x.509 Certificate Danger

The EFF and iSEC have posted their slides on x.509 certificate research. They call it an HTTPS Observatory. I guess it is a good thing they did not ask me because I would have called it the SSLatarium.

Some of the observations (ok, observatory makes sense) are the usual stuff you might expect. Our trust includes far more information than we could possibly verify in detail. This is true in regular life so it’s no surprise we have similar behavior when faced with the nontrivial certificate system on the web. I have always argued that certs are basically a failure and authority does not exist. The value of SSL is in the ability to encrypt communications. No one, except perhaps Verisign, walks around boasting about CAs or talking about how authorities are great.

I would like to take this moment to remind everyone how many unprotected windows there are in an average neighborhood. We trust that all the anonymous people wandering by outside will not try to break the window or fool us into opening our door. Authority is something difficult to put a finger on. A badge? A car with blinking lights? The Internet is a dangerous place with even less information about authority. It’s not obvious in what kind of neighborhood your browser lives and who it should trust. Back to the question of certificates. We knew they were bad. We knew they were untrustworthy. What now?

The presentation says to this point “Who are these [Certificate Authorities] we trust & what’s going on?” I sense a Harvey Keitel movie plot coming — Certificate Authority gone bad.

The observatory was created by mining the Internet for TLS communication and then recording X.509 certificate data. Here are some fun facts from their database of roughly 10 million handshakes:

  • The majority (6.5 million) of sites used invalid or self-signed certs.
  • Wildcard certs are used more often than they should be.
  • Google and Microsoft are impersonated.
  • There are around 1,500 CA certificates trusted by IE (the presentation says Windows) or Firefox.
  • Your browser probably trusts all intermediary certs signed by the CAs, including the Department of Homeland Security and Booz Allen Hamilton.
  • Mozilla has 124 trust roots from 60 organizations.
  • GoDaddy is practicing unsafe authority-ness with just one signature for 300,224 leaf certs. I would have guessed this from their advertising campaigns anyway, but it is nice to see the data backs it up.
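The tallies above (self-signed certs, wildcards, leaf certs per signer) come down to a few checks over each harvested certificate. The following is an added example, not code from the EFF/iSEC observatory: it builds a small constructed certificate population with Go's standard crypto/x509 and computes those same counts. The issuer name "Constructed Root CA", the example.test hostnames and the helper names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// makeCert issues a constructed test certificate; a nil parent makes it self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed: the template is its own issuer and its own signer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixed inputs, cannot fail
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify produces observatory-style tallies: certs whose signature verifies under their own key (self-signed), wildcard subjects, and non-CA leaves per issuer CN.
func classify(certs []*x509.Certificate) (selfSigned, wildcard int, leafByIssuer map[string]int) {
	leafByIssuer = map[string]int{}
	for _, c := range certs {
		if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			selfSigned++
		}
		if strings.HasPrefix(c.Subject.CommonName, "*.") {
			wildcard++
		}
		if !c.IsCA {
			leafByIssuer[c.Issuer.CommonName]++ // the "one signer, N leaves" view of an issuer
		}
	}
	return selfSigned, wildcard, leafByIssuer
}

// sampleSet is a constructed population: one root, two leaves it signed (one wildcard), one self-signed leaf.
func sampleSet() []*x509.Certificate {
	root, rootKey := makeCert("Constructed Root CA", true, nil, nil)
	leaf, _ := makeCert("www.example.test", false, root, rootKey)
	wild, _ := makeCert("*.example.test", false, root, rootKey)
	self, _ := makeCert("selfsigned.example.test", false, nil, nil)
	return []*x509.Certificate{root, leaf, wild, self}
}
```

On the sample set this reports two self-signed certs (the root and the stand-alone leaf), one wildcard, and two leaves chained to the constructed root.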

To answer the question in the presentation, yes the CA model is fundamentally broken. Authority has not worked out so well at the giant global level. No big surprise since there is hardly any big global authority to back up the authority role and management that a clean CA infrastructure would require. I think the failure maps well to the world outside of technology and people are wise to think of it in the same way they might identify and measure a physical authority.
