Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Government Could Forge SSL Certificates

Soulskill posted more than 4 years ago | from the bureaucrat-in-the-middle dept.

Encryption 168

FutureDomain writes "Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens."

cancel ×

168 comments

Sorry! There are no comments related to the filter you selected.

Is it time yet? (1)

Skarecrow77 (1714214) | more than 4 years ago | (#31625760)

For the return to tin can and string?

Re:Is it time yet? (1)

commodore64_love (1445365) | more than 4 years ago | (#31626496)

Apparently while we were not looking, our last three presidents did this to the Constitution:

(strikethrough)The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation.....(/strikethrough) ----- So what's left? Amend.10 - deleted. Amend.9 - deleted. Amend.8 - deleted. Amend.7 - deleted. Amend.6 - deleted. Amend.5 - deleted. Amend.4 - deleted. Amend.1 - deleted.

How ironic. The only rights left are those that forbid soldiers from living in our homes, and the one that allows self-defense of same.

Re:Is it time yet? (1)

Timothy Brownawell (627747) | more than 4 years ago | (#31626566)

For the return to tin can and string?

No, but it might be time for people to start using Perspectives [cmu.edu] . Which I'd guess is a better version of the new extension these people are making, although I can't really tell due to the PDF being broken (slashdotted?).

Re:Is it time yet? (1)

Z00L00K (682162) | more than 4 years ago | (#31626650)

In any case - this will work only when the CA authority is cooperating with the government, but if you are your own CA then you will be in control of the chain.

Of course - your CA server may suffer an intrusion, but it will require a physical attack from an intruder. Especially if your CA server isn't connected to the net. And there are a large number of tricks to pull to detect intrusions in your facilities. Some of them are centuries old.

Re:Is it time yet? (1)

LucidBeast (601749) | more than 4 years ago | (#31626732)

I like the way you think. You are thinking defending your CA using trebuchets, aren't you? I know they are siege weapon, but still centuries old.

Re:Is it time yet? (3, Interesting)

petermgreen (876956) | more than 4 years ago | (#31626882)

The problem is they don't need to get the cooperation of the CA that is actually in use, only that of one of the long list that your browser trusts.

Re:Is it time yet? (1)

spazdor (902907) | more than 4 years ago | (#31627102)

We need something new. A distributed certificate authority.

I'm envisioning something like a Massively Multiplayer Online Diffie-Hellman exchange. Math wonks, is something like this in principle achievable?

who can we trust? (0, Offtopic)

Mantis8 (876944) | more than 4 years ago | (#31625776)

This reminds me of a bumper sticker many of us have seen..."Don't steal, the government hates competition!"

Re:who can we trust? (1)

Pojut (1027544) | more than 4 years ago | (#31625842)

Offtopic:

My favorite bumper sticker was one that I had on my truck back when I was in high school: "I sold your honor roll student the answers."

Damn! (0)

Anonymous Coward | more than 4 years ago | (#31625804)

I'm going to have to go back to using dead drops for communication.

Can we get rid of SSL now please? (4, Informative)

TheRaven64 (641858) | more than 4 years ago | (#31625852)

SSL is, and always has been, and ugly hack. End-to-end encryption should be done at the IP layer, not the TCP layer. Now that we have IPSEC, we have a standard way of doing it properly. The only remaining part of the problem is key distribution, but with DNSSec we can put IPSEC public keys in DNS entries and get end-to-end encryption.

A government able to insert something into the chain of trust is still able to fake a connection, but distributing the chain of trust makes this a bit harder. The US government won't be able to insert something into a .cn domain, for example, although the Chinese government can. For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two. Unlike an SSL certificate, the IPSec key is visible to anyone, even people who don't try to make a connection, so it's much easier to spot if someone has tampered with the connection, and will be cached in ISP's DNS caches, making an unnoticed attack much harder.

Re:Can we get rid of SSL now please? (1)

Mr Thinly Sliced (73041) | more than 4 years ago | (#31625938)

Totally agree.

While we are having our christmas internet list filled, can we also start using DNSSec/IPSec and distributed trust for authentication between email servers please?

DNSSEC has a similar attack against it (3, Insightful)

tepples (727027) | more than 4 years ago | (#31625948)

with DNSSec we can put IPSEC public keys in DNS entries

Unless the government compels domain name registrars to sign phony DNS public keys.

For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two.

Which is little different from hosting something at two different domains with TLS certs from different registrars in different countries.

Re:DNSSEC has a similar attack against it (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#31626072)

Which is little different from hosting something at two different domains with TLS certs from different registrars in different countries.

It's very different. The server does not need modifying at all. It only needs a single IPSec private key, you are just distributing the public key via two different routes. The client doesn't even need to try connecting in order to verify the integrity of the key, it just needs to try fetching the two different DNS records and comparing their IPSECKEY entries. If they are different, don't connect at all. Importantly, individual clients don't need to do this check; you just need someone to be perform this lookup periodically to see if either of the DNS entries has been modified. Because the DNS entries are cached, you can't easily perform this attack on a single client, you need to do it on a network, and that makes it a lot harder to do secretly.

Re:DNSSEC has a similar attack against it (0)

Anonymous Coward | more than 4 years ago | (#31626444)

You're half right. Using two channels with different affiliations to make sure you got the right public key is indeed an option with DNSSEC. Of course something similar could be done with SSL, too: The server could present a certificate with one signature on one port and the other signature on the other port, both for the same public server key. If the signatures check out and the public key is the same, then you're safe, unless there's collusion between the two certificate chains.

Where you're completely wrong however is the assumption that attacks can't be performed against single clients. The government can MITM the route to the DNS server(s), so it can not be assumed that you're seeing the same responses as everybody else. The phony records can be created just for you and nobody else ever needs to receive them. Defending against an attacker who can read and modify all your connections is not trivial at all.

Re:DNSSEC has a similar attack against it (1)

Mr Thinly Sliced (73041) | more than 4 years ago | (#31626138)

DNSSEC has a similar attack against it

Except with TLS you are putting the logic and handling in every application. Putting it further down the stack makes it easier to update/patch etc.

