Certificate Security in the Wild West
Self-Policing Does Not Equal Security or Best PracticeThe hack of online certificate authority DigiNotar has raised a number of questions about Internet security practices and controls - questions for which the experts have no good answers.
The breach at Netherlands-based DigiNotar, which is now known to have lingered for several weeks, could have been avoided. [See Certificate Breach: 3 Lessons.]
No one wants to admit the flaws in the process used by browsers to verify trust in certificate issuers like DigiNotar, VeriSign and Comodo, which in March also suffered a breach.
But the system clearly is flawed, and not just for the fundamental security gaps that the DigiNotar incident revealed. The system is flawed because it is disjointed and unregulated. In short, it's the Wild West.
DigiNotar declared bankruptcy soon after news of its breach hit the street in late August. Though recent speculation suggests DigiNotar's parent, Illinois-based Vasco Data Security, took the breach as an opportunity to close an already-struggling business unit, the bottom line is that once the trust was gone, no one was going to do business with DigiNotar.
"For a CA company, your whole business is based on issuing certificates that browsers trust," says Mike Smith, an online security expert at Akamai. "If all the browsers take the CA certificate out of their lists, then any certificate that DigiNotar signs will not be recognized by the browser. So, why would I get a certificate from you if it doesn't work anywhere?"
Exactly.
But here's the deeper question: Why are these browsers and CAs self-policing themselves? Should there not be some body charged with overseeing how these certificates are issued and by whom, especially when so much private and personally identifiable information about consumers, corporations and government entities is at risk?
In the DigiNotar case, an independent audit conducted by IT security firm Fox-IT determined more than 530 counterfeit certificates were issued with common names like Google, Skype, Microsoft, blog-provider Wordpress, Equifax, Mozilla, CA Thawte and WindowsUpdate. With Google and Skype, it seems logical to assume hackers tried to infiltrate Gmail e-mail accounts and even listen to calls made via Skype. And names such as Microsoft.com and WindowsUpdate could be used to issue malicious software.
That's pretty scary, especially since browsers don't question certificates that appear to come from issuers they trust.
Here's the other problem: No one really knows how many certificate entities are out there. In the certificate space, intermediate CAs, often called registration agents, and root CAs, like DigiNotar, are listed as the official issuers of certificates and float around with equal yet divergent authority.
Intermediate CAs don't necessarily follow the same accepted best practices as root CAs. For instance, an intermediate CA could make a change or issue a certificate without notifying the root CA. And intermediates can create their own intermediates. It's truly an entangled mess, that, as Smith puts it, leads to an "abstraction of trust between the browser and the root."
So, certificates can be created without a check, depending on the level of the CA. "That's how this whole class of attack works," Smith says. "I go to somebody who doesn't actually check to see that the entity requesting the certificate does in fact own Google.com," for instance.
The good news is that the DigiNotar incident could lead to stricter policies regarding intermediate CAs. "Nobody really knows how many of those there are out there, and that's part of our problem," Smith says. "And nobody really knows how many of these intermediate CAs were allowed to generate additional intermediates. ... The more abstract you are from the Web browser to the root CA, the more people there are that can be compromised."
This is why some policing from a single authority, like ICANN, the Internet Corporation for Assigned Names and Numbers, could help.
Whether that's a task ICANN or some other entity plans to take on ... well, we'll see. In the meantime, continued self-policing among browsers and root and intermediate CAs is likely the best we can expect.
Yet, with so much security and privacy on the line, is the "best" really good enough?