SSL/TLS encryption and the vacant lot scam: Too big to fail

Find out what kind of scam masquerades as security on the Web, how the scammers are "too big to fail", and why we should make the switch to an alternate system of certificate validation.

Transport Layer Security (TLS) encryption, still sometimes called SSL, is the encryption backbone of Web security. It is what secures your connection every time you point your browser at a site that uses the https:// URI scheme. A system of certification authorities (CAs) is used to validate the certificates used as encryption keys, to ensure there is no man-in-the-middle attack in progress while connecting to a secured Web resource, or that the Web resource at the other end of a connection is not someone merely pretending to be what the client expects to find. In theory, the CA checks out the certificate applicant to ensure it is not a scammer or otherwise malicious party, then provides a digitally "signed" certificate the applicant can use. This is the Public Key Infrastructure. In theory, it sounds good.

In theory, theory and practice are the same. In practice, they are often quite different. The fact of the matter is that the PKI trust model does not work the way people think. In fact, recent events suggest it does not work at all. Experience tells us that relying on the CAs to issue and validate security certificates is possibly worse than no validation at all.

I have addressed the PKI scam before, in the article, "The TLS/SSL Certifying Authority system is a scam." This time, I will address the classic form the scam takes.

The Vacant Lot scam

The trust we place in the CAs is predicated upon a lot of guesswork and wishful thinking, and on the CAs' own claims that they are trustworthy. The belief in the trustworthiness of CAs depends entirely on the motives of the CAs involved. Specifically, the problem comes from the fact that the PKI system is a vacant lot scam. In a vacant lot scam, someone assumes the color of authority by a simple act of declaration in order to charge people to park their cars in a vacant lot. People simply assume that, because there is someone asking for money to allow entry, that person is supposed to be there, and they pay the scammer. The truth of the matter is that the lot is vacant, and does not belong to that person.

By the same token, CAs are charging for something they do not possess: a greater ability to provide validation of TLS certificates than can be had without the CA. A number of alternative methods of validation for TLS certificates are coming to the fore as the flaws of the PKI system become more and more obvious. Among them are Perspectives (see "Perspectives: better than CAs?" as well) and Monkeysphere, both of which use a distributed agreement approach to validation that directly addresses the problem of "back door" certificates issued by CAs. Thus, out-of-band validation -- necessary to protect against things like a man-in-the-middle attack -- is the vacant lot, accessible for free to anyone who happens by, and the CA is the swindler taking our money.
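The distributed agreement idea described above, as an added example that is not part of the original article and is not code from Perspectives or Monkeysphere: a simplified model in which independent notaries record which certificate fingerprint they have seen for a host, and a client accepts a certificate only when a quorum of notaries has seen the same fingerprint for a minimum duration, without consulting any CA signature. The notary names, thresholds, record schema and sample data are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class Observation:
    """One notary's record of a key it saw for a host (hypothetical schema)."""
    notary: str
    fingerprint: str
    first_seen: int  # Unix time the notary first saw this fingerprint
    last_seen: int   # Unix time of its most recent sighting


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the certificate bytes as served by the host."""
    return hashlib.sha256(cert_bytes).hexdigest()


def evaluate(presented, observations, now, quorum=3,
             min_duration=30 * DAY, max_staleness=2 * DAY):
    """Classify the fingerprint the client was shown.

    consistent: >= quorum notaries still see it and have for min_duration
    new-key:    >= quorum notaries see it now, but only recently
    mismatch:   fewer than quorum notaries see it at all
    """
    current, established = set(), set()
    for ob in observations:
        if ob.fingerprint != presented:
            continue
        if now - ob.last_seen > max_staleness:
            continue  # this notary has stopped seeing the key
        current.add(ob.notary)
        if ob.last_seen - ob.first_seen >= min_duration:
            established.add(ob.notary)
    if len(established) >= quorum:
        return "consistent", sorted(established)
    if len(current) >= quorum:
        return "new-key", sorted(current)
    return "mismatch", sorted(current)


# Constructed sample data, not real certificates or notary output.
NOW = 1_700_000_000
NOTARIES = ("notary-a", "notary-b", "notary-c", "notary-d")
LEGIT = fingerprint(b"constructed long-standing certificate")
ROGUE = fingerprint(b"constructed fraudulently issued certificate")
ROTATED = fingerprint(b"constructed replacement certificate")


def attack_history():
    """All notaries have seen LEGIT for 200 days; one on-path notary sees ROGUE."""
    obs = [Observation(n, LEGIT, NOW - 200 * DAY, NOW - 3600) for n in NOTARIES]
    obs.append(Observation("notary-d", ROGUE, NOW - 3600, NOW))
    return obs


def rotation_history():
    """The site replaced its key yesterday and every notary sees the new one."""
    return [Observation(n, ROTATED, NOW - DAY, NOW) for n in NOTARIES]


if __name__ == "__main__":
    print(evaluate(LEGIT, attack_history(), NOW))
    print(evaluate(ROGUE, attack_history(), NOW))
    print(evaluate(ROTATED, rotation_history(), NOW))
```

In this model a fraudulently issued certificate is flagged because most vantage points never see it, whoever signed it; a legitimate key change lands in the "new-key" state and needs some other confirmation until enough history accumulates.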

Too big to fail

A number of government regulations designed to encourage real estate lending by eliminating the downside of lending to people who cannot afford their mortgages set the stage for the biggest financial meltdown in recent history. Banks and other lenders took advantage of the situation to make money in the short term. Eventually, this involved a lot of double-dealing, and the entire real estate market turned into a scam targeting the general public. When the market faltered and crashed in 2008, the flaws in the system as it had been set up were exposed, and those willing to look could easily see that the solution to the problem is to deconstruct the system in place. Government decided that perpetuating the problem in the long term by bailing out the system in the short term was how to "fix" things, because the big lenders were "too big to fail."

The same situation is playing out for the PKI system. It has been said that the laws of the Internet are embodied in code, rather than legislation. That being the case, we start with the analogy of government regulation.

Major browser distributors adopted the PKI system to encourage use of encryption by taking the responsibility for validating certificates out of the hands of users, setting the stage for the eventual collapse of the PKI trust model. Corporate certificate authorities took advantage of the situation to make money in the short term. Eventually, this involved CAs cutting deals with government and selling validated certificates -- site unseen, to coin a phrase -- to random strangers, as long as they paid, and the entire TLS certificate market turned into a scam targeting the general public. Now that the PKI trust model is faltering, the flaws in the system as it had been set up are exposed, and those willing to look can easily see that the solution to the problem is to deconstruct the system in place. Browser distributors have evidently decided that perpetuating the problem in the long term by continuing to include the biggest CAs -- also the biggest offenders -- in their trust lists is necessary, because the big CAs are "too big to fail".

After all, excluding a major CA that is used to validate too many sites' certificates would be a disaster for short-term public relations, since people might just assume there was something wrong with the browser.

The market crash

How does a market crash work for the PKI trust model? Consider the case of Comodo's recent security troubles with its certificate authority (or, as identified in The Inquirer's article, "Comodo admits hackers issued fraudulent SSL certificates," its Registration Authority):

WEB SECURITY OUTFIT Comodo has admitted that an affiliate registration authority (RA) was compromised leading to the issuance of fraudulent secure sockets layer (SSL) certificates.

This one article points out several key points about the weakness of the PKI system.

  • A security compromise at the CA (or RA) can allow, as the article put it, "several bogus SSL certificates to be issued" -- a weakness that effectively has no meaning in a distributed agreement system such as Perspectives or Monkeysphere where certificates may as well be self-signed.
  • As reported in the article, Comodo representatives said the domains targeted by the fraudulent certificates "would be of greatest use to a government attempting surveillance of Internet use by dissident groups".
  • Most problematic is the realization that, if some outsider can compromise a CA and cause fraudulent certificates to be issued, an insider can do so as well. No matter how secure they are against outsiders, CAs can themselves be the source of security issues.

That last point deserves special attention. Consider two key motivational factors:

  • If a CA considers the risk of accidentally issuing a certificate to someone who should not have it small enough, and considers its civil culpability in the case that such a certificate is issued a small enough problem, the CA is motivated to automate the process of issuing certificates as much as possible so that it can get paid by as many customers who want certificates as possible. This means bypassing any kind of rigor in ensuring the certificates are not being issued to scammers while being able to claim no fault despite the de facto complicity of the CA.
  • Governmental pressure in the form of legislation, law enforcement requests, National Security Letters, and other authoritarian demands could strongly motivate CAs to issue certificates that allow circumventing the security of TLS encryption. This not only puts the power to compromise the security of your encrypted access to a given site into the hands of government; it also spreads extra copies of trusted cryptographic keys around to more places, increasing the likelihood that the people the CA expects to violate your privacy may accidentally put those keys in the hands of others even less trustworthy.

If you are skeptical about the possibility of such things happening, you do not have to take my word for it. The Register's article, "How is SSL hopelessly broken? Let us count the ways," presents a laundry list of problems with the PKI system as it currently exists, presenting not only the problems described above but others as well that have arisen over the years.

Pricing is a problem

Many people point to the cost of validated certificates as a limiting factor for malicious security crackers. Supposedly, the cost of these certificates serves as a disincentive for them to just get their own certificates to trick people into trusting them. The registration process as well is supposedly a deterrent, but recent events as detailed by The Register disprove that theory, just as low-cost certificates -- for ten dollars or less -- undermine the idea that the cost is prohibitive. If a malicious security cracker is going to make enough money to justify the effort of setting up a server with a certificate to trick people on financial grounds, ten dollars or less is unlikely to matter in the grand scheme of things.

This matches up with the opinion of some people who believe the money is a real deterrent, of course. They believe that low price certificates are not sufficiently expensive to keep malicious security crackers from using them, and such low price certificates should be eliminated or demoted in their default level of trust. Higher prices may make the use of a certificate less enticing for low-yield scams, but if thousands of dollars will be made, a three hundred dollar certificate is not a real impediment either. Short of making them so expensive that nobody uses them, trying to price validated certificates out of the range of malicious security crackers is a lost cause.

The real problem with certificate pricing is that it encourages laxity on the part of the certificate authorities. They want to make money -- which means they want to make it as quick and easy as possible to issue certificates in exchange for a few bucks. The security of the encryption protocol and the care taken in checking up on their customers are secondary to that, and pursued only as far as absolutely necessary to be able to plausibly claim they are doing their jobs.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

9 comments
MarkGyver

Treat anyone with any certificate, even an unauthenticated certificate, as a CA and rate the CAs by their record. Add up the value of all the CAs that have authenticated a certificate to generate the certificate's rating, which could be represented by a number, a grade, or even a smiley face. With a comprehensible rating shown for each site, users should understand how trustworthy it is. If a CA is hijacked, its rating will drop to zero and it will stop contributing to sites' ratings until things are fixed up, and even then the CA won't be trusted as much as before. If a site is validated by only the one CA, then the browser will give a warning that the site's authenticity is no longer verifiable. If a site uses that CA, but has several others, then its authenticity rating will drop a bit, but not enough to generate a warning. If someone makes a fake certificate to impersonate a site, they can easily get the less reputable CAs to authenticate them. However, those CAs won't count nearly as much and the fake certificate will have a significantly lower rating, generating a browser warning. If a site wants to switch to a new certificate it generated, the site would first sign the new with the old, telling the browsers that the change is expected and avoiding warnings popping up, even if the new one isn't yet signed by everyone that signed the old one. This would also be a way that the browser would detect a fake certificate; if it's not signed by the old one, it's fake. This should allow browsers to function normally when dealing with old-style PKI certificates while also giving the benefit to more secure redundantly-signed certs. Also, there could even be cert-caching CAs that automatically validate all certs that have been verified by another CA without incident for a month, without PKI-users having to do anything extra. When a CA is compromised, the bogus certs made would not be signed by the cert-cacher CAs, making compromise-detection instant and automatic.
Basically, the PKI system can be trusted, but only after it's made redundant.

Realvdude

I think that making each individual responsible for their own security validation, is like doing away with law enforcement. That said, there is a due diligence that users don't seem to understand applies to them, like not necessarily trusting a website just because it has a certificate; much akin to locking your home or auto, regardless of where you live or park your car. I certainly believe there is room to improve security, like two pass authentication for financial websites. I also agree if CAs are not ensuring the identity of those they issue certs to, then either the competition or the government needs to motivate them to do so. It doesn't appear that you are stating that anything is wrong with technology, just the trust behind it.

VBJackson

Chad, I think everybody knows how strong an anti-government privacy advocate you are, but I think that calling PKI an empty lot scam is a bit much. Your idea of a fix is to require the end-user to check the validity of the security certificate. That is a lot of trouble for a techie like us. I can guarantee you that most users are going to do the same thing that they did for UAC in Vista - just hit accept without even looking. In my opinion, the more reasonable course is to force the CAs and RAs to do their job. If the cost of NOT doing due diligence is so high that failure is not an option, then it WILL get done, at least in most cases. If a single failure meant a $100,000 fine, and multiple failures meant having ALL their certificates revoked, I think we would see them straighten up and fly right. I also think that issuance of certificates to government agencies, other than public sites (i.e. .GOV) should require the equivalent of a search warrant, but we all know that no matter what, there are going to be surveillance and privacy issues. Does this mean that there is still a potential flaw in the system, yes. As you pointed out, there could still be internal compromises and governments could still require CA to issue certificates for mimic/sting sites. But under the alternative systems, a government agent could issue a self-signed certificate just as easily, and could use government resources to make sure it was accepted. We are talking about people, and until basic human nature changes there will ALWAYS be flaws in the system.

Duluth Networker

Thanks for pointing out the problem. Wouldn't it be great to have a solution users would find simple and intuitive to deploy? "Click here and be secure." I suspect our typical user doesn't know certificates from Cervantes, and all they want to learn is what simple steps they should take to follow a secure path. It's up to the analysts & technologists to make it simple enough for those users to be productive in a safe network environment.

NickNielsen

In fact, it sounds a lot like my understanding of how Perspectives works, using the existing PKI infrastructure as a basis.

apotheon

> I think that making each individual responsible for their own security validation, is like doing away with law enforcement.

Nobody "makes" individual users responsible for it; they are responsible for it by definition. They can shirk that responsibility, expecting others to look after their security for them without even thinking very hard about whether those others are trustworthy -- which is exactly what's going on with the certificate authority PKI. They can ask others to act on their behalf after spending some time applying a little due diligence to figuring out whether those others are trustworthy; this is a wholly reasonable approach. In neither case, though, do they actually stop being responsible for their own security. The only people who are not actually responsible for themselves are children, in the general case. Their parents are responsible for them. That's what it means to be an adult: being responsible for yourself.

> It doesn't appear that you are stating that anything is wrong with technology, just the trust behind it.

Indeed -- this article is not about the encryption tools themselves. It is about the validation system we use, which is fundamentally broken.

edit: fixing formatting after TR changes to how comments are formatted

apotheon

> I think everybody knows how strong an anti-government privacy advocate you are

I'm a pro-privacy advocate. Government is hardly the only misbehaving party when it comes to privacy violations, and while I used the government's handling of the mortgage market crash as an analogy here, it was certificate authorities -- private corporations -- that were the target of this article.

> I think that calling PKI an empty lot scam is a bit much.

What does this have to do with whether I'm "an anti-government privacy advocate"? Are you aware that the certificate authority PKI is not a government program? (I suppose you might claim it is, but then you become a government conspiracy theorist.) . . . and why is it a bit much? Look at my explanation of what constitutes a vacant lot scam, and how I described in the article the way the PKI promises us it has the authority to give us something (for a price) that is freely -- and more effectively -- available through other means. It looks like a one-to-one correspondence to me, rather than "a bit much".

> Your idea of a fix is to require the end-user to check the validity of the security certificate.

That's certainly something that should be available to us, but it's not "the fix". What I proposed as "the fix" is to use a distributed agreement system, which is automated by Firefox extensions like Perspectives and MonkeySphere.

> That is a lot of trouble for a techie like us.

Let's just say that, for some reason, you are incapable of using a browser extension that automates things for you. What then? Are you going to use a system that offers no real security because it's easy? If so, you get what you deserve -- just like someone who keeps voting for the Democrat to keep the Republican out of office, or vice versa, gets what (s)he deserves for that woefully uninformed approach to the democratic process. That is to say, (s)he deserves a crappy President and Congress, and (s)he gets it, in spades.

> I can guarantee you that most users are going to do the same thing that they did for UAC in Vista - just hit accept without even looking.

I would feel pretty confident in suggesting that you did not read very closely if you think that is what I was suggesting in the article.

> In my opinion, the more reasonable course is to force the CAs and RAs to do their job.

Good luck with that -- especially if you want to accomplish it without destroying the ability of the security industry to innovate, and without violating people's privacy in the process (thus burning the village to save it).

> If a single failure meant a $100,000 fine, and multiple failures meant having ALL their certificates revoked, I think we would see them straighten up and fly right.

I don't. I think we would see the CAs go out of business. Of course, if that was all that happened, I think it would be a net win, because it would hasten the migration to a better system. It's not all that would happen, though. There would be an even bigger "bailout" because the PKI system is "too big to fail".

> But under the alternative systems, a government agent could issue a self-signed certificate just as easily, and could use government resources to make sure it was accepted.

The kinds of bogus certificates that are used in the article's explanations have to be signed by the same entity as the legitimate certificates -- or at least signed using the same key. That would mean that the government, to sign its own certificates, would have to get the key from the CA. If there are no central CAs, that would mean that to make bogus certificates, the government would have to get the keys from each site whose certificates it wanted to spoof -- and even then, distributed certificate agreement would show the sudden appearance of the bogus certificate as a new certificate for sites that have already had established certificates for quite a while.

> We are talking about people, and until basic human nature changes there will ALWAYS be flaws in the system.

Maybe so, but the certificate authority PKI is a flaw -- a flaw that everybody seems all too ready to perversely accept as the core strength of the system. If you remove the PKI and replace it with a distributed agreement system, you eliminate that particular flaw.

edit: the constant changes in how comments are formatted here at TR have broken formatting on this comment; I tried to fix it

apotheon

MonkeySphere and Perspectives offer alternatives to the PKI system, with a nod to the idea that a self-signed cert confines the number of trusted parties involved in cert creation to one rather than requiring trust for multiple parties. Is an alternative to a broken system not a solution to the problem? I've also written articles about other approaches to solving the problem, such as "Why not use OpenPGP for Web authentication?" (addressing the matter of a replacement strategy for some purposes that, to put it in tongue-in-cheek style, brings a bit of "power to the people"). If you're looking for a solution that you can install on your home computer and will immediately work for 100% of sites, infallibly, you're in for a rude surprise. There is no such solution yet, though given enough growth for distributed agreement systems like Perspectives or Web of Trust approaches like MonkeySphere and OpenPGP, they'll get a lot closer to that ideal than the certificate authority PKI ever could. Tell me what basic criteria for usefulness a proposed solution should offer to satisfy you. edit: fixed formatting in the comment after changes in how TR discussion comments get formatted broke it

AnsuGisalas

"Allowing each individual to take responsibility for their own security" - after all, the https-system is completely opaque to the average user, it's a "magic" authority. If that magic authority is bunk, then it's like the bogus guns issued to people in the West World movie... they only work if the other guy wants to let them work. Good article.
