Networking

SSL/TLS certificates: Perspectives helps authentication

Self-signed SSL certificates are an authentication nightmare. A group of researchers at Carnegie Mellon developed Perspectives, an application that potentially will remove some of the FUD. I'd like to explain the application and make a case for installing it.

In my last article "SSL/TLS Certificates: What you need to know," I wanted to make sure that Internet users were aware of self-signed SSL certificates and what it meant to authorize them without a thorough verification process. In my infinite wisdom, I then proceeded to explain how to go about verifying the certificates:

  1. Obtain a copy of the certificate using a trusted delivery method, such as e-mail or fax.
  2. Compare the certificate in question to the copy received and see if the details are identical. If so, then the certificate is valid.

That sounds like a lot of fun, doesn't it. No one has the time or inclination to do all that just to visit a HTTPS Web site, including me.

My bad

Ironically, while doing some on-line research after I published the article on SSL/TLS certificates, I happened to find myself staring at Firefox's "Unknown Authority" window. I'm muttering to myself: Man, I don't have time for this, and I OK'd the certificate. Whoa, it hit me like a ton of bricks, and to be honest I felt rather guilty. Here I am writing about certificate insecurity and I don't even listen to myself. I immediately decided to find a way to resolve this.

TR members to the rescue

It didn't take long for a potential answer to surface. Members Kevin Feyer and Seanferd both enlightened me about efforts by a group of Carnegie Mellon researchers. I'm very excited after reading the researchers' white paper "Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing" (pdf). First, the paper is very readable, to a point where I can even understand it (kudos to the authors). Second, although it's not infallible, the solution has a lot of possibility.

I'm still testing, trying to make sure the application does what it claims. So far so good, and because of that, I wanted to bring the application to the attention of TechRepublic readers. As I see it, there's no downside, and it has the potential to mitigate issues pertaining to certificate verification.

Perspectives: Better than "TOFU"

Researchers Dan Wendlant and Ethan Jackson along with advisers Dave Anderson and Adrian Perrig of Carnegie Mellon are the developers of Perspectives, a novel and simple-to-implement idea for certificate authentication. I'm not able to improve on their definition of Perspectives, so here's what they say:

"The popularity of "Trust-on-first-use" (TOFU) authentication, used by SSH and HTTPS with self-signed certificates, demonstrates significant demand for host authentication that is low-cost and simple to deploy. While TOFU-based applications are a clear improvement over completely insecure protocols, they can leave users vulnerable to even simple network attacks.

Our system, Perspectives, thwarts many of these attacks by using a collection of "notary" hosts that observes a server's public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server's key over time (recognizing short-lived attacks). Clients can download these records on-demand and compare them against an unauthenticated key, detecting many common attacks.

Perspectives explores a promising part of the host authentication design space: Trust-on-first-use applications gain significant attack robustness without sacrificing their ease-of-use. We also analyze the security provided by Perspectives and describe our experience building and deploying a publicly available implementation."

I must admit acronyms and I have issues, but TOFU quite easily defines a concept that I spent several paragraphs in a previous article trying to explain. To reiterate I'd like to revisit why TOFU is not in anyone's best interest:

  • Automatically accepting a certificate creates conditions where the user becomes vulnerable to malicious attacks anywhere along the data path.
  • On subsequent connections, if the received certificate is different from the cached certificate, the user must still determine whether the certificate is valid or not.
How Perspectives works

Perspectives consists of three distinct components: the notary authority, notary servers, and notary clients. In order to understand the process, let's take a look at each individual component:

The notary authority is the overall controller that determines which notary servers are authorized to service notary clients. The notary authority creates a daily listing of authorized notary servers and their public keys. This listing is signed using the notary authority's private key and pushed out to all of the notary servers that it's responsible for. The notary server consists of two components -- a probing module and a database storage module:
  • The probing module constantly monitors the Internet; looking for services that use certificates. If one is found the probing module pretends to be a client wanting to set up a secure link. The probing module takes the connection setup only to the point of where it receives the service's public key. At that point, the probing module drops the connection, since it has the information it needs.
  • The database storage module is a repository containing signed (notary server's private key) entries for each service that the probing module is monitoring. Each entry consists of certificate information, the type of protocol used, and ways to contact the service. After time, the entry builds a history of observed parameters.
The notary client is a Web browser add-on that contacts the notary server for one of two reasons. The certificate for the contacted Web site isn't in the Web browser's database or it doesn't match an existing certificate.

