on their own networks or from their own systems. That's fine, if obnoxious. However, it should always require adding the MITM CA as trusted in any client system. No such MITM CA should ever chain to any public CA, and doing so should be grounds for immediate blacklisting of that CA.
IIRC, that was exactly Mozilla's stated policy the last time this occurred, and Mozilla explicitly stated that any such CA that didn't immediately come forward within X amount of time after that announcement would be removed immediately upon discovery. Here's hoping that actually happens.
Posted Mar 24, 2015 12:34 UTC (Tue)
by gerv (guest, #3376)
[Link] (12 responses)
If you accept the story that this was only used on the company's internal network, and you further accept that a company has a right to inspect data entering or exiting their network, then that sort of abuse has not occurred.
I'm fairly sure Google are not saying "there was no abuse, therefore everything's fine" - the tone of their blog post does not admit that conclusion.
Gerv
Posted Mar 24, 2015 13:31 UTC (Tue)
by ledow (guest, #11753)
[Link] (9 responses)
If something is signed by a valid CA that users worldwide may end up accepting without question, that's a different story entirely.
If you want to MITM, nobody is stopping you. Sometimes it's necessary. And that's why you use your own certificate chain and add it to the machines somehow (even on BYOD setups).
Generating a certificate for a MITM that is signed by a CA that browsers trust by default, that's just stupid. Sure, it lets you sniff "unknown", and that's exactly the problem. You just broke the chain of trust, deliberately and knowingly. Thus, you have no right to be a CA.
And THIS is why places like Google publish their certificate hashes and have their browsers check for the correct hash so they aren't MITM'd unknowingly.
Posted Mar 24, 2015 13:38 UTC (Tue)
by gerv (guest, #3376)
[Link]
Gerv
Posted Mar 24, 2015 21:17 UTC (Tue)
by robbe (guest, #16131)
[Link] (7 responses)
But it's not easy nor convenient to do at scale, especially not for for Firefox¹ or mobile devices. For BYOD it may actually incur legal risk².
We sell these MITM proxies at work, and about once a month I have to explain to a customer:
Customer: I want to <X>
¹ Gerv, you still listening? That's my number one pain point for FF on enterprise desktops.
Posted Mar 24, 2015 23:00 UTC (Tue)
by josh (subscriber, #17465)
[Link] (4 responses)
Good. It should be absurdly hard. If it were easier, more people would do it.
Posted Mar 24, 2015 23:18 UTC (Tue)
by pboddie (guest, #50784)
[Link]
Posted Mar 25, 2015 6:44 UTC (Wed)
by epa (subscriber, #39769)
[Link]
Posted Mar 26, 2015 21:30 UTC (Thu)
by robbe (guest, #16131)
[Link] (1 responses)
Unfortunately, the employer will just stay with IE in this case. Not installing Firefox is certainly easier than rolling it out *and* fudging one or more certificates into its trusted store.
Maybe a better way is to make adding a MITM cert easier, but show a different visual cue in the "security indicator" next to the URL. Example:
Padlock: we're pretty sure nobody can listen in
Posted Mar 26, 2015 22:19 UTC (Thu)
by josh (subscriber, #17465)
[Link]
As far as the right to do so: in my opinion, the provider of a network can intercept traffic if they want, but should not be allowed to do so without notice and consent.
Posted Mar 25, 2015 11:52 UTC (Wed)
by rich0 (guest, #55509)
[Link]
Posted Mar 25, 2015 12:34 UTC (Wed)
by gerv (guest, #3376)
[Link]
Gerv
Posted Mar 25, 2015 1:09 UTC (Wed)
by rodgerd (guest, #58896)
[Link] (1 responses)
Has the company disclosed, in a meaningful fashion, to users of its network that this is happening? Do they understand a third party is intercepting their Google (and banking and whatever else) login? What checks and controls does the company have to ensure the interception is used for legitimate purposes rather than, say, a rogue security officer stealing banking details?