There really needs to be just one place to put the necessary functionality and fix the bugs (which we have to fix anyway to get the implementation of IPSec/DNSSec correct).

Re:DNSSEC has a similar attack against it (3, Insightful)

iluvcapra (782887) | more than 4 years ago | (#31626254)

Putting it further down the stack makes it easier to update/patch etc.

It's worth pointing out that the technique described here isn't a "hack" that can be patched, it's an intrinsic feature of public-key crypto, and specifically a direct consequence of unreservedly trusting the CAs. The CAs are capable, using no tricks or computer hackery, of creating as many "redundant" signed certs for the same qualified name as they wish.

Re:DNSSEC has a similar attack against it (3, Insightful)

MasterOfMagic (151058) | more than 4 years ago | (#31626542)

The problem with a system that relies on trusted third parties is that these third parties have to be, well, trusted. This implies that they are trustworthy. Have you evaluated all of the CAs on the list included with your operating system and browser for trustworthiness? I know I haven't. I've delegated that to the OS vendor and the browser vendor. Should I be doing this? Do I have evidence that shows that my OS vendor and browser vendor are trustworthy? And whose interest do they work for?

These are all things that need to be evaluated when dealing with a system that requires trusted third parties. The problem, of course, is that very few people actually do this. SSL is a system that requires trusted third parties if you are to put any trust in the fact that the certificate signed by a CA really belongs to the person the CA says it belongs to.

[This is, technically not true with self-signed certificates. Anybody can be a CA. Just self-sign a certificate and use that to sign the certificates of others. The problem is that you're not included by default. Of course, there are some sites that have their own CA, either for business reasons or because they can. They have an internal CA that they use to sign certificate for business purposes. These CAs are verified and pushed to machines, either by Active Directory at Windows sites or some other mechanism. There's no reason that an individual can't do the same when they generate certificates. The problem is that the fingerprint of CA certificates needs to be validated out of band in order for you the avoid a man in the middle attack when distributing the CA certificate to somebody else. This sort of distribution of SSL certificates would not require a trusted third party, but you would need to be able to identify the person or organization giving you the fingerprint and judge their trustworthiness.]

Re:DNSSEC has a similar attack against it (1)

Sancho (17056) | more than 4 years ago | (#31627466)

This is, technically not true with self-signed certificates. Anybody can be a CA. Just self-sign a certificate and use that to sign the certificates of others. The problem is that you're not included by default. Of course, there are some sites that have their own CA, either for business reasons or because they can. They have an internal CA that they use to sign certificate for business purposes. These CAs are verified and pushed to machines, either by Active Directory at Windows sites or some other mechanism. There's no reason that an individual can't do the same when they generate certificates. The problem is that the fingerprint of CA certificates needs to be validated out of band in order for you the avoid a man in the middle attack when distributing the CA certificate to somebody else. This sort of distribution of SSL certificates would not require a trusted third party, but you would need to be able to identify the person or organization giving you the fingerprint and judge their trustworthiness.

But if you still trust the third-party CAs, then this is still subject to the same attack. Even though you've added your CA to the trusted list, a third-party could coerce another CA to sign a certificate for your domain, and then perform a MITM attack on you.

The only way to be sure is to trust no one but your own CA.

Re:Can we get rid of SSL now please? (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31626462)

The US government won't be able to insert something into a .cn domain, for example, although the Chinese government can.

I hear you're a looking for a reason for IPSEC and DNSSec not being implemented. Allow me to introduce a candidate answer.

Re:Can we get rid of SSL now please? (1)

Meneth (872868) | more than 4 years ago | (#31626854)

sudo mod me up

ok :)

Re:Can we get rid of SSL now please? (1)

Threni (635302) | more than 4 years ago | (#31627548)

He's not on my sudoers list, and the incident has been reported.

Re:Can we get rid of SSL now please? (0)

Anonymous Coward | more than 4 years ago | (#31626972)

The only remaining part of the problem is key distribution

Wow, with all the hard problems solved we just have this easy one left

Re:Can we get rid of SSL now please? (1)

TheLink (130905) | more than 4 years ago | (#31627010)

The Certlock thing should help (assuming they do it right and the software itself can be trusted), but the problem could have been fixed by the browser makers long ago if they took security seriously. If I remember right, the problem was discussed years ago in a firefox bug report.

Basically the browser should have features to allow you to be warned if:
1) The CA has changed (still vulnerable to "Gov can forge SSL certs with CA's help")
2) The cert has changed (paranoid mode- the Gov can eavesdrop only if they have the private key of the server - IIRC in the old days for some strange reason certain CAs actually made you send them everything, go figure why ;) ).

Now in paranoid mode, some load balancing sites might cause warnings because the certs could be different. For example different certs were installed on the servers serving up the same sites. This could be because they are in the middle of rolling out new certs. However this is not a huge problem, if the sites with the correct certs provide suitable warning in advance the user would realize that and accept the new certs.

FWIW, I'm wondering if this addon actually is OK: https://addons.mozilla.org/en-US/firefox/addon/6415 [mozilla.org] :).

Re:Can we get rid of SSL now please? (1)

0123456 (636235) | more than 4 years ago | (#31627088)

End-to-end encryption should be done at the IP layer, not the TCP layer.

Sorry, but that's nonsense. Encryption should be done at the IP layer as well as by the application; if encryption is only done by IPSEC at a low level, then I have no way of knowing that my connection to my bank is secure, or is even going to the correct site.

To give an example, for a long time I've had my XP laptop at home configured to use IPSEC to talk to my Ubuntu server. Yesterday I discovered that at some point the Ubuntu server had stopped running the startup script that configures it to require IPSEC for connections from the laptop, so I've been connecting to it without encryption for an indeterminate amount of time; and the only way I found that out was because I ran wireshark.

IPSEC is a good idea, but it's definitely not a substitute for application-level encryption and authentication. It's also insanely difficult to configure and debug; I took about two days just to get a handful of PCs in my house talking to each other and even now I have to run a cron job on the Ubuntu server to ping the two Windows PCs every minute in order to ensure that IPSEC does get set up correctly once they're booted as initiating the connection from XP is very unreliable.

