Does your Certifying Authority have a clue who you are? Do they care?
So, an interesting thing happened to me yesterday. I run OpenBSD's https.openbsd.org site. Of course, we have an SSL Site certificate for this site. When we first started the site, (about 6 years ago) we got a site certificate from Thawte. Back in these days they were based in South Africa, and had a Canadian Legal firm to verify who we were. So of course, Theo had to fax them some stuff, as did I. etc. etc. The whole process was rather painful, particularly since "OpenBSD" isn't a company, so we couldn't exactly send incorporation documents and the like. Nevertheless, supposedly this is to provide some sort of protection for people - that "OpenBSD" really is who it claims to be. So, time comes to renew the certificate again, and give Thawte their bi-yearly sum to keep our server cert alive. Every other year, the renewal process has been automatic, They already have our documentation on file so presumably they can and do check this. This year, they know nothing, They have been bought by verisign and they want new documentation. The conversation went something like this: <"What happened to our previously sent documentation?"
"It's in a warehouse in Canada, because we changed how we do things" <"Why can't you get it from there - We're a multinational volunteer organization, coming up with any sort of stuff like this is a pain" "Well, we can't". <"So you've lost it?" "No, we know where it is, it's in the Warehouse" <"Well, you can't get it because you don't know where it is in the Warehouse" "Yes, so what can you send us?" <"Are you going to get the documents from Canada?" "Yes, but we're not sure when or how?"
So the long and the short of it is, our CA has *LOST* the documents showing who we are, and wants new ones. Had someone previously filed fraudulent documents to obtain an ssl certificate, they wouldn't have copies of those. So, the real question is, what good does it do to send supporting documentation to these services, if all they do is lose them? Is this really providing anyone with any security, or is this really just a thinly veiled revenue generation procedure. If they can't even produce the documentation used to support a certificate they've issued, then why the heck ask for, and charge money for this in the first place? Of course my certificate is good for X years, not to protect me from my cert being exposed, but just to get more money after X years. Certificate revocation? Who actually uses that, for real, in a manner that any widespread public apps (i.e. web browsers) will pay attention to? Needless to say, any real confidence I (used to) have in Thawte (back when it made Mark Shuttleworth enough money to buy a ride on the space station) is really no more. (And no, I never really did have any confidence in https, because of the human engineering issues) Anyway, we got a new cert from a provider that only cares about domain ownership, which works fine. The real question is, between the fact that the web browsers makes it so easy for knuckle dragging apes to accept any certificate out there anyway, and if the CA's aren't doing anything to speak of with the "Supporting Documentation", Who are we kidding that there's any real point (security wise) to this exercise? Time for a new protocol that just stores the public key the first time like SSH, and the user maintains their own list? Really, is that any less secure than this ongoing nonsense from a practical perspective? (Other than there's no way for CA's to make money off of it?) -Bob
While the ssl certificate is meant to verify the owners identity, as a consumer I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess. Adi
I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess.
I agree with you, I just don't think this is reasonable. If the CA's aren't going to keep tabs on your stuff (and I'm not just picking on thawte here) and the browsers both don't differentiate between CA's, and make it easy for the user to accept random certificates or bypass the certification mechanism entirely, I don't think it is a reasonable effort. The whole process is flawed. -Bob
On Fri, 05 Dec 2003 09:28:05 CST, Adi Linden said:
While the ssl certificate is meant to verify the owners identity, as a consumer I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess.
So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?
On 5 Dec 2003, at 11:01, Valdis.Kletnieks@vt.edu wrote:
On Fri, 05 Dec 2003 09:28:05 CST, Adi Linden said:
While the ssl certificate is meant to verify the owners identity, as a consumer I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess.
So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?