Posted Mar 25, 2015 12:35 UTC (Wed)
by gerv (guest, #3376)
[Link]
Gerv
Posted Mar 24, 2015 6:12 UTC (Tue)
by ttonino (guest, #4073)
[Link] (14 responses)
Posted Mar 24, 2015 8:49 UTC (Tue)
by marcH (subscriber, #57642)
[Link] (8 responses)
It's not broken; it's only "centralized". As in: the nearest to the center you are, the easier you can spy.
Posted Mar 24, 2015 9:01 UTC (Tue)
by ttonino (guest, #4073)
[Link] (7 responses)
Posted Mar 24, 2015 16:57 UTC (Tue)
by jeff_marshall (subscriber, #49255)
[Link] (6 responses)
While DANE isn't perfect, at least it reduces the number of potential points of failure for any given domain (Verisign for .com + whoever you put in your TLSA record). IMO, it would definitely be an improvement if any old cc-based CA couldn't successfully convince my browser that the certificate it just signed was valid.
Posted Mar 25, 2015 12:36 UTC (Wed)
by gerv (guest, #3376)
[Link] (5 responses)
They are if you deploy HPKP, which was invented precisely to give sites an opt-in way to avoid this problem.
Gerv
Posted Mar 25, 2015 14:50 UTC (Wed)
by cesarb (subscriber, #6266)
[Link] (4 responses)
Posted Mar 25, 2015 15:33 UTC (Wed)
by gerv (guest, #3376)
[Link] (3 responses)
Gerv
Posted Mar 25, 2015 16:24 UTC (Wed)
by josh (subscriber, #17465)
[Link]
Posted Mar 25, 2015 21:05 UTC (Wed)
by cesarb (subscriber, #6266)
[Link] (1 responses)
That's not a strong argument.
First, if my home connection (or work connection) is persistently MITM'ed, and I always (or almost always) use it, it's likely that both the first visit and all subsequent visits to any site will be MITM'ed.
Second, let's take a real example: online banking. The first time I ever connect to it, I set up the online password by using the ATM password. The online banking website asks for the ATM password as an extra verification when doing important transactions. That is, the first time I connect to that online banking website is precisely when I need the most for it to NOT be MITM'ed.
Sure, HPKP can remove a lot of the risk in many situations (nomadic devices, MITM starting after you've already visited the site, etc), but there are several situations in which it doesn't help.
Posted Mar 25, 2015 21:34 UTC (Wed)
by dlang (guest, #313)
[Link]
There are a lot of cases where something like this does help, and if it can be coupled with something like the ssh key update things so that planned migrations from one key to another don't generate noise for users, there would be a lot of value in it.
Posted Mar 24, 2015 9:32 UTC (Tue)
by Aissen (subscriber, #59976)
[Link] (4 responses)
Posted Mar 24, 2015 9:52 UTC (Tue)
by matthias (subscriber, #94967)
[Link]
Maybe this would not help much against NSA, as they might be able to steal the secret key of the root CA, but this helps against all those little criminals, that just want to break my banking security to empty my bank account.
With SSL it is enough to get hold on the private key of one of the thousands of sub-CAs available. With DANE (ontop of DNSSEC), the attacker needs access to the root key, the key of the TLD, or the key of my bank. I would feel much better if I just have to trust these three instances, instead of the thousands of CAs out there.
Posted Mar 24, 2015 13:45 UTC (Tue)
by job (guest, #670)
[Link]
What DNSSEC allows is this issuance to be made cryptographically secure, so Widget Ltd. can prove that they are indeed the legitimate owner of widgets.com. And DANE hijacks this cryptographic assurance to transfer TLS keys.
For all practical purposes, this system does not place more trust in TLD operators as they already have the power to delegate (and by extension, get a certificate for) a domain. In a DANE-only system, you would remove or reduce the complete trust in every CA world wide. But no one is currently proposing that, and it's not going to happen overnight.
However, not many are using it, which shows. There is a big push to modernize TLS right now (RC4 and SHA1 is out, ECDHE and GCM is in, for example), and no one is really looking at DNSSEC.
