CNNIC's response to Google (cnnic.cn)
143 points by paradite on April 2, 2015 | 83 comments


This is going to be interesting.

My gut feel is that "rogue root CAs" need to have the fear of having their entire business shut down if they're caught out acting badly, and that CNNIC is the ideal opportunity for US-centric technology companies to take a stand without treading on too many profitable toes. If Microsoft and Apple joined in solidarity and announced they're taking CNNIC out of trusted roots (and, to a lesser extent, Mozilla), then it will be clear that the threats to CAs' business/profit have some teeth.

If they let this slide - it'll pretty much be open season for root trusted MITM certs to anyone with a few kilo or mega bucks to spare. It won't stop state-level actors from doing state-level bad-stuff(tm), but it might at least stop them from selling that ability to random big-corps as well.

(And surely the opportunity to stand up to the Chinese Government with broad internet-community backing, especially in the face of the recent Github DDOS - the timing is about as perfect as it's ever likely to get, right?)


How far away are we from being able to kill this ridiculous system? I'm sick of trusting a bunch of certs that are deemed acceptable. Forget security concerns, I'm just appalled that to acceptably do encryption today I need to pay some company! That's wrong.

Okay, so the question isn't actually "how we're going to kill it". It's going to die when there's a better alternative. So the question is really, "What can we do to build a strong web-of-trust system while continuing to use the broken one?"

I see no reason we can't make some browser plugins, get some activism going in the tech community, and start building it. Just report back what cert was served to you.

With that being said, there needs to be a selling point other than building a better internet, otherwise no one will use this plugin. I think there is one, though, and that's security. When your browser comes across a cert that differs, alert the user. You might not get grandma to use it, but it's something.

There are issues with this. I want to anonymously report what cert a website serves me, rather than giving anyone curious my entire browsing history. And also poisoning. But the latter is fixed by using both the existing CA model and the WoT.

So yes, there are some problems. But c'mon, it's 2015, let's fix this already.


> Forget security concerns, I'm just appalled that to acceptably do encryption today I need to pay some company! That's wrong.

Well, you don't need to pay anyone to do encryption. You do need to pay people to do identity verification. That's a more-than-pedantic difference, even though encryption without identity verification is generally meaningless.

First off, you're already paying someone to have a domain name. I sorta understand the distaste on principle, but I've never really understood, as a practical matter, why paying $10+/year for a domain name is totally fine, but paying $5/year on top of that for SSL isn't. (And yes, the race-to-the-bottom has hit $5, see ssls.com. This isn't even counting StartCom and the future Let's Encrypt.)

Second, and related to that, what you're paying them for is the human element in key continuity. If you ever lose your key, you're going to want to be able to regain a key for the same website that you've already published everywhere, that everyone already has localStorage for, etc. And be careful about saying that you don't care: Crypto.cat (which, at this point, definitely knows what they're doing) managed to lock themselves out from SSL by requesting a hardcoded public-key pin and then losing all the public keys they'd pinned. This isn't really a risk that you think is realistic until disaster strikes, and the last thing you want in the middle of a disaster is to have to rename your website and convince everyone that they should use the new site.

And the process of maintaining infrastructure to re-provision certificates to people costs money. It's possible that it could be funded in different ways (just like, e.g., all of the work that goes into the browsers themselves is funded in ways that don't involve charging website owners or users). But there is a thing there that involves humans, there are advantages to it involving humans, and humans need to be paid.


> And yes, the race-to-the-bottom has hit $5, see ssls.com

What's the race to the bottom for wildcard certs though? Looks like $80+/year, which is frankly completely ridiculous seeing as it's exactly the same amount of work for the CA.

The whole thing's a racket, we would honestly be better off using self-signed certs and certificate pinning (perhaps with a global list of cert pins stored in the browser/a server the browser implicitly trusts)

I mean, we have to trust the browser anyway, might as well make it handle all the security


Startssl has wildcard certs if you buy their service at 50$/yr, plus many other stuff.


