Transport Layer Security (TLS) encryption, still sometimes called SSL, is the encryption backbone of Web security. It is what secures your connection every time you point your browser at a site that uses the https:// URI schema. A system of certification authorities (CAs) is used to validate the certificates used as encryption keys, to ensure there is no man in the middle attack in progress while connecting to a secured Web resource, or that the Web resource at the other end of a connection is not someone merely pretending to be what the client expects to find. In theory, the CA checks out the certificate applicant to ensure it is not a scammer or otherwise malicious party, then provides a digitally “signed” certificate the applicant can use. This is the Public Key Infrastructure. In theory, it sounds good.
In theory, theory and practice are the same. In practice, they are often quite different. The fact of the matter is that the PKI trust model does not work the way people think. In fact, recent events suggest it does not work at all. Experience tells us that relying on the CAs to issue and validate security certificates is possibly worse than no validation at all.
I have addressed the PKI scam before, in the article, “The TLS/SSL Certifying Authority system is a scam.” This time, I will address the classic form the scam takes.
The Vacant Lot scam
The trust we place in the CAs is predicated upon a lot of guesswork and wishful thinking, and on the CAs’ own claims that they are trustworthy. The belief in the trustworthiness of CAs depends entirely on the motives of the CAs involved. Specifically, the problem comes from the fact that the PKI system is a vacant lot scam. In a vacant lot scam, someone assumes the color of authority by a simple act of declaration in order to charge people to park their cars in a vacant lot. People simply assume that, because there is someone asking for money to allow entry, that person is supposed to be there, and they pay the scammer. The truth of the matter is that the lot is vacant, and does not belong to that person.
By the same token, CAs are charging for something they do not possess; a greater ability to provide validation of TLS certificates than can be had without the CA. A number of alternative methods of validation for TLS certificates are coming to the fore as the flaws of the PKI system become more and more obvious. Among them are Perspectives (see “Perspectives: better than CAs?” as well) and Monkeysphere, both of which use a distributed agreement approach to validation that directly addresses the problem of “back door” certificates issued by CAs. Thus, out-of-band validation — necessary to protect against things like a man in the middle attack — is the vacant lot, accessible for free to anyone who happens by, and the CA is the swindler taking our money.
Too big to fail
A number of government regulations designed to encourage real estate lending by eliminating the downside of lending to people who cannot afford their mortgages set the stage for the biggest financial meltdown in recent history. Banks and other lenders took advantage of the situation to make money in the short term. Eventually, this involved a lot of double-dealing, and the entire real estate market turned into a scam targeting the general public. When the market faltered and crashed in 2008, the flaws in the system as it had been set up were exposed, and those willing to look could easily see that the solution to the problem is to deconstruct the system in place. Government decided that perpetuating the problem in the long term by bailing out the system in the short term was how to “fix” things, because the big lenders were “too big to fail.”
The same situation is playing out for the PKI system. It has been said that the laws of the Internet are embodied in code, rather than legislation. That being the case, we start with the analogy of government regulation.
Major browser distributors adopted the PKI system to encourage use of encryption by taking the responsibility for validating certificates out of the hands of users, setting the stage for the eventual collapse of the PKI trust model. Corporate certificate authorities took advantage of the situation to make money in the short term. Eventually, this involved CAs cutting deals with government and selling validated certificates — site unseen, to coin a phrase — to random strangers, as long as they paid, and the entire TLS certificate market turned into a scam targeting the general public. Now that the PKI trust model is faltering, the flaws in the system as it had been set up are exposed, and those willing to look can easily see that the solution to the problem is to deconstruct the system in place. Browser distributors have evidently decided that perpetuating the problem in the long term by continuing to include the biggest CAs — also the biggest offenders — in their trust lists is necessary, because the big CAs are “too big to fail”.
After all, excluding a major CA that is used to validate too many sites’ certificates would be a disaster for short-term public relations, since people might just assume there was something wrong with the browser.
The market crash
How does a market crash work for the PKI trust model? Consider the case of Comodo’s recent security troubles with its certificate authority (or, as identified in The Inquirer’s article, “Comodo admits hackers issued fraudulent SSL certificates,” its Registration Authority):
WEB SECURITY OUTFIT Comodo has admitted that an affiliate registration authority (RA) was compromised leading to the issuance of fraudulent secure sockets layer (SSL) certificates.
This one article points out several key points about the weakness of the PKI system.
- A security compromise at the CA (or RA) can allow, as the article put it, “several bogus SSL certificates to be issued” — a weakness that effectively has no meaning in a distributed agreement system such as Perspectives or Monkeysphere where certificates may as well be self-signed.
- As reported in the article, Comodo representatives said the domains targeted by the fraudulent certificates “would be of greatest use to a government attempting surveillance of Internet use by dissident groups”.
- Most problematic is the realization that, if some outsider can compromise a CA and cause fraudulent certificates to be issued, an insider can do so as well. No matter how secure they are against outsiders, CAs can themselves be the source of security issues.
That last point deserves special attention. Consider two key motivational factors:
- If a CA considers the risk of accidentally issuing a certificate to someone who should not have it small enough, and considers its civil culpability in the case that such a certificate is issued a small enough problem, the CA is motivated to automate the process of issuing certificates as much as possible so that it can get paid by as many customers who want certificates as possible. This means bypassing any kind of rigor in ensuring the certificates are not being issued to scammers while being able to claim no fault despite the de facto complicity of the CA.
- Governmental pressure in the form of legislation, law enforcement requests, National Security Letters, and other authoritarian demands could strongly motivate CAs to issue certificates that allow circumventing the security of TLS encryption. This not only puts the power to compromise the security of your encrypted access to a given site into the hands of government; it also spreads extra copies of trusted cryptographic keys around to more places, increasing the likelihood that the people the CA expects to violate your privacy may accidentally put those keys in the hands of others even less trustworthy.
If you are skeptical about the possibility of such things happening, you do not have to take my word for it. The Register’s article, “How is SSL hopelessly broken? Let us count the ways,” presents a laundry list of problems with the PKI system as it currently exists, presenting not only the problems described above but others as well that have arisen over the years.
Pricing is a problem
Many people point to the cost of validated certificates as a limiting factor for malicious security crackers. Supposedly, the cost of these certificates serves as a disincentive for them to just get their own certificates to trick people into trusting them. The registration process as well is supposedly a deterrent, but recent events as detailed by The Register disprove that theory, just as low-cost certificates — for ten dollars or less — undermine the idea that the cost is prohibitive. If a malicious security cracker is going to make enough money to justify the effort of setting up a server with a certificate to trick people on financial grounds, ten dollars or less is unlikely to matter in the grand scheme of things.
This matches up with the opinion of some people who believe the money is a real deterrent, of course. They believe that low price certificates are not sufficiently expensive to keep malicious security crackers from using them, and such low price certificates should be eliminated or demoted in their default level of trust. Higher prices may make the use of a certificate less enticing for low-yield scams, but if thousands of dollars will be made, a three hundred dollar certificate is not a real impediment either. Short of making them so expensive that nobody uses them, trying to price validated certificates out of the range of malicious security crackers is a lost cause.
The real problem with certificate pricing is that it encourages laxity on the part of the certificate authorities. They want to make money — which means they want to make it as quick and easy as possible to issue certificates in exchange for a few bucks. The security of the encryption protocol and the care taken in checking up on their customers are secondary to that, and pursued only as far as absolutely necessary to be able to plausibly claim they are doing their jobs.