Certificate Blunders May Mean the End For DigiNotar

timothy posted more than 3 years ago | from the web-of-trust-works-by-breaking dept.

Security 128

Certificate Authority DigiNotar is having a rough time of it. dinscott writes with these words from Help Net Security: "After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, around 4200 qualified certificates — i.e. certificates used to create digital signatures — issued by the CA are currently in the process of being revoked and their holders notified of the fact by the Dutch independent post and telecommunication authority (OPTA). Starting from yesterday, OPTA has terminated the accreditation of DigiNotar as a certificate provider for 'qualified' certificates. The revocation of this accreditation also makes DigiNotar unqualified to issue certificates under the PKIoverheid CA."

If you can't play the game, you pay the pain. (0)

Anonymous Coward | more than 3 years ago | (#37413718)

If you can't play the game, you pay the pain.

Re:If you can't play the game, you pay the pain. (0)

Anonymous Coward | more than 3 years ago | (#37413860)

Yup, it's like they couldn't even fulfill their sole reason for existing.

Thanks guys, it's been real.

Re:If you can't play the game, you pay the pain. (0)

amicusNYCL (1538833) | more than 3 years ago | (#37414028)

If only our (US) lawmakers would have had the balls to do the same thing with the banks.

Remember Arthur Andersen Accounting? (1)

billstewart (78916) | more than 3 years ago | (#37415106)

They were the ones who certified Enron's accounts, claiming their books weren't cooked. Oops, it turned out that the books were cooked, and the company whose trade was supposed to be giving you an honest estimate of a company's financial status was exposed as not doing that, and they vanished nearly overnight. (There are leftovers, like their consulting business, but even they changed their name.)

On the other hand, of course there are the bond rating agencies like Moody's and S&P who rated AIG and the banks and all those CDOs as AAA low risk, when many of them were in fact Junk--, and they're still around. But Diginotar doesn't have the same level of governmental backing that the US rating agencies have.

Re:Remember Arthur Andersen Accounting? (0)

Anonymous Coward | more than 3 years ago | (#37416054)

On the other hand, of course there are the bond rating agencies like Moody's and S&P who rated AIG and the banks and all those CDOs as AAA low risk, when many of them were in fact Junk--, and they're still around. But Diginotar doesn't have the same level of governmental backing that the US rating agencies have.

In case you didn't know, Moody's and A.I.G. are related thanks to Berkshire Hathaway (aka the Warren Buffett conglomerate). BH owns a major share of both Moody's and GenRe (aka General Reinsurance Company). After AIG was getting crushed by CDOs and needed to raise capital to preserve its own credit rating, BH's company GenRe tried to bail out AIG with a $500M loan disguised as an insurance premium payment (so AIG could book it as revenue) which was basically accounting fraud. Moody's is basically on the payroll and does what it's told to do and thus is protected by those that pay the bills.

On the other hand, Diginotar was either corrupt or inept at doing their job and let those small-fry criminals undermine their credibility. The criminals who got the bogus certificates didn't have any incentive (or probably any means) to help Diginotar when things started going south.

The moral of the story? If you do something evil or stupid, make sure you are only doing it on behalf of someone who can help you avoid any dire consequences that may come your way. They may be able to save your butt (in AIG's case), or maybe not (in AA's case), but playing ball with small fry who can't back you up will always get you crushed (in Diginotar's case).

In other, unrelated news... (1, Interesting)

girlintraining (1395911) | more than 3 years ago | (#37413728)

In other, unrelated news, a certificate authority was compromised and it's taken months before customers were able to protect themselves. Meanwhile, the government who profited from the breach continues to smile, wave, while Microsoft complies with its request to not invalidate its unethically-obtained certificates for its own citizens.

What's not news and should be: Why the hell we're not moving to ipv6 and telling these corporations to eat a bag of dicks, and our privacy and security is not for sale anymore, rather than just handing out free master keys to anyone with a big enough wallet or gun.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37414218)

What's not news and should be: Why the hell we're not moving to ipv6 and telling these corporations to eat a bag of dicks, and our privacy and security is not for sale anymore, rather than just handing out free master keys to anyone with a big enough wallet or gun.

Wallet? Good question.

Gun? Because it's hard to tell anyone to eat a bag of dicks when the parts of your body required to do so can no longer be considered to be "parts of your body" due to them being separated from each other by terribly rude and inconvenient laws of physics and biology that do not care how loudly you whine on the internet or how many digital signatures your e-petition has.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37414366)

Rant much?

What in *HELL* does ipv6 have to do with security and SSL? IPV6 is a way to route bytes around in a uniform manner much like its predecessor ipv4. If you think it is more 'secure' I would say that is more because people have not really started playing with it yet. Talk to me again in 10 years.

Re:In other, unrelated news... (1)

chronoglass (1353185) | more than 3 years ago | (#37414442)

uhm.. ssl as a wrapper was swiped from the early ipv6 spec to add security to ipv4
it's just built in

ipv6 actually has ALOT more security by default, just lying about.

Re:In other, unrelated news... (1)

icebraining (1313345) | more than 3 years ago | (#37414984)

IPv6 has an alot [blogspot.com] ? How nice.

Ummm, No. (1)

billstewart (78916) | more than 3 years ago | (#37415156)

IPSEC as a wrapper is closely related to the early IPv6 security models. It does provide eavesdropping protection and/or session integrity protection, but it doesn't solve the problem of identifying the party at the other end of the connection - it leaves that to other applications, typically hand-installed pre-shared passwords or else password tokens.

Not only does SSL operate at a different level of the protocol stack, but the important problem it's trying to solve isn't just the eavesdropping, it's primarily the authentication of the party at the other end of the connection.

Re:Ummm, No. (1)

dzr0001 (1053034) | more than 3 years ago | (#37415884)

What the parent said. Implying IPv6 is more secure by default is the type of thing that causes people to be lazy about security. IPv6 does not imply built-in encryption or security of any kind.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37414466)

Umm - thought MS issued an update to toss out these certs last week....same article mentioned that Apple has yet to send out an update to invalidate the certs on OSX browsers...

Funny how that is.

Re:In other, unrelated news... (1)

marmoset (3738) | more than 3 years ago | (#37414798)

same article mentioned that Apple has yet to send out an update to invalidate the certs on OSX browsers...

Bzzt. http://support.apple.com/kb/HT4920 [apple.com]

Re:In other, unrelated news... (1)

increment1 (1722312) | more than 3 years ago | (#37414690)

I'm not sure the parent post should really be moderated up, as it is now, since it seems to be reasonably misinformed.

Firstly, Microsoft has invalidated the cert (at least to my knowledge).

Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks while informing them that our data is not for sale anymore. The concepts (ipv6, dicks, and our data) all seem mutually exclusive.

Re:In other, unrelated news... (1, Interesting)

girlintraining (1395911) | more than 3 years ago | (#37414726)

Firstly, Microsoft has invalidated the cert (at least to my knowledge).

Your knowledge is incorrect [google.nl] . At the request of the Dutch government, Microsoft deliberately did NOT patch its systems from that country... until several weeks later when the government's request was made public and they retracted their request.

Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks

Perhaps not to you, but to the rest of us who have read the standard... end to end encryption means no man in the middle attacks, no certificate authorities, etc. Every organization has access to its own key in DNS, and if someone tries to replace it, anyone who has connected to it previously would know.

Re:In other, unrelated news... (2)

increment1 (1722312) | more than 3 years ago | (#37414990)

Firstly, Microsoft has invalidated the cert (at least to my knowledge).

Your knowledge is incorrect [google.nl] . At the request of the Dutch government, Microsoft deliberately did NOT patch its systems from that country... until several weeks later when the government's request was made public and they retracted their request.

But Microsoft HAS pulled the cert, whereas your comment was written as if they have not yet done so. And my knowledge of this is not incorrect unless you are still implying that Microsoft has yet to invalidate those certs.

Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks

Perhaps not to you, but to the rest of us who have read the standard... end to end encryption means no man in the middle attacks, no certificate authorities, etc. Every organization has access to its own key in DNS, and if someone tries to replace it, anyone who has connected to it previously would know.

It does not mean no man in the middle attacks. Even with IPSec you still have to trust, whether you are trusting a CA or the DNS, you are still trusting. If your ISP is your DNS provider, and they are also the best positioned to implement MITM attacks, then unless you have a shared secret, using a CA in a country like Iran may actually be more secure.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37415010)

Perhaps not to you, but to the rest of us who have read the standard... end to end encryption means no man in the middle attacks, no certificate authorities, etc. Every organization has access to its own key in DNS, and if someone tries to replace it, anyone who has connected to it previously would know.

You may have read it, but you didn't understand it.

You got many things wrong in two sentences! (3, Informative)

billstewart (78916) | more than 3 years ago | (#37415280)

IPv6 security options can give you end-to-end encryption similar to what IPSEC gives you, if you always turn it on.

End to end encryption means that nobody can eavesdrop on connections that you've set up to the party on the far end. If that party is actually the party you think they are, and they're somebody you should trust, that's a Good Thing - if they're a Man In The Middle, you lose (though it reduces the number of ankle-biters who might be trying to eavesdrop on you, and it's kind of comforting to know that your credit card is only being stolen by the Russian Mafia and not by the other people in the coffee shop with you.)

End to End Encryption doesn't give you a way to authenticate connections to people you don't already know. That's a job for certification authorities, or somebody doing a similar job. If you do already know the party at the other end, and have an authenticated connection of some kind (like a pre-shared key or a SecureID token or a courier with a briefcase handcuffed to his arm or a yellow sticky note or a PGP key on a business card that somebody who wasn't an impostor handed you), end-to-end encryption systems can do things like Diffie-Hellman key exchange to bootstrap that into a full connection.

"Every organization has access to its own key in DNS" is an assertion about the DNS system, not the network or transport protocols. It sounds like you're thinking about DNSSEC, which _should_ have been deployed decades ago (but among other problems, they were blocked by the US ITAR anti-crypto mafiosi.) If DNSSEC had been deployed properly along with the DNS system, you could be sure that if you had the correct IP address for microsoft.com, you'd also have the correct public key for setting up connections to microsoft.com's web site, and if you have the correct IP address for m1cr0s0tf.com, you'd also have the correct public key for setting up connections to m1cr0s0tf.com, which might or might not be somebody you want to talk to.

Re:In other, unrelated news... (1)

Anonymous Coward | more than 3 years ago | (#37418306)

Excellent spin. You should find an ambitious governor or lawyer to work for.

At the request of the Dutch government, Microsoft deliberately did NOT patch its systems from that country

Both Mozilla and Microsoft received a request from the Dutch government not to remove the Staat Der Nederlanden root, of which DigiNotar was a CSP. The rationale was based on two mitigating factors:
- there was no evidence of fraudulent certificates issued under this root
- the Dutch citizens were not under immediate threat

Both Mozilla and Microsoft complied initially. Mozilla fucked up their whitelisting (only kept SdN root, removed SdN G2), then changed their mind when the full extent of the breach became apparent. Microsoft merely delayed removing the SdN root for two weeks, and only for the Dutch version. Most businesses around here run the English version.

until several weeks later when the government's request was made public and they retracted their request.

There is no causal relationship between these two statements. GOVcert has not tried to hide or deny these requests, and the government did not publicly revoke their trust in DigiNotar until after the official Fox-IT report was completed.

Our government is clueless about anything IT. You seem to be implying malice where there is none.

re your assertions about IPv6: they have nothing to do with IPv6. See sibling post. IPSEC has been backported to IPv4 as well, DNSSEC is a) not part of the IPv6 spec and b) does not make these attacks impossible.

Re:In other, unrelated news... (1)

hydrofix (1253498) | more than 3 years ago | (#37415050)

Please mod parent down. IPv6 has nothing to do with preventing invalid SSL certs being issued.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37415508)

Uh, IPv6 IPSec isn't enough; you still need CAs or something like the Convergence system that was recently shown off during BlackHat.

Re:In other, unrelated news... (0)

Anonymous Coward | more than 3 years ago | (#37418258)

We're not moving to IPv6 because it's the new SSN (world-wide). They haven't figured out how to "market" to the public yet, though...

But, I've never trusted anything (really) unless I can authenticate it (myself) first. It's not always possible to do so, however, so it limits my on-line choices. So far, it has not negatively affected the quality of my life...

But not the end for the CA system? (3, Insightful)

betterunixthanunix (980855) | more than 3 years ago | (#37413732)

It's not like we have reason to think that other CAs have not had unreported blunders. In fact, we have every reason to think that the whole CA system is broken, and is just hanging on because nobody is willing to put in the effort needed to replace it.

Re:But not the end for the CA system? (1)

vadim_t (324782) | more than 3 years ago | (#37413916)

So what would you replace it with?

Re:But not the end for the CA system? (1)

houstonbofh (602064) | more than 3 years ago | (#37414148)

Gee... If only someone else had an idea... http://convergence.io/ [convergence.io]

Re:But not the end for the CA system? (1)

vadim_t (324782) | more than 3 years ago | (#37414310)

There are lots of problems with that.

Let's see:

It depends on the availability of a third party. SSL works fine with just the server you connect to, but for this you need to talk to the same set of servers for any certificate check. That makes it easy to block. Somebody doing MITM will just block you off Convergence, then you won't know if the self-signed cert is any good.

It doesn't do many of the duties of a CA. It will happily mark as valid a certificate for gma1l.com, with the metadata copied from the gmail certificate.

It's still a CA, except one that follows a different policy. It's just as breakable. What guarantee do you have that their servers return accurate information?

There's this and Perspectives, so we're back to the CA system again. There are multiple providers of this service, and they're going to the CA system of having a list of trusted providers. Except at least the browser vendors require things of a CA. How do you know what's more secure, Convergence or Perspectives? What about when there are 50 of those?

Re:But not the end for the CA system? (3, Insightful)

icebraining (1313345) | more than 3 years ago | (#37415122)

The main benefit from this system is "trust agility". If someone hacks and obtains a root cert from Verisign, what are you (or the browser vendor) going to do? Keep the cert on the browser and risk being MITMed, or removing it and break half of encrypted websites? Diginotar was just a small CA, but what if a big one is hacked?

Convergence/Perspectives lets you have more than one notary verifying each cert, which means you won't break anything if you need to remove trust on one of them. By itself this makes it much better than the CA system, in my opinion.

Re:But not the end for the CA system? (1)

vadim_t (324782) | more than 3 years ago | (#37415396)

The main benefit from this system is "trust agility". If someone hacks and obtains a root cert from Verisign, what are you (or the browser vendor) going to do? Keep the cert on the browser and risk being MITMed, or removing it and break half of encrypted websites? Diginotar was just a small CA, but what if a big one is hacked?

I suggested an alternative in an earlier article: Change to a system of having multiple CA signatures on a cert, so that a CA can revoke without invalidating a certificate. Eg, min 3 signatures required, you get 5, so two can be revoked with no harm.

Convergence/Perspectives lets you have more than one notary verifying each cert, which means you won't break anything if you need to remove trust on one of them. By itself this makes it much better than the CA system, in my opinion.

Yes, but the notaries are much less safe. A CA at least verifies that you control the domain/email address the cert is for, notaries don't even do that, let alone checking that the metadata is correct.

Notaries are also necessarily accessible directly, so they're more vulnerable to attack, and notaries of the same system all work in the same way.

Also, being able to untrust a notary is nice, but how do you know when you need to? It's a run your own if you want deal. I can imagine what will happen: enthusiastic people will set up their notary, forget about it 3 months later, and soon enough there will be lots of unmaintained ones. Your list of notaries will eventually include those running on a forgotten 486 in a closet, insecure multiuser systems, unreliable connections, and so on. Some of that can be policed intentionally, but security can't.

Re:But not the end for the CA system? (1)

icebraining (1313345) | more than 3 years ago | (#37415690)

Yes, but the notaries are much less safe. A CA at least verifies that you control the domain/email address the cert is for, notaries don't even do that, let alone checking that the metadata is correct.

Maybe the existing ones don't, but you could perfectly have ones that do, and you could trust just those. Or have them with different trust levels.

Also, being able to untrust a notary is nice, but how do you know when you need to? It's a run your own if you want deal. I can imagine what will happen: enthusiastic people will set up their notary, forget about it 3 months later, and soon enough there will be lots of unmaintained ones. Your list of notaries will eventually include those running on a forgotten 486 in a closet, insecure multiuser systems, unreliable connections, and so on. Some of that can be policed intentionally, but security can't.

Anyone can run a CA too, doesn't mean most people will trust their signature. Why would you (or your browser's vendor) add some random guy's notary to the trust list?

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37417472)

Gee, that sounds swell!

The public key you sign your electronic documents with could get signed by More than One other Entity, and if you trust an entity that trusts that cert, then it's valid to you. Plus, no one could create a false cert but the original cert holder... so Diginotar could not just sign Google's key without Google's consent...

Man, if ONLY SOMEONE WOULD INVENT PGP!!!

(screw you guys, I'm going home)

Re:But not the end for the CA system? (1)

raynet (51803) | more than 3 years ago | (#37415310)

One thing I like about Convergence is that I can ask it to validate the cert with n+1 notaries which I hope would make it more likely that a "faked" cert and MITM would create an alert at my end. This way, as long as I am using notaries in different countries, I should be able to detect if my country has forced some CA to create wildcard cert for them to listen in to my SSL traffic.

Re:But not the end for the CA system? (1)

vadim_t (324782) | more than 3 years ago | (#37415420)

I don't mind the idea of it in general, I think it can be a useful tool for somebody who knows what's going on, and what the results those systems produce mean.

But I don't think Convergence or Perspectives should replace the CA system. They can augment it, but they lack too many of the functions of a CA to be a good replacement.

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37416022)

CAs are also third parties. You aren't going to get past the need for some trusted third party to authenticate the server you want to connect to. Convergence at least allows more than one intermediary to be trusted, as opposed to SSL where you are allowed precisely one and only one signature.

Most CAs will give you a cert for gma1l because most CAs are robo-signers. That's why we added the EV-CA system, which is what CAs were supposed to be initially. The problem is that if people can get a domain-validated cert for tw1tter or yah0o, then Twitter and Yahoo are going to have to get EV-certs. And when everyone wants EV certs (because domain-validated certs are too easy to get) then Verisign is going to cheapen EV-CA certs the same way they cheapened CA certs just to keep up with demand.

This is a DNS problem, not a CA problem... DNS stores strings, not perceptually unique shapes.

The difference between Convergence and a CA is that there's no relationship between the website owner and the notary. Any notary in your list can tell you what the server's cert is, and you can ask as many notaries as you want. In a further comment you said that multi-signing existing SSL certs might be preferable, but that's actually the wrong approach. Now, browsers are going to want three or more CA certs, which means you have to pay three times as much to get HTTPS. And CAs get three times as much demand for new certs, now, so the market gets even shadier because CAs have to cheapen their services even more.

The thing is, all of the 'duties' of a CA aren't actually being done. They're an illusion. You aren't getting anything by keeping them around, the financial incentives for running them are completely broken, they don't do any of the validation they were supposed to do, they're quite easy to subvert from the perspective of a government, just one CA can spy on the entire internet, CAs can make other people CAs because they need that in order to have a certificate hierarchy, it's too easy to get a trusted CA cert from an nth-level CA, and CAs are protected by the amount of things they sign because every signature means another thing that breaks if the CA is untrusted. CAs provide no guarantee that even a moderately interested adversary isn't MITMing you - in fact, if you have the resources to execute an MITM attack, you probably have the resources to get the proper SSL certs in order to do so.

notary systems aren't hard to understand (1)

Onymous Coward (97719) | more than 3 years ago | (#37416270)

It depends on the availability of a third party. SSL works fine with just the server you connect to, but for this you need to talk to the same set of servers for any certificate check. That makes it easy to block. Somebody doing MITM will just block you off Convergence, then you won't know if the self-signed cert is any good.

  • CA SSL requires "third party" net access for certificate revocation checks (OCSP).
  • That CA SSL cert revocation using third parties is (as it's handled in most situations) susceptible to replay attack.
  • Blocking a potential victim's access to n out of m notaries (where n equals something of the user's choice and m equals a potentially huge number of systems) is an unlikely attack.
  • The user may decide to change their current list of notaries to circumvent a block. ("trust agility")
  • Convergence notaries appear to use HTTPS, so blocking becomes yet more challenging.
  • Convergence caches good certs, so the block has to occur at the right time.

It doesn't do many of the duties of a CA. It will happily mark as valid a certificate for gma1l.com, with the metadata copied from the gmail certificate.

It's not the metadata that's the threat during a phishing attack. The threat comes from being a CA-signed cert, which, regardless of the name in the cert, your browser tells you is "secure".

Or maybe you're saying that CAs protect against people registering look-alike domains? I doubt that.

And (simple) notaries don't mark certs as valid, they report them as seen. Then you (via configuration of your software) decide on what is valid.

I would believe a handful of trusted notaries who all say they've seen gmail.com using certificate abc123 for a whole week. More so than I would trust when just one of several hundred race-to-the-bottom CAs in my browser says that certificate xyz789 is gmail.com.

It's still a CA, except one that follows a different policy. It's just as breakable. What guarantee do you have that their servers return accurate information?

I think maybe you're not clear on the concept of notaries or "multiple perspectives". Or "trust agility".

Anyone unclear on the concept should check out this great video on how notary systems work [youtube.com] .

Re:notary systems aren't hard to understand (1)

vadim_t (324782) | more than 3 years ago | (#37418102)

CA SSL requires "third party" net access for certificate revocation checks (OCSP).

That's a lot harder to abuse, though. Revocations are rare. A site that keeps using a revoked cert for very long is even rarer.

That CA SSL cert revocation using third parties is (as it's handled in most situations) susceptible to replay attack.

But to exploit that, you need to find a site that has something valuable, that's still using a compromised cert, to have the private key to that cert, and to replay OCSP. That's pretty tough. That needs to be a specific, targeted attack.

In comparison, an open wifi network that blocks Convergence can be set up once and just left there until somebody falls for it.

Blocking a potential victim's access to n out of m notaries (where n equals something of the user's choice and m equals a potentially huge number of systems) is an unlikely attack.

The user may decide to change their current list of notaries to circumvent a block. ("trust agility")

Extremely easy, actually. Just run a wireless AP. The notary list is public. You can block every notary automatically with a shell script, or blocking by port.

Convergence notaries appear to use HTTPS, so blocking becomes yet more challenging.

Not in the slightest, you fetch the public notary list and firewall off everything in there. SSL doesn't help.

Now with the current CA system that doesn't do you any good. You can block access to OCSP, but as I said above you need a number of other things for that to allow you to compromise something. Or you can block the server the user is trying to connect to, but that's pointless.

Convergence caches good certs, so the block has to occur at the right time.

It's still a lot easier though. Run an AP in a public place and you'll catch somebody sooner or later.
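
Added example, not part of any comment in this thread and not Convergence or Perspectives code: a sketch of the n-of-m decision argued over above, where notaries only report the certificate they have seen, the client applies its own quorum, dropping a notary leaves the quorum reachable, and blocked notaries never count as agreement. The notary names, the `evaluate` policy and the sample "certificates" are assumptions constructed for illustration.

```python
"""Client-side notary quorum check (illustrative policy, constructed data)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class Verdict(Enum):
    TRUSTED = "trusted"            # enough trusted notaries saw this same cert
    MISMATCH = "mismatch"          # notaries saw a different cert than we were served
    INCONCLUSIVE = "inconclusive"  # too few usable answers; caller must fail closed


@dataclass(frozen=True)
class NotaryReply:
    notary: str                 # hypothetical notary name
    fingerprint: Optional[str]  # None means the notary could not be reached
    days_seen: int = 0          # how long the notary has observed this cert


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes the server presented."""
    return hashlib.sha256(cert_der).hexdigest()


def evaluate(presented_fp: str, replies: Iterable[NotaryReply],
             trusted: Set[str], quorum: int, min_days: int = 0) -> Verdict:
    """Decide whether to accept presented_fp given what trusted notaries report."""
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    agree = conflict = 0
    counted = set()
    for reply in replies:
        # Ignore notaries we do not trust and duplicate answers from one notary.
        if reply.notary not in trusted or reply.notary in counted:
            continue
        counted.add(reply.notary)
        if reply.fingerprint is None:
            continue                      # unreachable: neither agrees nor conflicts
        if reply.fingerprint != presented_fp:
            conflict += 1                 # notary sees a different cert for this host
        elif reply.days_seen >= min_days:
            agree += 1                    # same cert, observed for long enough
    if agree >= quorum:
        return Verdict.TRUSTED
    if conflict:
        return Verdict.MISMATCH
    return Verdict.INCONCLUSIVE


# Constructed sample data: byte strings stand in for DER-encoded certificates.
REAL_FP = fingerprint(b"constructed: certificate the site really serves")
FAKE_FP = fingerprint(b"constructed: certificate injected on the local network")
NOTARIES = {"notary-a", "notary-b", "notary-c", "notary-d", "notary-e"}
SEEN_REAL = [NotaryReply(n, REAL_FP, days_seen=30) for n in sorted(NOTARIES)]
BLOCKED = [NotaryReply(n, None) for n in sorted(NOTARIES)]
NEW_CERT = [NotaryReply(n, REAL_FP, days_seen=1) for n in sorted(NOTARIES)]


def scenarios() -> dict:
    """Run the cases raised in the thread with a 3-of-5 quorum and a 7-day minimum."""
    three = NOTARIES - {"notary-d", "notary-e"}
    return {
        "normal": evaluate(REAL_FP, SEEN_REAL, NOTARIES, 3, 7),
        "local_mitm": evaluate(FAKE_FP, SEEN_REAL, NOTARIES, 3, 7),
        "notaries_blocked": evaluate(FAKE_FP, BLOCKED, NOTARIES, 3, 7),
        "two_notaries_distrusted": evaluate(REAL_FP, SEEN_REAL, three, 3, 7),
        "three_notaries_distrusted": evaluate(
            REAL_FP, SEEN_REAL, {"notary-a", "notary-b"}, 3, 7),
        "cert_seen_one_day": evaluate(REAL_FP, NEW_CERT, NOTARIES, 3, 7),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict.value}")
```

The policy only helps if the caller treats `INCONCLUSIVE` exactly like `MISMATCH` and refuses the connection; a client that falls back to accepting the certificate when no notary answers is open to the blocking scenario described in the comment above.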

The Browser-trusts-many-CAs system (3, Interesting)

billstewart (78916) | more than 3 years ago | (#37415540)

The current system is that your browser ships with a bunch of CA's listed in it, many of which are currently in business, and some of which are trustable, and some of which are random corporate leftovers run by shadowy anonymous figures, and if you're like most people you haven't bothered listing them (or if you did, it was years ago.) So from a technical standpoint, perhaps you're in deep trouble, but it's your own fault because you didn't look. See figure 1.

From a business/financial standpoint, it's different. Many of those CAs are run by reputable firms, whose business models are that they'll give a certificate to anybody who pays them $100 (or whatever the going rate is this year), and they'll certify that the payer's credit card was good, and maybe, just maybe, they'll only deliver the SSL certificate to an email address or web site that matches the keys they just certified, or do some similarly minimal level of validation. Some of the CAs, of course, require more documentation, charge more money, and provide methods for a user to validate one of their certificates other than using it and seeing if their browser flagged it. But not everybody uses those CAs - Microsoft.com probably does, and Microsfot.cm probably doesn't. So from a business/financial standpoint, you're in sort of the same condition you were in in the previous paragraph, except that you can rely on the financial guarantees that the CA gave you, the user of a browser that trusted their certificate, unless you didn't pay them anything, in which case you should also see figure 1.

Back to technology, there's the problem of whether a certificate is still good. That's backed by three things, expiration dates on the certificates, ability to validate a certificate chain, and revocation lists that the CAs provide to deal with the problem of certificates that were compromised before they expired. Expiration dates on most certificates tend to either be the remaining fraction of one year (because the CA is charging for them on an annual basis) or "already expired". And that certificate chain's useful, if the CAs on it are still in business and their certificates haven't already expired, unless their certification system has been compromised without being detected, in which case see figure 1.

And then there's the user interface issue - if you're directly using a browser, and everything's good, it'll probably turn a little lock icon green, which you won't notice. Otherwise, it'll give you a dialog box, "Security problem - See figure 1 [Click OK]", and you'll click OK, and you'll either feel fine, or you'll have this little nagging feeling that something was wrong, but you're not sure what.

And then there's the financial layer again. If the certificate was protecting your credit card number, and you're in the US, you're liable for at most $50 if it got stolen, and otherwise it was probably just protecting your Facebook account, in which case the worst that'll happen is somebody posting rude notes to your friends, or overwatering the shrubbery in your farm. So fundamentally, you don't care that the CA system is broken.

One of the advantages of having been one of the early cypherpunks is that I got to watch a lot of this stuff develop, see many of the things that were done right or wrong, and know a lot of people who are either much smarter than I am (too many of them to list here) or who went out and Did The Right Thing at the Right Time (special shout-out to the Netscape folks, who went and shipped encryption for free even though the legality was dubious, which not only catalyzed the internet commerce business but broke the government's anti-crypto stronghold.) Lots of the solutions that shipped weren't perfect, and lots of the solutions that were Perfect never shipped, and lots of the solutions people spent time on didn't have problems associated with them, but it did still transform the world.

DNSSEC could have been a better solution (1)

billstewart (78916) | more than 3 years ago | (#37415630)

If we had shipped DNSSEC back before web commerce became widespread, we'd be in a lot better shape. You'd be able to know that the public key you had for microsoft.com was owned by the people who'd registered the name microsoft.com with the .com domain registry, and that the public key you had for www.microsoft.com was certified by the people who owned the name microsoft.com. It's not perfect - you'd have just as much certainty that the public key you had for mocrosoft.cm was owned by the people who'd registered that name with the .cm domain registry, which wouldn't tell you anything about whether it was really Bill Gates's company - but at least you'd know that if you were talking to www.microsoft.com, the only people who could eavesdrop were the people who ran the website you were talking to.

There were organizational/political reasons this didn't happen. The NSA/FBI/etc. used the anti-Communist ITAR rules to prevent export of DNSSEC code, even a "bones" version that John Gilmore developed that didn't include the crypto modules, and the RSA patent made it difficult to use it even in the US. And once ICANN took over the domain name business, it was obvious that the only IP they cared about was Intellectual Property, not the Internet Protocol, and they dragged their heels for years, probably partly as a favor to the US government, who'd given them their quasi-monopoly position and could take it away from them if it wanted.

There were also technical issues - the protocol had to make tradeoffs between the people who wanted perfect security and the people who wanted scalability, and while certifying the properties of domain names that do exist scales really well, certifying the non-existence of domain names that don't exist is a lot trickier, but the perfect-security folks thought it needed to be done. And error handling is hard - DNS resolvers usually live at a part of the protocol stack and applications infrastructure that doesn't have a user interface, and they have to handle cases like "here's the IP address but the certificate's invalid, do you want to connect anyway?" and "here's the IP address but the cert's invalid" and "that IP address has a reverse-lookup that resolves to 42 different names, 13 of which have matching forward certificates" and such.

It's not like the current CA system doesn't have serious problems as well, but it did get there first, which carries a lot of infrastructural weight, especially when the people running the DNS system are also selling CAs.

Re:But not the end for the CA system? (1)

SmurfButcher Bob (313810) | more than 3 years ago | (#37415996)

TSA Agents!

Re:But not the end for the CA system? (1)

0123456 (636235) | more than 3 years ago | (#37413946)

It's not like we have reason to think that other CAs have not had unreported blunders.

If they had, then someone should have copies of the fake certificates and could demonstrate that the CA was broken; any widespread use would have handed the certificate to so many people that it should easily be provable.

Otherwise that's about as logical an argument as saying there's no reason to think that I have not slept with Natalie Portman.

Re:But not the end for the CA system? (1)

Amouth (879122) | more than 3 years ago | (#37413994)

problem is - for the people who break the CA's there is ALOT of money to be made. Very few people who that that chance would pass up the money to show the world that xCorp is corrupt.

Re:But not the end for the CA system? (1)

0123456 (636235) | more than 3 years ago | (#37414074)

problem is - for the people who break the CA's there is ALOT of money to be made. Very few people who that that chance would pass up the money to show the world that xCorp is corrupt.

They're not the ones who would be showing it. If you hack into xCorp and generate a fake certificate it's useless to you unless you then hand that certificate to your victims. Those victims can then show that certificate as proof that xCorp is handing out fake certificates.

Since no-one has shown such certificates for CAs who aren't yet known to be compromised, we can be fairly sure the others haven't been.

Of course that may be luck rather than good security practices.

Re:But not the end for the CA system? (1)

houstonbofh (602064) | more than 3 years ago | (#37414172)

And how does the PHB know the certificate is fake to present it?

Re:But not the end for the CA system? (1)

Amouth (879122) | more than 3 years ago | (#37414414)

if you have successfully created a fake cert from a CA - the only people who can verify that it is rogue are:

A) the CA via audit on what they have issued (which might not show it as fake as it might be in their logs)
B) the domain it says it's for, who ever owns it should be able to audit against their requested certs (for some places this might take awhile)
C) the person who faked it.

Notice NONE of the people are the end users, an actual faked cert from a CA is indistinguishable from an authentic cert from the same CA to the end client. Hence the very real danger and very severe problem we are faced with.

Re:But not the end for the CA system? (1)

0123456 (636235) | more than 3 years ago | (#37414578)

B) the domain it says it's for, who ever owns it should be able to audit against their requested certs (for some places this might take awhile)

Exactly. If I produce a certificate for www.google.com signed by BadCA, then you can easily verify that it's not the certificate that www.google.com is sending to you over SSL, and then Google can verify that it's a certificate they've never used. And if it's a CA that Google don't use then a simple 'there's something odd going on here' check is trivial ('why is www.google.com sending me a certificate from a CA in Nowhereistan?').

Re:But not the end for the CA system? (1)

Amouth (879122) | more than 3 years ago | (#37414788)

i'm sorry but do you not understand the basics of a Man In The Middle attack? and the value of a fake cert in that scenario?

in any decent MITM attack - if i'm trying to spoof google for you - then any request from you for google will go through me and i will respond with the right answer, currently under this scenario the 3rd party trusted CA on your local machine is the only way an end user has to verify that what i say is true or false.. compromising the CA in this case allows me to make a cert that your local machine will think what i say is true.

what you are wanting is something that Moxie Marlinspike thought up called convergence

http://convergence.io/ [convergence.io]

Basically moving away from a single CA signing and allowing for more than one verification path. In this case the only way to MITM would be to compromise all of your trusts.
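
The multi-path check described in the comment above, as an added sketch that is not part of the thread and is not Convergence's protocol or code: the certificate seen on the local path is compared with what several independent vantage points saw for the same host, so a forged but validly signed certificate on one path is no longer enough. The notary names, the quorum policy and the byte strings standing in for certificates are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class Verdict:
    trusted: bool
    agree: int
    disagree: int
    unreachable: int
    reason: str


def check_with_notaries(local_der: bytes,
                        notary_views: Dict[str, Optional[bytes]],
                        quorum: int) -> Verdict:
    """Compare the locally received certificate with other vantage points.

    notary_views maps a (hypothetical) notary name to the DER bytes that
    notary observed for the same host, or None if it could not be reached.
    The policy fails closed: any disagreement, or too few confirmations,
    means the certificate is not trusted.
    """
    local_fp = fingerprint(local_der)
    agree = disagree = unreachable = 0
    for seen in notary_views.values():
        if seen is None:
            unreachable += 1
        elif fingerprint(seen) == local_fp:
            agree += 1
        else:
            disagree += 1

    if disagree:
        # A CA signature cannot tell these certificates apart; only the
        # difference between network paths exposes the substitution.
        # A site that legitimately serves different certificates from
        # different servers would also land here and need an exception.
        return Verdict(False, agree, disagree, unreachable,
                       "other paths see a different certificate")
    if agree < quorum:
        return Verdict(False, agree, disagree, unreachable,
                       "too few notaries reachable to confirm")
    return Verdict(True, agree, disagree, unreachable,
                   "all reachable notaries confirm this certificate")


# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE = b"constructed-cert: CN=www.example.test issuer=CA-A key=1111"
FORGED = b"constructed-cert: CN=www.example.test issuer=CA-B key=9999"


def demo() -> Dict[str, Verdict]:
    everyone_sees_genuine = {"n1": GENUINE, "n2": GENUINE, "n3": GENUINE}
    return {
        # No interception: local view matches every notary.
        "clean_path": check_with_notaries(GENUINE, everyone_sees_genuine, 2),
        # Local interception: only the client's own path carries FORGED.
        "local_mitm": check_with_notaries(FORGED, everyone_sees_genuine, 2),
        # Notaries blocked: one confirmation is below the quorum of two.
        "notaries_down": check_with_notaries(
            GENUINE, {"n1": GENUINE, "n2": None, "n3": None}, 2),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```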

Re:But not the end for the CA system? (1)

dgatwood (11270) | more than 3 years ago | (#37415152)

Mandatory DNSSEC with public keys stored in the DNS record would achieve the exact same level of security without adding all sorts of unnecessary P2P traffic.

The only thing that the CAs ostensibly offered was some indication that the site was owned by an actual brick-and-mortar identity at some physical address, and when they switched to domain validation, even that advantage went away. Thus, they're basically vestigial. I similarly see no reason why a scheme like the one linked above would be any better in a DNSSEC-enabled world.

Re:But not the end for the CA system? (1)

raynet (51803) | more than 3 years ago | (#37415348)

Doesn't DNSSEC still require a point of trust, the root dns providers in this case? How is that any better than we now have with SSL CA's?

Re:But not the end for the CA system? (1)

Amouth (879122) | more than 3 years ago | (#37415448)

it isn't - DNSSEC in its current incarnation has the exact same single point of failure as the current CA system.

Also DNSSEC is useless to a local MITM as long as clients support normal DNS as you can arp poison clients to believe you are their DNS server and respond with no DNSSEC records for the host and use your faked CA cert.

the point of the p2p traffic is that for a MITM to work they would have to intercept all points of trust, which while not impossible is far more difficult than exploiting a single point of failure.

Re:But not the end for the CA system? (1)

chronoglass (1353185) | more than 3 years ago | (#37414614)

this is true.. really a faked cert from a CA.. isn't fake.. it's real. it's like getting your "fake" ID from the DMV..

Re:But not the end for the CA system? (1)

El Capitaine (973850) | more than 3 years ago | (#37415198)

If you manage to hack the CA that issues the cert that Google uses and issue your own cert for www.google.com, then yes.

Otherwise, it's like getting your "fake" ID from whatever the DMV is called in the Netherlands.

Re:But not the end for the CA system? (0)

robably (1044462) | more than 3 years ago | (#37414202)

ALOT ISNOT AWORD

Re:But not the end for the CA system? (1)

Amouth (879122) | more than 3 years ago | (#37414368)

But it is two (A LOT) and /. doesn't let you edit posts..

I'm so glad that a single missing space is more important to you then the discussion of weather the CA's we use to trust transactions on the internet are, well trustworthy.

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414438)

Because you elected to reply to that post...

You wanted to use the word 'whether' and not 'weather'. Weather has to do if it's raining or sunny, etc...

And now someone else will say something and this cycle will rinse and repeat.

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414634)

I'm so glad that a single miss-spelled word is more important to you then the discussion of if the CA's we use to trust transactions on the internet are, well trustworthy.

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414802)

Because you elected to reply to that post...

You misspelled "misspelled". Also, you wanted to use "than" rather than "then". "Than" refers to a comparison, while "then" refers to a chain of events or period of time. I realize that you were attempting to keep the cycle going and copied then pasted the original quote while making slight modifications to ensure the continuance of the cycle.

P.S. C-C-C-Combo Breaker!

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414834)

I'll sea your too words and raise you tree.

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414456)

You hurt my ALOT's feelings. You should apologize, his species has been discriminated all across the web for far too long.

Re:But not the end for the CA system? (1)

lennier (44736) | more than 3 years ago | (#37414520)

I care about this Alot [blogspot.com] .

Re:But not the end for the CA system? (0)

Anonymous Coward | more than 3 years ago | (#37414124)

Otherwise that's about as logical an argument as saying there's no reason to think that I have not slept with Natalie Portman.

You lucky bastard.

Re:But not the end for the CA system? (1)

networkBoy (774728) | more than 3 years ago | (#37414204)

I am soooo jealous.

I assume you are truthful in all your statements.

Re:But not the end for the CA system? (1)

sjames (1099) | more than 3 years ago | (#37415090)

Unless nobody happens to have noticed because the browser display for a fake (but "valid") cert and the genuine article are identical unless you right click-page info-security just to be sure, exactly like practically nobody ever does.

Excellent (2)

vadim_t (324782) | more than 3 years ago | (#37413752)

Hopefully this will get the other CAs worried and motivate them to get better security.

Re:Excellent (1)

h4rr4r (612664) | more than 3 years ago | (#37413802)

Why?
They had a good run with no security at all and could pocket lots of money because of that. Clearly the lesson here is to not do any security, fold up shop if you lose accreditation and start up another CA.

Re:Excellent (1)

MozeeToby (1163751) | more than 3 years ago | (#37414054)

Your argument only works if several conditions are met:

A) They made more money than the fallout is going to cost them. It isn't cheap to close down a major business, there are lots of bills to be paid and lots of backseat accountants from both the creditors and the government making sure you don't fudge the math in your favor.

B) The people who profited from DigiNotar have enough capital or credit left over to start another major corporation

C) Most doubtful of all, that they can convince people to trust them again. I don't see any of the major browser manufacturers touching the people responsible for this with a 10 foot pole. I'd be shocked if some of the fraudulent certificates weren't for websites owned by one of the big four browser developers (Google, Microsoft, Firefox, Apple). I'd think any one of those would be prime targets.

Re:Excellent (1)

h4rr4r (612664) | more than 3 years ago | (#37415226)

A) the CxOs will get their golden parachutes first, and that will be legal since employees are paid before anyone else.

B) See A

C) They will then buy up a small CA to get its trusted status. For profit colleges do this all the time. They buy up small struggling universities/colleges just to get their accreditation.

Re:Excellent (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#37413808)

For values of "security" that include "PR", I have no doubt that it will...

Re:Excellent (1)

amorsen (7485) | more than 3 years ago | (#37414062)

In a free market, if you can sell certificates for $5 with lousy security and $10 with decent security, and you have a 10% risk of losing everything with lousy security and 0% with decent security, the companies with decent security go bankrupt rapidly. After all, why pay $10 when you get the same for $5? A breach of ANY registrar is as bad as a breach of YOUR registrar.

Re:Excellent (0)

Anonymous Coward | more than 3 years ago | (#37418376)

No, an immediate, no-forewarning revocation of CA root certificate across all systems means that if it is your CA you are out of business until you get a new certificate.
If it's some other CA there's only a risk of MITM attacks against you, which is no real risk for you as a business.
Of course this means that things like Microsoft delaying the revocation patch (even if only in some regions) or as in previous cases no revocation at all causes severe long-term damage to the security of the system.

The Price Of Trust (5, Insightful)

Wiz-Hum-Mal-Cha (2443796) | more than 3 years ago | (#37413774)

If getting compromised and issuing bad certificates *didn't* cost you your position of trust, then what credibility would the certification process have anyway?

And good riddance to them... (5, Insightful)

SigILL (6475) | more than 3 years ago | (#37413776)

If you won't properly separate your security-critical systems from your Internet-facing systems, or cannot even keep them from being rooted multiple times, you have no business being a CA.

Honestly, it's understandable DigiNotar didn't want this information out: bankruptcy is inevitable now, and that's bad for shareholder value.

Re:And good riddance to them... (1)

msobkow (48369) | more than 3 years ago | (#37413900)

Yeah, it's pretty hard to avoid bankruptcy when your primary business has been shut down.

Re:And good riddance to them... (1)

SigILL (6475) | more than 3 years ago | (#37413948)

I wonder why they don't just wind down all activities and give up. That has to be the cheapest way to resolve this. I don't think even a name change will help them now.

Re:And good riddance to them... (4, Informative)

maxume (22995) | more than 3 years ago | (#37414322)

The Dutch government took over operation of the company more than a week ago. It is basically already defunct.

http://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/factsheet-fraudulently-issued-security-certificate-discovered.html [govcert.nl]

Re:And good riddance to them... (1)

drolli (522659) | more than 3 years ago | (#37414490)

Well, in SCOs case it took some time....

Re:And good riddance to them... (0)

Anonymous Coward | more than 3 years ago | (#37414052)

Sadly, shareholder means Staat der Nederlanden here.

Re:And good riddance to them... (1)

SigILL (6475) | more than 3 years ago | (#37414448)

Nope, it's owned by VASCO [wikipedia.org] , which is publicly traded.

Re:And good riddance to them... (0)

Anonymous Coward | more than 3 years ago | (#37414922)

Poor shareholders. I'm in tears.

The people that will really suffer from this are the employees of DigiNotar. Now the incompetent management (oh we know we got rooted but why would we tell anyone?) and possibly (don't have enough info to actually judge them) the administrators in charge of the system might deserve losing their jobs but there will be a lot of people at DigiNotar that could have done nothing to prevent this. They are the ones suffering from this.

Unfortunately... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#37413854)

Those responsible at Diginotar are unlikely to feel anything more than (possible) economic consequences. Based on the location of the MiTM attacks, their incompetence wasn't responsible for some penny-ante credit card scamming, it was employed to advance surveillance by a somewhat ideologically touchy state. It would be entirely within the realm of possibility that somebody is doing hard time right now because they fucked up...

Re:Unfortunately... (1)

idontgno (624372) | more than 3 years ago | (#37414544)

Or, to look at it from a business perspective, no meaningful liability until someone can press some kind of human-rights-related lawsuit. Whereas if money had been lost, LOOK OUT.

Sounds like Diginotar came out ahead in the client liability front.

"Certificate Blunders May Mean the End.." (3, Insightful)

Dynamoo (527749) | more than 3 years ago | (#37413924)

What.. you reckon? They were tasked to do ONE THING and ended up in an epic case of fail and pwnage.

I'm sure they're already working on this (1)

dingen (958134) | more than 3 years ago | (#37413964)

This is a popular Dutch comic: http://foksuk.nl/nl?cm=79&ctime=1315260000 [foksuk.nl]

The guy on the left says something like "Don't panic, people. In about three months..." and the other guy continues: "...we'll have a different name and a different corporate identity!"

alternatives to DigiNotar (0)

nimbius (983462) | more than 3 years ago | (#37414170)

include Pidgy and Dragonite. both are formidable but the latter is a fully realized dragon type so it's pretty powerful.

What did they think was going to happen? (1)

Synerg1y (2169962) | more than 3 years ago | (#37414936)

Having your product proved defective spells the end for most companies, GM almost went under and they are 1000x the size. PR and image > everything.

Shame certs are set up in a manner where it is very difficult to fix... anything wrong with them. I believe in the whole handshake principle, but why are there root certs on my computer by default? I feel I should have to sign a EULA for those outside of the windows EULA.

  Sure it's inconvenient, but I really really really don't need MS or DigiNotar telling me what/ who to trust out of the box. Maybe I don't want to trust microsoft.com cause ms just got owned by a monopoly suite..

The correct implementation would be every site has a cert and YOU choose which ones to trust, this would require the browser to implement features such as warnings on when a cert is expiring as well as user education, but if you want security, you typically need to trade convenience for it, thus my bank's 4 step login process, I had to re-memorize my answers several times and call customer service twice to unlock my account, but in the end, it's nearly impossible to break at least through front facing means. Make sense? Such is life.

Re:What did they think was going to happen? (0)

Anonymous Coward | more than 3 years ago | (#37415148)

I presume you didn't mean

"PR & Image are greater than everything"

IMHO: being part of "everything" and all, it would be rather difficult to be greater than the sum of its parts.

More hush hush (1)

Billly Gates (198444) | more than 3 years ago | (#37415064)

So if this happened to one CA who got compromised what makes you think others will now disclose they were hacked?

If it happens again to someone else they sure as hell won't announce it as any CEO will want to keep his job more than protect the web. If anything this could make the web less safe.

Re:More hush hush (1)

brinebold (1209806) | more than 3 years ago | (#37416532)

They haven't been revoked by these major software developers (essentially destroyed as a CA) because they were hacked. They were killed because they didn't tell anyone about it when they found the invalid certificate and revoked it themselves. It's the failure to come clean and say 'we were hacked, here's what was compromised, and here's how we fixed it.' They lost their entire business instead of getting some bad PR because they tried to cover it up and assumptions are that next time they are hacked, we might never hear about it while someone quietly impersonates a trusted entity for years. Comodo is still around in spite of being hacked because they handled the incident openly.

Already dead (4, Interesting)

plsuh (129598) | more than 3 years ago | (#37415076)

This is just going through the motions. DigiNotar has been dead since August 30, when Google, Mozilla, and Microsoft all revoked trust in their certificates. Anyone with at least two brain cells (which seems to exclude a large number of managers, unfortunately) could see the writing on the wall. No one would ever buy a new DigiNotar certificate, since it would always pop up a scary warning to the user in a web browser. Why bother with buying a certificate from DigiNotar and dealing with the resulting end-user support issues, when you can buy from someone else and not have to deal with the problem?

More interesting to me is what will happen to DigiNotar's corporate parent, Vasco Data Security? The purchase of DigiNotar is relatively recent (January 10, 2011), so it's not clear how much influence Vasco's management had over DigiNotar's operations. At the very least, Vasco is going to need to pay for an audit of its own systems to reassure its direct customers.

--Paul

Re:Already dead (0)

Anonymous Coward | more than 3 years ago | (#37417106)

so it's not clear how much influence Vasco's management had over DigiNotar's operations.

What's not clear? As of January 10, Vasco had complete and total control over DigiNotar's operations. Vasco could have replaced DigiNotar's management team with a dead parrot (which, come to think of it, would have been about the same effectiveness as whatever they did do).

Re:Already dead (0)

Anonymous Coward | more than 3 years ago | (#37417918)

But it is also not clear how much influence DigiNotar's management had over the operations.
Management usually are not involved in technical details like those that DigiNotar is now so widely criticized for.

What their management did wrong was not disclosing that there was a problem, once it was known.

Why hasn't this happened to Comodo as well? (0)

Anonymous Coward | more than 3 years ago | (#37415314)

What is different?

Sudden break out of common sense (0)

Anonymous Coward | more than 3 years ago | (#37415810)

Certificate authority, runs Windows. Amazing.

http://nakedsecurity.sophos.com/2011/09/05/operation-black-tulip-fox-its-report-on-the-diginotar-breach/

Thank god they're closed.

T-bag (0)

Anonymous Coward | more than 3 years ago | (#37416056)

Only seeing their CEO being t-bagged would be better than bankruptcy.

Too bad ... (1)

PPH (736903) | more than 3 years ago | (#37416686)

.... they're not a bank. We might have saved them.

Akamai issues SSL cert for www.ice.gov (1)

Animats (122034) | more than 3 years ago | (#37417128)

On a related note, take a look at the certificate on www.ice.gov [ice.gov] .

The certificate hierarchy is

  • GTE CyberTrust Global Root
  • Akamai Subordinate CA 3
  • www.ice.gov

Now that's interesting, and worrisome. Akamai possesses a wildcard subordinate CA cert that permits them to impersonate any site, even U.S. Government sites. Even the chief security officer of Akamai is worried about this. [csoandy.com]

Comodo? (0)

Anonymous Coward | more than 3 years ago | (#37417822)

Can somebody explain what is different between the DigiNotar case and the Comodo case earlier this year? The two cases look similar, but Comodo is still trusted and DigiNotar is not. I hope it is not because Comodo issued so many certificates that it would be inconvenient to not trust them anymore.

Re:Comodo? (0)

Anonymous Coward | more than 3 years ago | (#37417944)

In the Comodo case, there were a limited number of fraudulent certs issued and they were revoked and explicitly distrusted by the browsers.
It was known which certificates were issued.
Comodo immediately told the browser developers that there was a problem.

DigiNotar, on the other hand, swept the whole issue under the rug, did not tell anything to the browser developers, and
did not know how many certificates were issued because the breach was such that certificates had been issued for which
there was no logging.
All the company's statements were not taking the issue seriously and mainly focused on the well being of DigiNotar itself,
not considering the effects of its problems to the rest of the world.

SSL needs national/international backing (1)

MrNthDegree (2429298) | more than 3 years ago | (#37418106)

Why can't we have quangos do the signing? Governments can sign for companies, performing EV using their large, centralised databases of companies (e.g. Companies House in the UK).

Individuals may be signed off by the domain registrar subject to receiving basic identity documentation as individuals don't really need full EV'ing for their personal sites.

Anonymous individuals can be signed by a 3rd party and warnings can be given in-browser as to how the identity has not been verified.

Problem solved.