Re:Can we get rid of SSL now please? (1)

TheRaven64 (641858) | more than 4 years ago | (#31627446)

You are confusing so many issues here that it's difficult to know how to reply. First, you are not using DNS to distribute your keys, so your experience is not particularly relevant. You are also talking about using IPSec for a VPN, rather than for individual connections. Second, there is no reason why the TCP/IP stack could not expose a single function for getting the security state of the connection, telling you whether:
  • The connection to the DNS server is secure (using IPSec)
  • The DNS record was signed.
  • The DNS record contained the IPSECKEY entry.
  • The IPSEC negotiation worked.

After calling connect() on a socket created via gethostent(), you would (if your app cared about security) call this function and then present a UI element like the padlock in browsers. There is absolutely no point in using SSL over an end-to-end IPSEC connection.

Re:Can we get rid of SSL now please? (1)

0123456 (636235) | more than 4 years ago | (#31627662)

You are confusing so many issues here that it's difficult to know how to reply. First, you are not using DNS to distribute your keys, so your experience is not particularly relevant.

How does using DNS to distribute keys tell me whether the connection is really, actually, physically encrypted?

You are also talking about using IPSec for a VPN, rather than for individual connections.

I'm talking about using it for individual connections between PCs..

Second, there is no reason why the TCP/IP stack could not expose a single function for getting the security state of the connection

Why should I trust the TCP stack's idea of whether the connection is secure when my web browser can determine that itself?

There is absolutely no point in using SSL over an end-to-end IPSEC connection.

Unless you actually want to ensure that your connection is actually, really secure, and the only way to do that is for your application to incorporate its own encryption and authentication. Rule #1 of security is to never trust what software outside your control tells you.

Other than performance or really, really badly implemented encryption schemes (e.g. two layers of ROT13), there is no downside to adding another layer of encryption.

Re:Can we get rid of SSL now please? (1)

TheRaven64 (641858) | more than 4 years ago | (#31627802)

So I presume your web browser doesn't use OpenSSL / GNUTLS or whatever your host platform's native SSL library is?

If security is really important to you (5, Insightful)

DarkOx (621550) | more than 4 years ago | (#31625860)

If you really want to be secure and you are using certificates you should be self signing and exchanging the self signed certs with your partners out of band.

Re:If security is really important to you (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31625994)

I like the way OpenSSH does it -- Trust On First Use (TOFU). First time you visit a server you're warned of possible MITM and given a fingerprint (which you could have, say, confirmed in person). After that you never see a warning again unless the server's key unexpectedly changes. No forcing you to automatically trust CAs, and no overstated warnings about self-signed certs.

Re:If security is really important to you (1)

mpe (36238) | more than 4 years ago | (#31627094)

I like the way OpenSSH does it -- Trust On First Use (TOFU). First time you visit a server you're warned of possible MITM and given a fingerprint (which you could have, say, confirmed in person). After that you never see a warning again unless the server's key unexpectedly changes. No forcing you to automatically trust CAs, and no overstated warnings about self-signed certs.

Whereas the way web browsers typically do things you could be communicating with several hundred different entities and not know it.

Re:If security is really important to you (2, Interesting)

thijsh (910751) | more than 4 years ago | (#31627320)

I really want web-browsers to support this properly, with a dialog that shows that it's self-signed and provides encryption but no verification. Self-signed certificates have a lot of advantages, and the only thing holding back widespread use is those crappy browser dialogs warning you that this website is going to cause the end of life as you know it. There is a legitemate use for encryption without a CA, and this article only confirms that.

The way I see it you have the following levels:
- HTTP (unencrypted, but free)
- HTTPS SSC TOFU (encrypted and free + as a bonus no government can mess with certs apparently)
- HTTPS CA (encrypted + verified)
- HTTPS CA+ (better verification + whatever extra shit they can sell for overpriced certificates)

The question is now: which browser will be the first to support true free and 'open' HTTPS?

Re:If security is really important to you (0)

Anonymous Coward | more than 4 years ago | (#31627584)

My Firefox at home already pokes me about "This host has a key that isn't signed by (suchandsuch). Do you want to confirm an exception?"

Then, if changed, it warns me again. Which is nice.

Seems the same thing, to me.

Re:If security is really important to you (1)

Cassini2 (956052) | more than 4 years ago | (#31626214)

If you really want to be secure and you are using certificates you should be self signing and exchanging the self signed certs with your partners out of band.

Precisely. Otherwise, you are always open to a sufficiently sophisticated man in the middle attack.

Re:If security is really important to you (1)

mordejai (702496) | more than 4 years ago | (#31627366)

This is how we did it in the pre-internet years (early 90s) with PGP.

There are two problems with this approach, however:
1. While it works fine for use between friends and with your company's sites, it's not practical to do with every site you interact with.
2. The tools (browsers, OSs) don't make it easy to add certificates. And, if they did, this would be quickly taken advantage of by malware.

what no one wants you to know (5, Informative)

yup2000 (182755) | more than 4 years ago | (#31625862)

And it took you how long to figure this out? Anyone with real security in mind would create their own certificates and sign them. What's always been missing is a convenient way to verify the identify of the person you're communicating with. CAs only help in certain situations. SSL has always been more about encrypted content than identification no matter what people try to tell you.

Re:what no one wants you to know (1)

Dr. Evil (3501) | more than 4 years ago | (#31626202)

Well... it *is* about identity, and limiting the scope of who you have to trust.

With SSL, you trust the computer manufacturer, your hardware configuration, your Operating system, your web browser (and root certificates in your web browser) and the Certificate Authority (which is a corporation under the U.S. government).

Self signed certs are better, but you need a second channel to communicate the certificates securely.

Generate your own certificates... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31625870)

and distribute them by mail or something. That doesn't help taking to your bank,
but then again if the government wants your bank balance they'll just ask the bank.

Re:Generate your own certificates... (1)

MasterOfMagic (151058) | more than 4 years ago | (#31626386)

That doesn't help taking to your bank

It sure does. When someone signs up for online banking, make them go to the branch to set a password and give them documentation showing how to verify the certificate and set it up in their browser. Bonus points for making this a bank-specific CA and then having rotating certificates on the bank website that are signed by this bank-specific CA so that this only needs to be done once per computer/browser.

