Over a decade ago I described the horrors of blindly trusting SSL “certificate authorities” like Thawte, Network Solutions and GoDaddy to an online discussion group. Things haven’t improved much. Back in the day one of my web servers was being aggressively attacked by the Code Red worm. It was quite the evil little monster. The thing is, the most malicious server that was attacking my server, was within the network owned by Thawte. Yes, that Thawte…the one that was responsible for most of the SSL “security” certificates of the period!
What it is
First, I guess I should explain what SSL is. SSL (Secure Sockets Layer) is the technology behind the httpS you see in the URL when you visit “secure” websites. SSL effectively encrypts all content between the browser and the server, and back again. The information is encrypted with a public key that the browser understands and a private key that the server understands. As long as this traffic is truly bidirectional and uninterrupted, it adds a level of security that simply doesn’t exist in normal web browsing. SSL does NOT affect the security of any data stored or transmitted on either side of that communication, such as email or database storage. In the context of browsing, it only encrypts data in transit between the browser and server.
Next, we should define “security”. I know this sounds silly, but it’s actually quite important to effecting true security. Security isn’t different just because it’s on a computer. I would define it as being free from risk and danger. For the pedantic among us, there is no such thing as true security, and security, especially in the technology world, is always evolving. However, security is entirely based on trust. Anyone that’s ever had a relationship knows that trust isn’t simply black or white, but many shades of gray. The level of trust is tied to reputation, brand, knowledge, past experience and other indicators. But the old adage remains: trust, once lost, is difficult to regain. What hasn’t yet made it to adage status, is that sometimes it’s extremely hard to lose that trust when you need to.
You see, the way SSL works isn’t simply a matter of the two ends – the browser and the server. It also includes the certificate provider or “Certificate Authority” (CA). For most SSL certificates, the CA validates that the individual or organization buying the certificate is actually representative of them. Equally as important, the CA operate as a validation step to ensure that invalid certificates are revoked and that their own authority is trusted.
Sadly, if the CA itself is violated, the only method to ensure that the certificates they’ve released are corrected is when their own certificate expires (usually in only 20 or so years), or when your operating system vendor releases an update to the root certificate authority keys (only a couple times per year), or during a browser update cycle (mostly random).
How often could this happen, anyway? Too often.
A decade ago at least one server from Thawte was actively pushing malware at one of my servers, and when contacted, they avoided responsibility for it by saying something like “don’t worry, it wasn’t an important server.”
Certificates have been forged a number of times since then. Last year VeriSign issued fake certificates.
In March of this year, Comodo (another major CA player) was compromised and issued fraudulent certificates. Three times!
Four months ago, iOS (the operating system behind iPhones and iPads) had to release updates to address certificate authority issues of their own. iOS (one of the fastest growing operating systems in the world) isn’t updated very often, but due to the way it’s designed, even something as “minor” as a certificate authority update (which should only be a couple megabytes) needs to replace the entire operating system – over 600mb – each time.
Three months ago, StartSSL was hacked and issues fake certificates for many of the most popular sites.
Two months ago, DigiNotar, another SSL Certificate Authority, was hacked and issued fraudulent certificates for Google, Microsoft, AOL, Yahoo, Twitter, WordPress and others. Last week these fraudulent certificates were used against Google to gain access to users accounts. Microsoft released a quick patch ‘fixing the problem‘ by revoking the CA certificate. Well, at least for everyone using Vista and newer. Today they updated that patch to revoke all DigiNotar CA certificates and include Windows XP (no longer supported!) in the release.
These attacks are now more frequent and more common. So, knowing that this happens, how it happens, and how it can be prevented…why is it still happening?
Because the system itself is flawed. This is what’s called “low hanging fruit” in the security industry. A single exploit that can be used for as much as twenty years, especially if the user doesn’t apply regular updates? That’s a no-brainer.
Instead of issuing CA certificates that expire every couple decades, how about a system that validates the CA’s on a daily or even hourly basis? Instead of reliance on that level of trust lasting way longer than your computer ever will, we should nip it in the bud and limit that trust to minor increments. In the words of Ronald Reagan, “Trust, but verify.”
The CA should be put to the test far more frequently than every few months. Heck, I have clients whose websites are validated by various security scanning systems on a daily basis. Daily! And yet, it took two months for DigiNotar – a company whose business is literally attesting to the security of others – to detect that their system was hacked and eliminate the forged certificates…and that only happened when the fraudulent certificates were actually being used in the wild!?! How can anyone actually put their trust in these people?
Sure, Microsoft, today, released an update that revoked all of DigiNotar’s CA certificates…but it shouldn’t have taken Microsoft a full week to figure out that a company that was hacked over two months ago — and never noticed — probably shouldn’t be relied on as an authority on security! Sigh.
The bottom line is that security is a matter of trust. And I want everyone to understand exactly what that means. The problem isn’t that the certificates were “fake” – they were 100% valid and “trusted” by every browser in the world only 9 days ago. The problem is that the level of trust that this validity itself was based on was misguided. The system itself is flawed, and no reactive “quick update” mentality to the CA lists is going to fix the endemic flaw. Certificate Authorities are essential to this process. But they must be put to higher levels of scrutiny than they currently are. After all, if Thawte were hacked (again) today, it could literally affect the “millions” of their existing customers and anyone else that were foolish enough to trust the brand more than their history.
I call on the SSL industry to reconsider their trust metrics. No less frequently than daily!
And while we’re waiting on this major SSL industry shift, it sure would be nice if Apple took the time to address the CA flaws in iOS with yet another 600mb+ update. No rush, guys, it’s just the security of about 40 million users in the US at stake.
Keep it clean out there, folks!