The following diagram (courtesy of the Carnegie Mellon researchers) depicts the interaction between the notary client and the notary server as well as the interaction between the probing module and network services such as Web sites that use SSL.

process.JPG

The next diagram (courtesy of the Carnegie Mellon researchers) is an example of the information sent from the notary server to the notary client in response to the notary client's initial certificate query.

notary-records.jpg

With all the pieces now understood, let's walk through a complete transaction:

  1. I open Firefox and try to access https://www.mpksecuresite.com for the first time.
  2. The Web server for www.mpksecuresite.com sends a certificate to Firefox.
  3. Firefox and the notary client realize that the certificate is new, so the notary client sends a query to the appropriate notary server.
  4. The notary server looks up the certificate entry for www.mpksecuresite.com.
  5. After finding the information, the notary server signs the query response with its private key (signature) and sends it back to the notary client.
  6. The notary client has the public keys for all the notary servers that it uses, so it can verify that the query response from the notary server is valid and not from a spoofed notary server.

How the preferences are set up in the Perspectives client will determine how the client presents the information to the user. The following image is one example of how the preferences can be configured.

preferences.JPG

How does this help?

Perspectives provides a secure method for Internet users to obtain information about certificates published by services such as SSL Web sites. The information includes historical data from multiple notary servers, creating what may be considered a quorum, and allows Internet users to make an informed decision as to whether the certificate is valid or not. The following image is an example of the Perspectives application warning that the notary server's quorum duration is only 1.39 days (the configuration specifies two days). So it flagged the HTTPS Web site, allowing the Internet user to make a more informed decision as to whether to accept the certificate or not.

results1.JPG

Final thoughts

Making better decisions because of additional information is what makes Perspectives so appealing. The Carnegie Mellon researchers also did a great job of making Perspectives very configurable. Perspectives can be as granular or automated as you want. That should eliminate angst among users who just want to be secure and get their work done.

I use and recommend Perspectives. If there are some concerns, please refer to the researchers' paper on Perspectives. The paper goes into much more detail and should answer any questions you may have.

-------------------------------------------------------------------------------------------------------------------

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and an independent wireless consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

39 comments
JDA2
JDA2

Why create all this "parallel universe" of SSL certificates? Why not just buy a signed cert from an established certificate authority? Thay're not all that expensive these days.

Jaqui
Jaqui

Isn't Perspectives a tool to make T.O.F.U. a bit safer? After all, it's designed to help you make an informed decision about trusting a certificate that is not from a CA in the "trusted" list. I did run a test about CA's and certificates with a windows XP Pro system, I deleted the CA list and installed certificates. [ just like I do with any os I install for myself to use. ] It broke windows, couldn't boot afterwards. :D I'm still in thinking mode on perspectives, I haven't thought about verifying certs from "non-trusted"(sic*) CAs before. * I don't "trust" any CA by default, so I have to decide on a per site basis every time.

JCitizen
JCitizen

I need to call the college and tell my old Cisco teacher to make all his students read these TR articles! Especially the ones authored by Michael!

Michael Kassner
Michael Kassner

Perspectives is one slick approach to help validate SSL certificates. If you read the article and give Perspectives a try, please let me know what you think.

apotheon
apotheon

Thanks for the link. I also added a note about this article at the end of my own article -- the readers should have all the resources at their disposal we can give 'em.

Michael Kassner
Michael Kassner

I take a bit of a different approach. I pretty much accept the trusted certificates as we really don't have much choice. I'm more focused on the self-signed certs as those are typically a great deal easier to subvert. I'm talking to the developers of Perspectives (a very knowledgeable group to be sure), and am getting the impression that they are looking for Perspectives to actually be a check on all certs. There's a certain amount of solidarity when several notary servers all agree that the cert session key is identical.

Michael Kassner
Michael Kassner

When you call them, ask if they have anything that they would like to read about. Especially with reference to networking.

Dumphrey
Dumphrey

but it raises some questions. 1) How can it find all the SSL web connections short of scanning every ip/ 2) Will this not create alot of "background" traffic. 3) How does it deal with legitimate cert changes? I guess the white paper may answer some of these so its my next stop. Thanks for another good post Michael.

seanferd
seanferd

I rather like your explanation, it has reinforced what I've already read. I still haven't had a chance to try the add-on, but I will do so. Thanks!

Michael Kassner
Michael Kassner

I realize that you are totally focused on the TR membership. I am as well, and have no idea as to where I would be without them.