Posted Mar 24, 2015 16:36 UTC (Tue)
by flussence (guest, #85566)
[Link]
DANE as currently specced can be used in two ways: ignore a compliant user-agent's pre-trusted CA list entirely (leaving the DNS as the sole chain of trust), or augment it as a whitelist where the TLSA records have to match the site and CA certificates presented.
The latter would require an attacker to not only MITM with a "trusted" certificate in the browser's store, but also do the same for DNSSEC.
Posted Mar 25, 2015 11:57 UTC (Wed)
by rich0 (guest, #55509)
[Link]
Using DNSSEC for SSL certs would still give them the same power over .com, but it would eliminate its ability to spoof anything outside of that domain.
Then if a website owner doesn't trust Verisign, then can just avoid .com.
There is no simple solution to PKI that doesn't involve trusting somebody. However, using a hierarchical system tied to DNS at least greatly reduces the amount of trusting that you have to do. Right now navy.mil has to trust some Chinese CA to not spoof it, and vice-versa. In what world does that make sense?
Posted Mar 24, 2015 8:22 UTC (Tue)
by paulj (subscriber, #341)
[Link]
Hell, I expected this long before, just from observing the CA list in my browser growing and growing from a dozen or two to many dozens.
I also expect this is just the tip of the iceberg, that this has happened many others without being noted publicly.
Posted Mar 24, 2015 13:49 UTC (Tue)
by job (guest, #670)
[Link] (4 responses)
It would not be fair to treat CAs differently according to their nationality.
Posted Mar 25, 2015 5:17 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
Posted Mar 25, 2015 6:07 UTC (Wed)
by josh (subscriber, #17465)
[Link] (2 responses)
Posted Apr 2, 2015 6:13 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
[1]http://arstechnica.com/security/2015/04/google-chrome-wil...
Posted Apr 10, 2015 12:40 UTC (Fri)
by ghane (guest, #1805)
[Link]
http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150...
Posted Mar 24, 2015 16:07 UTC (Tue)
by flussence (guest, #85566)
[Link] (34 responses)
And yet *nothing* will be done about it, because Mozilla, Google, et al. have some undisclosed agenda in keeping this security theatre going forever. They're not even *trying* to maintain an illusion of security - StartSSL got a free pass after trying to extort a profit off of its "free" SSL users following Heartbleed.
I wish SSL/TLS would die. It's a horrible protocol and nobody does it right, neither in the code nor layer 8. It's worth about as much as software patents.
Posted Mar 24, 2015 16:30 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link] (4 responses)
Suppose Google say "This is too much" and drop CNNIC, but nobody else does.
Users who visit a lot of sites with CNNIC certificates get annoying errors and things stop working properly, they ask their friends, and the owners of the sites, and both say "That's just Chrome, switch to Firefox". So they do.
Now Chrome has lost market share, and the users are seemingly no better off. So why would Google want to do that?
Posted Mar 24, 2015 21:15 UTC (Tue)
by alankila (guest, #47141)
[Link] (3 responses)
Posted Mar 25, 2015 3:57 UTC (Wed)
by roc (subscriber, #30627)
[Link] (2 responses)
Posted Mar 25, 2015 6:32 UTC (Wed)
by alankila (guest, #47141)
[Link] (1 responses)
Posted Mar 25, 2015 13:40 UTC (Wed)
by nye (subscriber, #51576)
[Link]
Posted Mar 24, 2015 16:39 UTC (Tue)
by josh (subscriber, #17465)
[Link] (27 responses)
That's not even close to the same category as CAs abusing their position of trust to enable MITM attacks. Why fault the only zero-cost CA for charging for something that actually incurs a cost on their end, when every other CA charges for certificates in the first place?
> I wish SSL/TLS would die. It's a horrible protocol and nobody does it right, neither in the code nor layer 8.
TLS seems fine, as long as you kill off the CA model and replace it with a more sensible scheme. What would you suggest replacing TLS with?
Posted Mar 24, 2015 20:03 UTC (Tue)
by flussence (guest, #85566)
[Link] (20 responses)
>That's not even close to the same category as CAs abusing their position of trust to enable MITM attacks. Why fault the only zero-cost CA for charging for something that actually incurs a cost on their end, when every other CA charges for certificates in the first place?