Re:Generate your own certificates... (0)

Anonymous Coward | more than 4 years ago | (#31626560)

First of all, most people would be completely overwhelmed by the technical aspects of this requirement. Secondly, all cryptographic key information must expire at some point, even CA keys. Right now the browser makers take care of updating the root CA certificates. If you're going the independent route, you'll have to recheck the certificate occasionally. There is no "needs to be done once per computer/browser". And, if you're going to install a bank's CA certificate, remember that this CA can sign certificates for other domains too. There is no provision for limiting the scope of a CA to particular domains (which is a stupid omission IMHO).

Re:Generate your own certificates... (2, Insightful)

plover (150551) | more than 4 years ago | (#31627014)

Actually, the banks already have a way to distribute the certs: put them on smart cards. The bank can trust the cert because they issued it. The customer can trust the cert because the bank handed it to them.

There are many good security features a smart-card based solution brings to the table. First, the bank is entirely in charge of their own security from end-to-end. There is no trusting of third parties*. The bank is able to uniquely verify the presence of your card, and can refuse to transfer money without it. And if the bank is compelled by a warrant to cooperate with the government, they just hand over the data without fooling around with a clumsy man-in-the-middle attack, .

What's really needed is a ubiquitous smart card reader to be included on standard computer builds.

*Actually, you still have to trust the third parties who provide the applications, operating systems and hardware. The only completely secure way around that is for the bank to provide the actual computer to the customer, via a handheld card device like Vasco makes. A close second is by providing a custom bootable image on read-only media. [slashdot.org]

Re:Generate your own certificates... (1)

iluvcapra (782887) | more than 4 years ago | (#31628028)

Actually, the banks already have a way to distribute the certs: put them on smart cards. The bank can trust the cert because they issued it. The customer can trust the cert because the bank handed it to them.

An even EASIER solution would just be for them to post the fingerprint for their self-signed certificate on a large sign behind the teller window at all of their branches, essentially staging a signing party -- the area behind the glass is protected by lock and key. They simply tell their customers the option to either use an SSL link with a Verisign-signed cert, or a bank self-signed cert, provided the customer checks the fingerprint and trusts it before continuing. Public certs don't have to be moved out of band, only verified out-of-band. Once the customers can validate the fingerprint they'll know they're talking to the same institution that controls the airspace behind the teller window.

But as it pertains to this problem, it's useless since it's a bank and the gov can just subpoena all of your information anyways.

Re:Generate your own certificates... (0)

Anonymous Coward | more than 4 years ago | (#31627032)

or just give them a self signed cert on a cd

and remember... (1)

presarioD (771260) | more than 4 years ago | (#31625878)

...all this is for your own good...government by the people for the people type of thing...smile...

SSL / HTTPS (2, Funny)

bbroerman (715822) | more than 4 years ago | (#31625884)

One more nail in the coffin... (See http://nearlyperfectsoftware.com/secureajax.html [nearlyperf...ftware.com] for other hacks). Good thing I'm working on a protocol and libraries / utilities that can be used to replace it for all of my work, and my clients... Starting with a secure ajax framework, then on to things like POP, IMAP, SMTP, FTP, Telnet, etc. Should be cool once I get them all done.

Re:SSL / HTTPS (1)

WrongSizeGlass (838941) | more than 4 years ago | (#31626180)

I'm interested in your views and would like to subscribe to your newsletter, but I'm not sure if I trust the certificate governing your 'Subscribe To Our Newsletter' page.

I call bullsh*t (1)

Sardonis (596687) | more than 4 years ago | (#31626188)

Quoth the website:

Distribution of encryption keys and code is performed with a Patent Pending process that is immune to man-in-the-middle attacks

Does NOT use SSL or third party certificates.

Can't do authentication without some trusted authority or web-of-trust. I'd like to see this 'Patent Pending process' examined by experts...

Re:I call bullsh*t (1)

bbroerman (715822) | more than 4 years ago | (#31626424)

I am looking forward to that. Unfortunately, as a one man shop, I don't have the money to pay experts. I am offering free licenses to the library (with the applicable NDA) for the first 20 or so medium size businesses that want to give it a trial run. I am also working with the company that I work for (my day job) to see if they will sponsor the testing / trial of the software with some of their clients. Additionally, I have many software professionals as friends whom I have asked to do code reviews and in-house trials.

Re:I call bullsh*t (1)

Sardonis (596687) | more than 4 years ago | (#31626608)

Thanks for your response. I hope the patent gets issued soon, so I can read it. No serious expert will probably touch your procedure as long as it is secret. What is the point of reviewing a protocol/procedure if your peers can't check your work?

Re:I call bullsh*t (1)

bbroerman (715822) | more than 4 years ago | (#31626942)

well. I've put a LOT of hours into this, and I would really like to reap some benefit from it... I do FOSS from time to time, and I've put some things out there over the years, but this one is one I'd like to get something back out of... I have trusted peers checking my work currently. I am looking for some security experts (and in the mean time, I'm reading all of the security books I can get) that will do it at no or minimal cost.

Re:I call bullsh*t (1)

david_thornley (598059) | more than 4 years ago | (#31627696)

Okay, so how many security experts will put in serious work just to make money for you? If what you're doing is any good, then it will take a lot of work to examine it for weaknesses. They will doubtless want to bill you at their usual rates. At the end of that, at best, what you'll have is a statement that Joe Security Expert couldn't find a serious problem in as many hours as you're willing to pay for, and that's not going to convince anybody competent in the field.

The only way anybody is going to take this seriously is if you publish all the details. That way, anybody who wants will be able to analyze it. Whether they'll bother for a new protocol that costs money to implement is another question.

At that point, there will be a new patent-encumbered protocol available, with very limited use because the security community isn't going to examine it in depth until it's either in heavy use or open for free use. (If it starts getting used, the cracker community will be happy to examine it, but they don't publish in the same journals.)

Sorry, guy, but your chances of making a noticeable profit from royalties is really slim. You might do better publishing openly and doing consulting.