Jaqui
Jaqui

isn't in the cerificates, or the authorities. It's the John Q Public perception that since there was no certificate acceptance dialogue, that the CA is backing / verifying the site as good to do business with. We both know that the CA's don't do that, even those who do verify data for the customer before issuing a cert don't endorse the customer, only the security of the site's ssl layer. The trusted CA list feeds the misunderstanding of the end user. Unless the CA will make good damages to the consumer from a bad merchant transaction they certified the website for they should not be listed in a "trusted" list. [ which is what the trusted list says to the typical end user ] Perspectives is sounding like a better thing to have in a browser by default, an [b]independant[/b] source that says that the certificate is a valid certificate, reguardless of source, or that brings up the issues with a cert. Because I use linux, I have the software to generate a cert, of any level, and install it into a web server. If I use a self signed cert for my own website, and sell them to my clients for their websites, does it make the site less secure than if the cert came from a well known authroity? Nope, only makes the browser throw a dialogue up about not knowing the authority that signed the cert, the encryption technology is the same for any cert. With perspectives, if it only talks about the cert as valid or not, expired or not, and encryption level supported.... maybe adding in the number of times this CA has been queried against with good results and bad results. [ bad results being cert corruption / expired detailed ] as a tool that is not trying to suggest anything about a CA endorsing the site as a trusted lst has become to the end user.

JCitizen
JCitizen

to add to our membership base! I've already been promoting you and our site to my IT and tech related Army buddies. The IT staff over there that actually run the network are already fans.

Michael Kassner
Michael Kassner

Hello Dumphrey, Well, I'm impressed I got answers for your questions from Dan Wendlant, one of the researchers and authors of the initial research paper. Here they are: 1) How can it find all the SSL web connections short of scanning every IP address? We actually use an "on-demand" model. If a client contacts a notary about a service that the notary has not already been scanning, the notary immediately queries that service, and responds with the results. Thus, the first client to ever contact a notary gets key results for the immediate moment, but no key history. To phrase this using terms from the paper, the client gets "spatial redundancy" but not temporal redundancy. We have also toyed with the idea of making a web crawler that uses google results to find HTTPS sites, and then test if their certificates are invalid. I've played around with this and it seems promising, but haven't done anything on a large scanning. An interesting note: scanning at the IP layer does not necessarily help you, because it would only let notaries bind IP addresses to certificates. To be secure against a man-in-the-middle attack using DNS, clients must query notaries using the DNS name of the service they are interested in. > 2) Will this not create a lot of "background" traffic? I'm not sure if "this" refers to the scanning mentioned in question 1 or Perspectives in general. I'll assume the later, as we don't actually perform the scanning mentioned in question 1. As we discuss in section 7.1 of the paper, the bandwidth overhead of key monitoring is surprisingly small. Bandwidth-wise, grabbing the public key is similar to downloading a single small jpeg image from the service being queried. In fact, the directional bandwidth required for a notary to query a million hosts per day (~200 KB/s) is roughly equivalent to a client download a low quality youtube video. Considering the vast amount of traffic sucked up by p2p sharing and new video intensive applications, the bandwidth needed by perspectives is tiny. And things will get better in the future: bandwidth rates increase 10x every few years, while the bandwidth required to monitor a single notary site will stay roughly constant. > 3) How does it deal with legitimate cert changes? Depending on the client's policy (i.e., what value they chose for a quorum duration, as described in the paper), the client may experience a brief period right after the key change when they are unable to override the security error issued by the browser. While unfortunate, this is still a vast improvement over the status quo. Additionally, it is worth noting that with perspectives, legitimate cert changes can be much more rare than they are today, because unlike certificates from a CA, these certs need not contain an expiration date. Thus, the main reasons to change keys, as I see it, would be the following: 1) I need to upgrade to a new, stronger key 2) I accidentally deleted my private key when i reinstalled the server and didn't have a backup 3) An attacker may have compromised my private key, so it is no longer secure. In the case of 2 or 3, if the server is compromised or reinstalled, it is likely that the site will experience some amount of downtime anyway. If a server requires extremely high availability, it is likely managed by someone with enough competence to make sure either 2 or 3 happens rarely if ever. 1 is more interesting. Every couple of years, you will want to switch to a more secure key. We've tossed around the idea of allowing servers to response with 2 certificates, a primary cert and a secondary cert. Thus, the notary could start building a key history for the secondary cert, even though it is not supplied to the clients. Thus, when the server upgraded the secondary key to the primary key, clients would immediately be able to see a history of that key in use. So in sum, the issue of legitimate key change is a tough one for perspectives. I think we can handle it pretty well, but in the end if you're the kind of site that needs extremely high uptimes, you're likely better off using a root-signed cert. I see the main value of perspectives as allowing any site to use HTTPS with out the server owner paying the cost (in dollars and management complexity) of participating in a PKI. I still think that major websites will (and should) continue using root-signed certs, with perspectives then acting as a second layer of security to prevent attacks.