There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors. It doesn't matter whether the expectation is reasonable; what matters is that the expectation exists. If there's a risk that people will be afraid to type credit card details into a merchant's web page, and that risk can be reduced by spending some relatively small number of dollars with a CA, then merchants will spend the dollars, and the myth is perpetuated. You could try and re-educate the market, but since there's no money in teaching people not to trust CAs, it's difficult to see who would do the re-education. Joe
There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well fed male ox. Anyone who believes that more than 20% of the users have been educated to do this hasn't gone around spoofing their own https sites on their wireless lans and measuring how many passwords they get. and I'm being *generous* with the 20% - I typically get a valid password 9 out of 10 connections to a spoof site. What lusers have been educated to do is "Oh look, an annoying box has popped up. click the button to make it go away so I can keep going." I seriously doubt they differentiate it too much from popup ads for porn sites or herbal viagra. -Bob
On 5 Dec 2003, at 11:55, Bob Beck wrote:
There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well fed male ox. Anyone who believes that more than 20% of the users have been educated to do this hasn't gone around spoofing their own https sites on their wireless lans and measuring how many passwords they get.
20% of users is more than enough to create a helpdesk nightmare for a web hosting company, and represents sufficient potential lost revenue to make any merchant give money to a CA.
On Fri, 05 Dec 2003 10:26:33 CST, Adi Linden said:
So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?
No popup box on the browser asking to accept the certificate.
"Pay us $1,000 or we'll annoy your users with popups". Sounds suspiciously like the extortion angle used recently against somebody who was using Windows Messenger pop-op spam to advertise their "stop pop-up spam" product. I'm however missing the actual security angle (remember that the lack of a warning doesn't mean you actually connected securely with who you thought you did).
Valdis.Kletnieks@vt.edu wrote:
On Fri, 05 Dec 2003 10:26:33 CST, Adi Linden said:
So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?
No popup box on the browser asking to accept the certificate.
"Pay us $1,000 or we'll annoy your users with popups".
The CA does not popup a warning. It is the browser or client application that does this. -- => Mark Foster <mark@foster.cc> http://mark.foster.cc/
On Fri, 05 Dec 2003 10:14:48 PST, Mark Foster said:
The CA does not popup a warning. It is the browser or client application that does this.
The three ways to disable the popup: 1) Have the user accept a CA cert for your site. Help Desk Nightmare. 2) Have the user disable the popup. Help Desk Nightmare. 3) Get the top-level-CA cartel to accept your CA cert in the list of ones bundled into IE. Yes, it's a cartel, and yes, actions taken by said cartel are at least partially responsible for the pop-up happening.
Valdis.Kletnieks@vt.edu writes on 12/5/2003 1:28 PM:
The three ways to disable the popup:
1) Have the user accept a CA cert for your site. Help Desk Nightmare. 2) Have the user disable the popup. Help Desk Nightmare. 3) Get the top-level-CA cartel to accept your CA cert in the list of ones bundled into IE.
4. For ISPs looking to run SSL sites for their own users - distribute copies of IE and Mozilla / Netscape that have your cert embedded in already. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
In message <000d01c3bb6e$397966c0$36e0a8c0@petersdesktopho>, "Peter Galbavy" wr ites:
Deepak Jain wrote:
Is there a documented process for a new CA to get their certs approved/added or is it a clandestine process?
"You are in a twisty little maze of corporate back scratching, all political."
s/political/financial/ I believe. --Steve Bellovin, http://www.research.att.com/~smb
Thus spake Deepak Jain (deepak@ai.net) [05/12/03 15:22]:
Is there a documented process for a new CA to get their certs approved/added or is it a clandestine process?
AFAIK, clandestine. cacert.org has been trying to get their CA included in Mozilla for some time now, but hasn't been able to. It really depends on which browser you're trying to get included in to. - Damian
Valdis.Kletnieks@vt.edu writes on 12/5/2003 11:01 AM:
So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?
Less headaches handling hundreds of support tickets that basically say "browser displayed an alert about the cert being self signed", with or without 2 MB bitmap screenshots of the same? srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Matt Blaze said it well some years ago: "A CA will protect you against anyone from whom it won't take money." --Steve Bellovin, http://www.research.att.com/~smb
participants (10)
-
Adi Linden
-
Bob Beck
-
Damian Gerow
-
Deepak Jain
-
Joe Abley
-
Mark Foster
-
Peter Galbavy
-
Steven M. Bellovin
-
Suresh Ramasubramanian
-
Valdis.Kletnieks@vt.edu