Re:I call bullsh*t (1)

bbroerman (715822) | more than 4 years ago | (#31628050)

Well, I've got a year to see. If I don't get anything in that time, I've already planned on releasing it as FOSS. Who knows, maybe a company will see it, like it, and buy the rights. Oh, and I already do consulting. Have been for years.

Re:SSL / HTTPS (1)

ArsenneLupin (766289) | more than 4 years ago | (#31626278)

How would this secure ajax framework work? A (trusted) plugin to be installed in the client's browser?

Because, if the client-side javascript is being served by the server over the Web, it's vulnerable: an attacker could just intercept the javascript and insert whatever he wants inside, and pass that on to the client, who would be none the wiser. And as it is non-standard, there'd be no tell-tale signs such as http instead of https, that an astute user could see.

Re:SSL / HTTPS (1)

bbroerman (715822) | more than 4 years ago | (#31626460)

That's the "secret sauce" so to speak of the library. Like I mentioned in a previous post, I have been working with other expert software developers (who are close friends of mine) on code reviews, in-house testing, etc. I don't have the money for expert security people yet, but I am working on other avenues on testing the security of the protocol. I've been working on this library for the past 2 years...

Re:SSL / HTTPS (1)

ArsenneLupin (766289) | more than 4 years ago | (#31626760)

That's the "secret sauce" so to speak of the library.

Security through obscurity... Given enough time and determination, an attacker can intercept and reverse-engineer your library and add as much salt into your secret sauce as he wishes...

The only way to make it secure is to deliver the client part out-of-band over a known secure channel. Anything else may just delay an attack, but not prevent it.

Re:SSL / HTTPS (1)

bbroerman (715822) | more than 4 years ago | (#31626996)

Possibly, but time will tell. I've been working on this for 2 years now. I've got some close friends who are long time software experts looking at it. I would love it if I could find some security experts who would review it free, or low cost. In the mean-time, I have been reading every security book I can find. And, like I do with all of my other software testing, I have been going through it looking for different ways to "hack" it and then going back and tweaking the design.

Re:SSL / HTTPS (1)

ArsenneLupin (766289) | more than 4 years ago | (#31627120)

And I mean, with all your reading, and all those smart friends, it never occurred to you, and nobody told you, that somebody ill-intentioned could just replace your library with something that does what it does, but that additionally XmlHttpRequests a copy of the "secure" data to http://evilsite.com [evilsite.com] ?

Re:SSL / HTTPS (1)

bbroerman (715822) | more than 4 years ago | (#31627308)

That's taken into account. I spent many months working through that. Again, that was a key factor in the initial design of the initialization protocol.

Re:SSL / HTTPS (1)

ArsenneLupin (766289) | more than 4 years ago | (#31627538)

And, what solution did you use to avoid such tampering? Loading the library via https? Or just praying to God that hackers wouldn't know how to fake a checksum?

Re:SSL / HTTPS (1)

bbroerman (715822) | more than 4 years ago | (#31627772)

That's the key part that led to the patent app. and no, it doesn't use https or prayer. And... the basic principal can be applied to other applications and protocols as well. Once I get the latest version of this library tested, optimized, and done, I'm going to start writing other apps that use the basic protocol, starting with FTP, POP3, and Telnet. Sorry I can't get more into it here, but I am waiting on the patent for the base protocol first.

Re:SSL / HTTPS (0)

Anonymous Coward | more than 4 years ago | (#31626932)

Why don't you just cut out all the unnecessary middlemen and submit all your stuff to thedailywtf.com directly?

The Obama govt isn't evil (1, Informative)

Anonymous Coward | more than 4 years ago | (#31625886)

Well, at least it would be Obama watching our every move instead of Bush, so it's not that bad. //head-smack

Re:The Obama govt isn't evil (1)

Errol backfiring (1280012) | more than 4 years ago | (#31626018)

It's usually not the head puppet who is watching. It is the people in government who are not rotated at the elections who do this.

Does that mean... (1)

alexhs (877055) | more than 4 years ago | (#31625946)

Does that mean that self-signed certificates are now more secure ? :)

Re:Does that mean... (1)

TheRaven64 (641858) | more than 4 years ago | (#31626186)

No. This is not a passive attack, it is a man-in-the-middle attack. The government gets an SSL certificate that looks like the remote one. You connect to their computer, thinking it's the remote computer, authenticate, and it then does the same with the remote machine. With a self-signed certificate, this is even easier because any certificate looks the same as the self-signed one.

It does mean that pre-shared certificates (whether signed by a third-party or not) are more secure. Unfortunately, these are not practical for most purposes. The entire point of the SSL chain of trust is that you only need to pre-share a small number of certificates and these can then sign others.

Re:Does that mean... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31626242)

Self-signed certs are more secure; but only if you have some way of distinguishing them. "Self signed certs" as a generic class, are man-in-the-middle city because anybody can produce one. The feds don't even have to coerce the CA, they can just sign their own.

A specific self-signed cert, that you have some out-of-band reason for trusting, is extremely secure because only by compromising the computer storing the signing key could an adversary produce a fake one of those.

The problem is, outside of fairly trivial scenarios(corporate intranet with self-signed certs, worker drones' browsers trust that cert by group policy; small group of paranoics who know each other IRL exchange keys under the bridge at midnight), establishing that out of band reason for trusting a cert is a pain in the ass, and not amenable to any particularly clear solution.

CAs are basically the ugly-not-really-all-that-good solution that has the virtue of working in practice. You trust the cert because the big corporation whose business is attesting to the trustworthiness of certs says you should trust it. Easy, simple, and actually works ok from a strictly financial perspective(ie. the amount of money that Verisign can make by selling overpriced sequences of bits that make the magic green bar appear in consumer browsers is greater than the amount that they could make by MiTM attacking a whole bunch of banking sessions and then fleeing to Namibia with their reputation in tatters).

Where it breaks down is non-strictly-financial situations. It is highly unlikely that clandestine cooperation, for surveillance purposes, with state agencies is all that costly to Verisign, or their ilk(and may in fact be lucrative, as doing various sorts of wiretaps is for the telcomms). If your threat space is just occupied by script-kiddies and Ukranian cyber criminals, commercial CAs work pretty well. If it is occupied by state entities who want information rather than money, there is no particular reason to expect them to work.