Michael Kassner
Michael Kassner

Thanks Dumphrey, I'll be interested in hearing your comments after using it for awhile. I'm not sure if it's a coincidence, but my Firefox has been shutting down accidentally more since I have installed the add-on. Not sure if it's related or not. I have been in communication with the Carnegie Mellon researchers and hopefully they will be willing to comment on these questions or I'll send the questions to them and publish the answers.

Michael Kassner
Michael Kassner

It's kind of neat to play with. You can adjust the security level and then see how Perspectives works. I think it's a great idea and is well thought out. Thanks for the links as well about BGP. That was almost a deja-vu moment as BGP had issues several years ago. It's another one of those Internet backbone protocols that has to be bullet-proof.

VBJackson
VBJackson

I have to say that in one way I disagree with you, and in another I couldn't agree more. A large part of the problem is in defining what we mean by "trust", because that IS the root of any PKI infrastructure. So in PKI, we HAVE to have a starting list of certificate providers that we trust, and they HAVE to certify that they have issued certificates for specific purposes. That is what we are paying the CAs to do, provide that base layer of accountability. The problem is that, as Jaqui mentioned in a previous post, most USERS think that trust that a certificate that was issued also means that you can trust the site it was issued TO. PKI doesn't do that, and has never claimed to, and before EV certificates the only thing the CAs have claimed was that they had made some effert to ensure that the (Web, FTP, SSH, etc.) site that the certificate was issued for was actually registered to the person or company requesting the certificate. But even if they go way overboard and verified the name and address of every person that worked for the company, that doesn't say ANYTHING about the the web site that the certificate is protecting. It could be riddled with virus downloaders or taken over by aliens for all we know, the only thing that the chain of trust states is that the certificate for the website you visited belongs to that website, and that the website you visited is the one that the certificate way assigned to. Nothing more, nothing less. On the other side, even with additional research and confirmation expected for EV certificates, I agree with you that the level of security is only as good as the company providing it, and there will always be those that will only do the minimum amount of work that will avoid legal concequences. The thing is that there is no way to establish trust without SOME kind of central authority. Even the Perspecives system has to have one, because the certificates that authenticate the repository servers have to come from somewhere. The only advantage that I see is that you are, at least in theory, comparing the results from multiple authoritative systems to look for discrepancies. But you still have to rely on the operators to do thier job, and it still doesn't say anything about the reliability of the site the certificate is protecting. Victor

Jaqui
Jaqui

in my comments that self signed is no less secure. The biggest difference in the EV is that the CAs actually do background checks before issuing a cert. They should be required to do those for any but testing / temporary [ 30 day to 90 day ] certs. though doing the checks means no "instant" certificates.

Michael Kassner
Michael Kassner

Chad, I am in the process of writing an article about this very subject (EV certificates, hopefully out 04 Sep 08). I'd love to debate this platform, as so doing will offer the TR membership alternative options. I just want to engage every TR reader and give them the best of all worlds.

apotheon
apotheon

This isn't really the kind of thing that's particularly susceptible to supporting evidence. Chalk it up to my profound mistrust of claims of authority, the effectiveness of checklists, and the long-term integrity of any process that is managed by a bureaucracy (which is all a public corporation is, anyway -- a private sector profit-oriented bureaucracy).

Michael Kassner
Michael Kassner

Chad, I respect your opinion immensely. So please forgive me if I ask for some tangible evidence as to why you feel this way. I'm researching EV certs right now and there's a great deal of effort and cost being put forth by vendors and CAs to explicitly make it a great deal safer for Internet users.

apotheon
apotheon

Extended Validation Certificates aren't really anything to write home about. It's just more money spent for reduced liability to the CA and more marketing BS for CA customers. It doesn't in any way actually guarantee anything about the security of the site. It's just a bureaucratic checklist. I don't "trust" an EV cert any more or less than any other. Perspectives is the first software I've seen that provides a really useful validation system. In short, CAs are kind of a half-baked scam that plays on the tendency of most people to desire "authorities" that will make their decisions for them. My concern isn't the cost. It's the fact that EV certs create an impression of trustworthiness where none has been demonstrated.