Part of the supposedly rigorous NSS database inclusion process is that any enrolled CA is *required* to issue revocations for any certificate if it becomes known they've been compromised. There's no clause about compensation, and I'm not satisfied with that assertion that throwing a few keys in a CRL until they expire months later is unfairly costly to maintain either. They'd be getting positive PR for their expense in any case.
A few users gave evidence of breaches happening to StartCom and got brushed off with a "pay up or get lost" prewritten reply. At least one user went as far as posting their private key in a Github repo to make a point - amusing but also had no result. So, now, there's undeniably compromised certs in the wild with StartCom's brand name and browsers' trust attached to them. The complete indifference on the corporates' part should be a huge red warning flag.
> TLS seems fine, as long as you kill off the CA model and replace it with a more sensible scheme. What would you suggest replacing TLS with?
Anything a bit closer to the web and reality than ASN1 (itself a rich source of nasty bugs) and X.509. libsodium looks like a good starting point.
I'm also not a fan of the STARTTLS command - it's something that can conveniently go missing without detection, depending on the protocol it's used in. Secure should be the default, compatibility be damned.
Posted Mar 24, 2015 22:22 UTC (Tue)
by riking (guest, #95706)
[Link]
Wasn't there a snafu where Verizon Mobile or someone was doing s/STARTTLS/XXXXXXXX/ on the mail ports?
Posted Mar 24, 2015 22:58 UTC (Tue)
by josh (subscriber, #17465)
[Link] (16 responses)
But in any case, hopefully Let's Encrypt will make this all easier.
> Anything a bit closer to the web and reality than ASN1 (itself a rich source of nasty bugs) and X.509. libsodium looks like a good starting point.
Fair enough, but someone needs to actually build and standardize a real protocol on top of that. It's far too easy to get wrong. And as awful as ASN.1 is, TLS has had close scrutiny from a huge number of people, which is a high burden for any potential replacement to meet.
> I'm also not a fan of the STARTTLS command - it's something that can conveniently go missing without detection, depending on the protocol it's used in. Secure should be the default, compatibility be damned.
No argument there. Open port, immediately start cryptographic handshake protocol.
Posted Mar 25, 2015 6:06 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (14 responses)
Posted Mar 25, 2015 8:06 UTC (Wed)
by tialaramex (subscriber, #21167)
[Link] (13 responses)
The last few rounds of crypto protocol attacks have concentrated on messing about with padding. That's a great place to look because "I'll just handroll something and it'll be so simple it won't have any mistakes" people like you often are frustrated to discover that padding is even necessary and they decide they don't care about it at all, thus opening up an avenue of attack.
But TLS from the outset specified that padding is always to have a specific value and be verified along with the payload, thus defeating this sort of attack. That's a result of scrutiny by people who know what they're doing.
Posted Mar 25, 2015 18:06 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (12 responses)
Padding and ability to downgrade are just symptoms - any modern protocol should avoid them entirely.
Posted Mar 25, 2015 18:18 UTC (Wed)
by dlang (guest, #313)
[Link] (7 responses)
The "downgrade" is just that the software at the two ends is being updated on different schedules and they need to find something they both understand. One side views it as being as secure as it knows how, the other side sees it as a "downgrade" from the best that it knows how.
Posted Mar 25, 2015 19:01 UTC (Wed)
by pizza (subscriber, #46)
[Link] (3 responses)
Posted Mar 25, 2015 19:09 UTC (Wed)
by dlang (guest, #313)
[Link] (2 responses)
A case I ran into a few years back was where we had a site that was mostly open to the public, but we wanted one subdirectory to be protected by a client cert. This required renegotiating the connection.
Yes, in theory it could allow to renegotiate to a stronger connection and not to a weaker one, but how _exactly_ do you define in an unambiguous way which options are stronger than others? Especially as new vulnerabilities are discovered.