Re:Does that mean... (1)

alexhs (877055) | more than 4 years ago | (#31627438)

I wrote my previous post under the misunderstanding that governmental agencies could get a copy of the original certificate private key, not that they could get a different private key with the same certification information.

That second case of course mean that "trusted" certificates are neither better nor worse than self-signed certificate. This is a MITM attack that only works well in the case of a first connection (as you should be wary of a certificate change as long as the preexisting certificate didn't expire).

In the first case, however, it would mean than the government could impersonate the certificate owner at any time, which is not possible with a self-signed certificate, as you're only ever giving the public key.

This is of course overlooking the fact that you're not giving your private key to the certification organism either, but a certificate signing request.

Re:Does that mean... (1)

u38cg (607297) | more than 4 years ago | (#31627628)

I complain about this every time the subject comes up, but the problem is a contractual one. You are having to place trust in a CA you have no contractual relationship, so what mechanism causes that CA to work in your favour? None. Browsers should ship without any root certificates, and users should pay to subscribe to whoever they choose to provide them with root signing services. Economics would help enforce the trust issues. It isn't a magic bullet, of course, but to me it takes the biggest weakness out of the way.

Re:Does that mean... (1)

ArsenneLupin (766289) | more than 4 years ago | (#31626342)

No. Without any further verifications, self-signed certificates can be spoofed by the common crook, whereas CA-signed certificates can only be spoofed by governments.

With further verification (customer manually checks certificates finger-print), both self-signed and CA-signed would be secure, but then you wouldn't really rely on the signature at all, but rather on the fingerprint.

Re:Does that mean... (1)

X.25 (255792) | more than 4 years ago | (#31627454)

No. Without any further verifications, self-signed certificates can be spoofed by the common crook, whereas CA-signed certificates can only be spoofed by governments.

Hi.

Please spoof my self-signed certificate.

Thank you.

They've Always Been Pointless (3, Insightful)

segedunum (883035) | more than 4 years ago | (#31625958)

SSL certificates only provide the ability to encrypt communication between a browser and a server. That's all it's for. Alas, many people have have tried to build in some level of 'trust' to SSL as well, and the money racket that has grown up around issuing SSL certificates on an ad-hoc basis just so someone's browser doesn't complain needs to go the journey. Those root certificates in your browser are just money for old rope. We definitely need something better.

Re:They've Always Been Pointless (1)

petermgreen (876956) | more than 4 years ago | (#31627246)

Encryption is of limited utility if you aren't sure who your encrypted session is with. Since manual key exchange has practical problems browsers went for the

Unfortunately the major browser vendors have put WAY too many CAs on the trust list meaning that pretty much any significant governement in the world can ask/order someone to generate them a cert for any domain. Some criminals probablly can too.

IMO the proper way to do it would be to have a chain of trust system as part of DNS so the only people who can vouch for you are the operators of the registry containing your domain. I think dnssec may be trying to do this but it will have an uphill battle to replace the current broken system.

Re:They've Always Been Pointless (1)

owlstead (636356) | more than 4 years ago | (#31627496)

SSL certificates only provide the ability to encrypt communication between a browser and a server. That's all it's for.

No they are not. They are for providing authentication. You would not need any certificates to encrypt communications. Of course, you can then do a man in the middle attack, but you can only get around that by authentication anyway.

Alas, many people have have tried to build in some level of 'trust' to SSL as well, and the money racket that has grown up around issuing SSL certificates on an ad-hoc basis just so someone's browser doesn't complain needs to go the journey.

This has indeed be identified. There are a couple of things with that. 1) SSL certificates are, normally, just issued to the owner of the site. That already provides some security. 2) you can get certificates that provide more trust nowadays.

Those root certificates in your browser are just money for old rope. We definitely need something better.

I'm not so sure that the current SSL certificate scheme could not be fixed. Just saying we need something better does not fix anything.

People could e.g. vote for SSL certificates for a specific site (same as PGP uses certificates signed by many persons to create trust). Another idea is to very clearly notify the user when a previously unused root certificate is used (I'll get suspicious when a banking site suddenly uses the [insert suspicious country of choice] certificate for its root. An option to display changeover of server certificates may also be a good idea.

Especially if you try and trick users on a large scale, it only takes one person to alert the authorities that something is amiss.

Government CA's (0)

Anonymous Coward | more than 4 years ago | (#31626084)

This isn't any news.. The Dutch government got it's root certificate imported in all popular browsers (named Staat der Nederlanden CA). So they can issue a certificate for a site and no browser would warn you about a invalid certificate or something..

Banking secrecy laws (4, Interesting)

ArsenneLupin (766289) | more than 4 years ago | (#31626096)

Not a theoretical concern, but a very real one.

Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.

When Luxembourg introduced a similar system [luxtrust.lu] they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.

You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.

The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.

Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French [gemalto.com] ... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.

And the BSI [www.bsi.de] institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.

Re:Banking secrecy laws (1)

owlstead (636356) | more than 4 years ago | (#31627316)

"And the BSI [www.bsi.de] institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL."

That's a pretty serious accusation - personally I would put this strictly in the "paranoid scheming" box unless you've got anything to back up that claim.

Re:Banking secrecy laws (0)

Anonymous Coward | more than 4 years ago | (#31628018)

So they just overlooked it instead of "overlooked" it then? Doesn't sound much better.

Quis custodiet ipsos custodes? (1)

Bearhouse (1034238) | more than 4 years ago | (#31626122)

I think we've had this debate on /. before, no?
Who do you trust to issue certs? Certainly not Verisign...the UN, then?

no duh (2, Insightful)

Sloppy (14984) | more than 4 years ago | (#31626166)

Nobody would ever seriously say that x.509's single point of failure for trusted introducers is a good idea; it just happened to be easy to deploy and got some encouragement along the way because some people could make money on it. But as soon as you look at it in terms of security, it doesn't fare very well.