Michael Kassner
Michael Kassner

I'm in the process of researching EV certs right now for the next article. Specifically, I'm trying to find the exact details and what kind of teeth the certificate will have. Most of the signing CAs are on the forum that is regulating the EV cert.

Jaqui
Jaqui

the library file does contain the "personal" information about the upper level management needed for verification purposes. If the company has a website, a lot of them have small bios about the top level management personnel, which is often sufficient for verification purposes. Since a company is legally a person the main focus is on the company. The personal information needed for the responsible parties doesn't go deep enough to invoke the privacy protection laws, it being all in publicly available records. Partnerships the company is the partners, so the partnership agreement [ with the details of what each partner brings to the company ] is the important document, as well as annual reports. The sole proprietorship is the person, so it's information is all the personal information of the owner, and is all under the privacy protection laws. One thing about companies that may have an impact, with the exception of a sole proprietorship, every registered company is a "limited liability" entity, meaning that no-one on the payroll can be held personally liable for damages. A sole proprietorship, the owner is personally liable for damages in event of any legal action against the company.

Michael Kassner
Michael Kassner

Good points Jaqui, I had even heard there's a requirement to get some personal information about responsible company members.

Jaqui
Jaqui

unless a company is new, or a sole proprietaorship, the local library for them will have a lot of information on the company, free,like annual reports. getting copies shipped is a small cost. a credit bureau lookup os a couple of hundred. company registration info from their local gov is about 100 BBB information for their local office is usually free, though for this type of purpose they may have a small charge. of them all, the library file on the company has the most information. a scan of this file for negative press, and annual report profit / loss statements will show how good or risky an EV cert is going to be. reading the business sections of at least one major newspaper from each country every day will also give you a lot of information about well known companies, and about what industry of the customer is looking at. This reading of files and papers is the majority of the man hours involved, and the papers is a very low cost item since it is for all customers. it's the library files / credit report / bbb reports that are a per customer cost. a new company won't have the records available. a sole proprietorship it's all the "personal" information, which is much, much harder to get out of agencies, for very valid legaal reasons. [ priivacy protection laws ccome into the foreground. ] To deal with the sole proprietorship or individual you will need a blanket authorisation to access their credit records or tax records to get anything. Most CAs don't like the sole proprietorship or individual when it comes to an EV cert because of this issue.

Michael Kassner
Michael Kassner

I thought the same thing when talking about cost, but couldn't really quantify it. Maybe the cost will come down as it gets more popular.

Jaqui
Jaqui

associated with getting the information to verify a company so the EV certs will never be available as a "free" cert, I can understand that. But a reasonable charge for the costs of verification, and operating expenses [ man hours ] with a bit of profit is not amiss. I don't agree with a 2 thousand dollar a year cost for them. I can get all the information verified for about 500. figuring in man hours such a cert could be priced at 750 first time buyer and then a much lower renewaal cost for additional years.

Michael Kassner
Michael Kassner

Very well said. That's why I hope the EV cert takes hold as it does force the signing CAs into due diligence when issuing certificates. My concern is the cost, it shouldn't be that much but is.

JCitizen
JCitizen

I could only find Linux and some other FOSS version there. The only stuff I run on FireFox right now is SiteAdvisor and an Active X blocker that works in the registry to augment FireFox called Spyware Blaster. So far my in depth approach is working with every test page/tool I've tried. Every since IE7 started using colored bars for SSL sessions, I've been interested in the improvements to the service. FireFox probably beat Microsoft to the punch on that one too; but I became aware of it too late. I was working in so many other technical areas at the time I just couldn't keep up, but that has changed lately.

Michael Kassner
Michael Kassner

Not sure what you mean J? Are you talking about Perspectives? It's a Firefox add-on if you are. I'm so impressed with the researchers at Carnegie Mellon. These guys are top notch and very busy, yet took the time to answer my questions. Very cool. Kudos to Dan and Ethan.

JCitizen
JCitizen

And thanks for the very informative article! They don't seem to have a Windows version; maybe now I will finish my Linux project.

Michael Kassner
Michael Kassner

It's almost detailed to a point where it might be irritating to many people.

seanferd
seanferd

Tried it out on maximum security to make sure it was as verbose as possible. For the site I went to, it even offered to check when I changed pages within the secure site.

StealthWiFi
StealthWiFi

Great article Michael, I will have to give that a try thanks for the writeup. It would be neat to see this built into Firefox. Cheers,