Posted Mar 25, 2015 19:22 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
> A case I ran into a few years back was where we had a site that was mostly open to the public, but we wanted one subdirectory to be protected by a client cert. This required renegotiating the connection.
A real protocol should have an optional authentication layer built on top of it. I.e. you establish a secure connection and then use it to transmit a signed token that proves that it's really you (the token must include a hash of the transport-level parameters). There's absolutely no need to renegotiate lower transport levels for that.
Posted Mar 25, 2015 19:46 UTC (Wed)
by dlang (guest, #313)
[Link]
This is not the case. At most you could say that encryption is "strong enough" against a particular threat model.
but just because the NSA could crack something with a datacenter full of computers doesn't mean that the encryption is worthless if what you are trying to protect against is a child in your family.
As for no encryption being stronger than any other, 512 bit RSA keys are not as strong as 4096 bit RSA keys. At one point 512 bit keys were 'strong enough', but now they generally are not considered to be 'strong enough' against any non-trivial threats.
Posted Mar 25, 2015 19:15 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Then there's an ability to use session tickets to resume TLS connections without a full renegotiation. I'm pretty sure that there are vulnerabilities still undiscovered there, since pretty much nobody actually uses them yet lots of servers inherit it from OpenSSL.
So yes, I think the world would be better with plain text HTTP - we might actually get a simple and secure transport protocol instead of the TLS mess.
Posted Mar 26, 2015 19:07 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (1 responses)
Eeh, what? Resuming SSL sessions is used a lot. You need it to get any kind of performance out of an HTTPS site. See this bug enabling it in Firefox in 2008.
TLS isn't perfect, but it's come a long way as the knowledge of cryptography has improved. The installed base is not to be sneezed at and we're getting a lot better at pushing out updates.
Posted Mar 26, 2015 19:09 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
And no, in practice they're not used that often.
Posted Mar 25, 2015 22:17 UTC (Wed)
by tialaramex (subscriber, #21167)
[Link] (3 responses)
Posted Mar 25, 2015 22:20 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Posted Mar 25, 2015 23:29 UTC (Wed)
by cesarb (subscriber, #6266)
[Link] (1 responses)
Posted Mar 26, 2015 6:18 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Mar 25, 2015 12:25 UTC (Wed)
by rich0 (guest, #55509)
[Link]
I then publish those 1000 private keys so that anybody can spoof those domains. Those certificates are completely compromised.
StartSSL won't revoke any of them.
Why exactly should browsers trust StartSSL to issue certificates? They have a policy of not revoking certificates they know are compromised, even if it is pointed out to them.
If they need to start charging up-front I don't have a problem with that. I'd prefer not having any free SSL options so that there is pressure to create one, rather than having a free SSL option that isn't secure and causes everybody problems.
Posted Mar 25, 2015 12:39 UTC (Wed)
by gerv (guest, #3376)
[Link] (1 responses)
I'm rather interested in that. Citation, please?
Gerv
Posted Mar 26, 2015 15:45 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
Posted Mar 25, 2015 12:17 UTC (Wed)
by rich0 (guest, #55509)
[Link] (5 responses)
My understanding is that you can't even issue a new key for a domain without paying them to revoke it.
The problems are:
and
3. Anytime somebody brings up the issues with CAs costing money people always trot out StartSSL and say "hey, you can use these guys for free!" The problem is that you can only do that if you don't follow good security practices.
Posted Mar 25, 2015 16:21 UTC (Wed)
by josh (subscriber, #17465)
[Link] (4 responses)
No, you can get a new certificate issued at any time as long as you can prove domain ownership; you just can't get the old one revoked.
Posted Mar 25, 2015 21:45 UTC (Wed)
by mgedmin (subscriber, #34497)
[Link] (2 responses)
Posted Mar 26, 2015 11:40 UTC (Thu)
by nye (subscriber, #51576)
[Link] (1 responses)
Posted Mar 26, 2015 13:36 UTC (Thu)
by mgedmin (subscriber, #34497)
[Link]
Posted Mar 26, 2015 14:29 UTC (Thu)
by apoelstra (subscriber, #75205)
[Link]
Posted Mar 25, 2015 14:47 UTC (Wed)
by cesarb (subscriber, #6266)
[Link]
For all its ills, it's the best we have. Ripping it out would mean a return to plaintext. The solution is not to rip it out; what's being done, instead, is to evolve it in a backwards-compatible manner, gradually fixing its mistakes, like the lack of explicit IV or its use of the less robust mac-pad-encrypt order (which leaves the padding unprotected by the MAC).