OpenPGP encourages multiple certifiers for an identity: so they're all required to conspire to sell you out. Conspiracies are hard. Build your next network app on top of Gnu TLS and make sure you test with OpenPGP, so that some day we can switch to modern (and by modern, I mean about 1990-level tech) crypto.

BTW, governments are a great example, but always remember that they are not the only entities with capability or motivation to point a gun at someone. And even if you don't believe that, you've got to admit there are multiple governments, and only one of them at most, is accountable to you. Anyone who says that the cert system should be left vulnerable because the public has an interest in making sure that communications aren't "too secure," definitely isn't thinking about all the angles. The inherent weaknesses of X.509 should never have been used as an argument for building the web on it.

Re:no duh (1)

Bearhouse (1034238) | more than 4 years ago | (#31626336)

Agree.
BTW, I thought that X.509, (OK in later versions), could support WOT topologies?
Was just not implemented that way; presumably because central authorities liked the 'simple' hierarchical structure...
Of course, regarding 'too secure' systems, look what happens to people who promote them...
http://en.wikipedia.org/wiki/Philip_Zimmermann#Criminal_investigation_by_US_Customs [wikipedia.org]

So trust the CAs a little less (2, Interesting)

johndoe42 (179131) | more than 4 years ago | (#31626184)

There a "fix" that should help a lot: have browsers cache all certificates that they've accepted. Then, whenever a site *changes* its certificate, give a bit fat warning and optionally send the new certificate to some repository of questionable certificates.

If that repository starts to see bogus certificates signed by a CA, revoke that CA's root certificate.

To really make it work, HTTPS should have a mechanism to indicate that a certificate may not be changed until such-and-such a time, and there should be a way to (later, when using a different internet connection) tell a website what certificates you've seen that claim to identify it. That way the web site operator can go after bad CAs itself.

Story misses the point (2, Insightful)

Old97 (1341297) | more than 4 years ago | (#31626196)

The fact that governments can use or abuse technology to spy on its citizens is not news. That's as newsworthy as saying that if I had possession of your computer long enough I could find out all your secrets. If you want protection from your government, you have to do something about your government. In democracies you have some options and generally have laws and the rule of law (mostly). In such countries being vigilant and vocal can make the government behave if enough citizens participate. In autocratic countries you have to expect the worst I suppose and try to work around it. Which ever is the situation, you can't trust technology, especially one relying on a shared infrastructure (e.g. internet, ca's, etc.) to safeguard your secrets from everyone, especially anyone who has physical access to it.

Re:Story misses the point (1)

JesseMcDonald (536341) | more than 4 years ago | (#31627476)

If you want protection from your government, you have to do something about your government.

Even assuming this were a practical solution, what about all the other governments out there, and the CAs within their jurisdictions? It only takes one CA caving to one government—not necessarily yours—to circumvent the trust authentication for any site.

Paranoia is all well and good... (5, Insightful)

DrgnDancer (137700) | more than 4 years ago | (#31626326)

Essentially if you really want secure end to end communication with someone that is more or less fool proof and not subject to outside interference you have to manually exchange keys. It's always been this way. Any time you do less you are trusting *someone* other than yourself and person at the remote end. The simple point is that we *have* to trust someone to exist in society. We trust that the government will not suddenly decide to print "Braquats" and declare Dollars (or Pounds, or Euros, or whatever) useless. We trust that the bank won't wander off with all our money. We trust that our ISP isn't just putting up servers that pretend to be the Internet and are slowly stealing everything we type into our browsers. We trust that the grocery store hasn't poisoned all the produce. Virtually every social action we take involves some modicum of trust that the "other guy" is acting in reasonably good faith.

Thus far the certificate authorities have been trustworthy. Could they be compromised? Of course. Could the clerk at the grocery store be bribed to poison all the produce? Of course. Do we have any reason to think the CAs *have* been compromised? Not that I'm aware of. It's pretty straightforward. Are you doing something that needs to be *completely* secret? Exchange keys with the remote end manually. Are you doing something that needs to be as secret as one can reasonably expect while still dealing public entities? Use the CAs. They have an extremely good track record and seem to be about as trustworthy as anyone can reasonably expect.

Re:Paranoia is all well and good... (1)

0123456 (636235) | more than 4 years ago | (#31627398)

Do we have any reason to think the CAs *have* been compromised? Not that I'm aware of.

The fact that someone's selling a box allowing MITM attacks with forged keys is a little bit suspicious... and since there are now so many CAs around the world it should be easy for governments to find one who'll happily sign a fake key for them, or set up trustuswerefromthegovernment.com as a new CA to sign any key they want.

Re:Paranoia is all well and good... (1)

pixelpusher220 (529617) | more than 4 years ago | (#31627872)

Thus far the certificate authorities have been trustworthy.

not exactly, we only don't know that they haven't been untrustworthy. There's a pretty big difference.

A couple interesting quotes I've seen about CA's: (1)

rwyoder (759998) | more than 4 years ago | (#31626452)

"A CA will protect you from anyone from whom they won't take money."
-- Paul Vixie - on the NANOG mailing list
(Going from memory here, so the quote may not be exact.)

"In the real world, you prove your identity with documents provided by a government.
In the digital world, why are we trusting certificates provided by 3rd-party business???"
-- a former coworker

YOU FAIL IT!? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31626470)

words, don't gemt B7ig picture. What

Told you so (1)

ugen (93902) | more than 4 years ago | (#31626510)

Here is a link to my own reply previously: http://slashdot.org/comments.pl?sid=1534366&cid=31004066 [slashdot.org]

To summarize - I don't see how the "trust system" has any meaning. I don't actually know anyone at those 160+ companies and I sure as hell don't *trust* any one of them, not as far as I can throw them.

In fact, I don't really trust anyone :) and based on that - see no reason that my SSL connection is more or less safe whether the cert for counterparty is signed by a "good" or "bad" CA. Frankly, I trust my bank or Google mail even less than a CA - so what exactly is there to protect?

"Is SSL becoming pointless?" (1)

John Hasler (414242) | more than 4 years ago | (#31626874)

Only a fool would rely on SSL based on the certificates that come with a browser to protect against government. That isn't what it is for. While I object to government snooping in principle (I object to pretty much all government activity in principle) I really have nothing to fear from the NSA learning what parts I am ordering from Jameco. Firefox, HTTPS, and Perspectives provide adequate assurance that I am communicating with the company I intend and that some clerk at some ISP can't snoop my credit card number. For more important stuff I have GPG.