The real problem is not with TLS; the real problem is with PKIX. Again, ripping it out would mean a return to a world where anyone can spoof any server, so we have to live with it until a better solution is found.
Posted Mar 24, 2015 16:12 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link] (2 responses)
I will be disappointed in any outcome where CNNIC CA remains trusted. But I've come to expect to be disappointed on this issue, it's evident that basically no-one takes it seriously, whether that's end users, browser vendors or CAs themselves.
Posted Mar 24, 2015 19:39 UTC (Tue)
by walex (guest, #69836)
[Link] (1 responses)
To do MITM attacks against (allegedly) their own systems, that is their own employees, without leaving a paper trail
«MCS could easily use an API to request each certificate as it was needed.»
That leaves a paper trail.
«CNNIC would have oversight on how it was actually being used»
It is touching to see such awesome optimism. :-)
But the above are trifling details, the core story is amazingly huge: at least some commercial registrars are willing to sell unrestricted signing certificates specifically for use in MITM attacks to those who pay for them and are unlikely to get caught.
How many security services and other (private) criminal gangs around the world are in possession of unrestricted signing certificates? Likely lots of them.
The consequence can be described very simply: the UK Shibboleth Federation discourages members from using CA-signed certificates for authentication, and anyhow *requires* every certificate registered with them to have their fingerprints communicated out-of-band for authentication, the trust fabric does not involve any CAs:
http://www.ukfederation.org.uk/content/Documents/Setup2SP
Posted Mar 24, 2015 21:03 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link]
No, that's what they supposedly actually used it for, I was talking about what they supposedly needed it for. CNNIC told Google that they issued the intermediate CA "on the basis that MCS would only issue certificates for domains that they had registered".
If you believe CNNIC they're grossly incompetent. That's my point, even based on _their_ version of events what they did defies reason and should get their CA cert deleted by all the vendors, but it won't happen.
Posted Mar 28, 2015 7:13 UTC (Sat)
by ptman (subscriber, #57271)
[Link] (1 responses)
Posted Apr 1, 2015 11:26 UTC (Wed)
by robbe (guest, #16131)
[Link]
A write-up of your findings would be hightly appreciated.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
> that's why you use your own certificate chain and add it to the machines
> somehow (even on BYOD setups).
Me: You must turn on HTTPS inspection for that to work.
Customer: But the manual says I then have to install a certificate on every device. That's so much bother! Isn't there a better way?
Me: No legal one, no.
² If I do e-banking from this MITM-ready device, non-repudiation conveniently goes out the window.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Stethoscope: someone is watching your decrypted traffic, ostensibly for malware, but insulting your boss or planning a coup is probably not a good idea either
Megaphone: only politeness protects you, don't do anything you wouldn't do in the cafeteria
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Since trust-roots aren't restricted to the domains over which they should have authority
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Not the first
Not the first
Not the first
Not the first
Not the first
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Yet people still keep finding glaring errors in it. It means this protocol is a failure.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Being so complex that it can't be implemented sanely.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
No you don't. There shouldn't be 'stronger parameters'. Encryption is either strong or useless.
Client cert _authentication_ does not mean 'stronger parameters', it just means that.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
https://bugzilla.mozilla.org/show_bug.cgi?id=415033
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
At least one user went as far as posting their private key in a Github repo to make a point - amusing but also had no result.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
1. Their users have incentive to continue to use potentially-compromised keys because it costs money not to do so.
2. Even if their customers somehow switch to a different key the old key remains valid, and can be used to compromise anybody who trusts them as a CA.
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
Google: Maintaining digital certificate security
nameConstraints