Self-signed certs are now more secure. Silly. (1)

X.25 (255792) | more than 4 years ago | (#31626992)

Use self-signed certs. I am not talking about being more secure when doing online shopping and other silly things, but for personal/company usage.

For example, if I create my own CA and sign my own certs for my mailserver, I will import my CA cert (or accept cert once, on 1st mail retrieval, although more risky), and no matter what certificate government puts when doing mitm - I'll get a warning.

But if I buy a cert from Verisign and think that I am totally safe now, I would never get any warnings if government inserts their own certificate (generated on-fly by using Verisign issued intermediate cert with CA=TRUE constrain set, for example, if I remember the mechanics right :), when doing mitm. Can be done with sslsniff, if I remember correctly (been a while since I bothered with SSL/TLS stuff)

And government won't be able to get a cert issued by my own CA, so they won't be able to get past the checks, and I will eventually get a popup when any of their certificates show up.

I think this was a known issue since 2002 or so (look up Moxie's work).

What about a DNS TXT record with hints? (1)

DdJ (10790) | more than 4 years ago | (#31627280)

So the problem is that two different CAs could issue certs for the same host, and some have essentially back doors?

Know what I'd like to see? How about a DNS TXT record that tells you what the real, trusted CA for a given site is? Like, let people assert "for my domain, do not trust any certs unless they come from this particular CA", using DNS as an out-of-band channel that would have to be compromised separately from the SSL negotiation.

Wouldn't that be relatively easy to implement (for those who care to), and reasonably effective against anyone who can't compromise the root DNS servers?

Re:What about a DNS TXT record with hints? (0)

Anonymous Coward | more than 4 years ago | (#31627554)

because DNS is certainly a secure system

That's what Government is supposed to do... (1)

mi (197448) | more than 4 years ago | (#31627286)

Enforcing the Law — using, among other things, eavesdropping on communications — and prosecuting wars, are practically the only things, a government of a free country is supposed to do. Because no one else can be allowed to do these things...

Everything else — and I do mean everything: elementary and higher education, personal retirement, health care, communications, transportation — should be left to the competing enterprises. If only because they are much easier to switch from one to another, than it is to change the government...

mi8us 1, Troll) (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31627416)

kn0ws that ever

There's a simlpe way to do this yourself. (1)

DamnStupidElf (649844) | more than 4 years ago | (#31627536)

Disable trust in the root certificates so that your browser always prompts you to verify an SSL certificate until you mark it as trusted. The first time you visit a site, hit it from a few different IP addresses and make sure the SSL cert matches on all the different connections to rule out a MITM attack, then verify the chain of trust up to the now-untrusted root CAs. If you think you can still trust whichever root CA signed the cert, mark the site's cert as fully trusted and the browser won't bug you until the cert changes (either due to legitimate replacement or a MITM attack).

Of course this is mostly a moot point because just about any company will happily comply with law enforcement requests to intercept your connections through a legitimate SSL session.

Certificate Patrol (1)

hile (110782) | more than 4 years ago | (#31627610)

While not a perfect solution, this https://addons.mozilla.org/en-US/firefox/addon/6415" for firefox helps a little bit: it stores the certificates to a sqlite database in your profile and warns if the certificate changes.

If you get mitm on the first connection, you still have a problem, but the extension can at least detect if someone is trying to do it in future...

Provable (1)

fulldecent (598482) | more than 4 years ago | (#31627648)

A single false, signed certificate from anywhere provides undeniable cause to revoke a CA from all browsers.

About time (0)

Anonymous Coward | more than 4 years ago | (#31627706)

I've been crying foul about this for years, and get flame-modded every time. But even here, the researcher missed the issue. If I'm going to wiretap somebody, I'm not going to freaking request a fake key for the domain. I'm going to request the CA's signing key, and *issue* a fake certificate for *EVERY* domain my target goes to. Maybe their first connection times out at times for some reason...whatever...DNS hickup.

Most of the math can be precomputed anyway--the average user would never notice.

My only question is given that somebody "reputable" finally "published" this vulnerability, will firefox finally take self signed keys seriously? Because their attitude in recent releases is freaking disgusting. Just give me a tool to know when the key changes already--and give me some extra cautions if it changes outside a specific window of its expiration date.

Mechanisms exist to prevent these "attacks" (1)

Halo- (175936) | more than 4 years ago | (#31627840)

A lot of these "attacks" can be prevented by properly implementing your PKI. For example, some of the articles (and several commenters) make mention of "using a Root CA to generate sub-CA's which then generate rogue certs". Sure, the system allows this to happen, but it also provides constraints to prevent it. One of usual "basic constraints" (which is an X.509 attribute) of a certificate is: "Max path length" which means: "how deep can a signature chain extend from me, if I am trusted" For most people, there should never be a trusted CA in their keystore which has a max path length greater than 1. (Meaning it can vouch for others, but those others cannot vouch for a second level of trust).

Additionally, all X.509 certificates contain a "Key Usage" field, which specifies what the key can be used to validly sign. For most people, they should never have a certificate in their root store which has the "CA signing" bit set. This is another way to prevent a "trusted" CA from creating a rogue CA which can then issue bad certs.

Finally, there are multiple methods for checking if a certificate is still trusted as part of a regular, ongoing, and sometimes even per-use basis. (OCSP [wikipedia.org] , CRL, etc...) In the past, when I worked on PKI's, these often weren't implemented, but increasingly they are today most browsers support them. (Which is not to say browsers are the only users of X.509 certs.)

What this should mean is that as soon as evidence emerges that a formally "trusted" CA has done something shady, it can quickly be disabled in the field.

In a perfect world, a CA should be sufficiently incented by the threat of being "revoked" via OCSP or whatever that it would never entertain the idea of creating a rogue cert. Imagine the pressure on a large CA like Verisign if they got a root cert yanked. Suddenly ALL of their customers get labeled as compromised.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>