The $59.90 account only buys you identity verification so that you can get a cert for your own personal domains. When you want to get certs for a company's domains, you also have to pay for organisation verification for another $59.50. In neither case are you allowed to request certificates for domains owned by other entities, even if you are authorized to do so by the owner (e.g. as a service provider). See here: https://www.startssl.com/policy.pdf


https://letsencrypt.com will be offering free certificates this year and will hopefully completely transform the SSL business. Given that extended validation certificates have little if any consumer value, letsencrypt could quickly take over the whole SSL world.


It's a dot org: https://letsencrypt.org


Just to clarify, when I said "acceptably do encryption" I meant "do encryption without requiring a user to wrestle their browser and install my certificate".


Firefox does opportunistic encryption now. :)

http://arstechnica.com/security/2015/04/new-firefox-version-...

It's just that lots of other browsers are hesitant to follow suit, because OE doesn't protect you from most attacks that the average internet user would expect encryption to protect you from (e.g., you shouldn't type credit card numbers into an OE webpage). And even Firefox treats the site as http, not https, although the physical connection is over TLS on port 443. That's what, in the browsers' eyes, is "acceptable" encryption, which is what translates to the user experience of having to override the browsers' warning.


Startssl gives free certificates, and letsencrypt will be joining the party this year as well.


I don't get how it's ridiculous. How do I know that Bank of America's website is actually Bank of America? At least I know _somebody_ checked that it was BoA who is controlling the domain.

It's obviously far from 100%, but the web of trust has to start somewhere. Distributed web-of-trust works for individuals, but am I supposed to go see Jeff Bezos in meatspace before going to amazon.com?

The solution is, of course, delegation. But the end result is you end up with exactly the same CA system as today!


Somebody checked that in the past, yes, but that check doesn't matter for your current connection. Your browser will accept any CA signed cert as valid for the site it's for... if a hacker hacks into a low-profile CA, not even the one that verified BoA, they can MITM you every bit as easily as if they hacked BoA's actual cert authority.

The problem here is that the delegation is too broad; we're delegating verifying all websites to all CAs and assume that all CAs are absolutely trustworthy for it to work. That's ridiculous.

Chrome has a sort-of-solution built on top of this with certificate pinning where the organization gets a cert from the CA, and then gives it to chrome and claims "Only this cert is valid for our site" rather than all CA's certs...

Continuing with our example of BoA, this doesn't matter because they have not opted in [0] to that and in any case that won't apply to non-chrome requests.

[0]: https://code.google.com/p/chromium/codesearch#chromium/src/n...


"Chrome has a sort-of-solution built on top of this"

… which scales up about as far as every domain Google owns/cares about, and a few of their friends/partners/sites-that're-politically-or-business-beneficial-to-Google-to-pin.

I suspect in my 20 odd years of working with ssl protected websites, there's maybe 2 or 3 sites I've worked on that have a hope in hell of getting into Chrome's pin list. If you're outside the US Fortune500 or any other country's Fortune100, how easy is it gonna be to get Google to pin your cert? It's nice if you're Twitter - it's _never_ gonna work for mygreatcatphotos.org.au...

It's useful, and a great thing they're doing, but as you say, it's _very much_ a sort-of-solution. Perhaps more like a very good two or three bandaid solution, directed at the problem of someone with 99% full body covered 3rd degree burns. "Here, I've got your left thumb and your right big toe covered!"


They have pretty little form for it :) https://hstspreload.appspot.com/

My guess is no one bothers to fill out the form due to lack of knowledge about its existence.

Surely they let in more than just their friends ... though yes, I do recognize this isn't scalable.


They've been pushing back against new people preloading public key pins because it's hard to make sure that someone else understands exactly what the consequences are. (Cryptocat, notably, got this wrong.)

But yes, HSTS preloading is totally open, and has been scaling as well as it's been needed.


This is a really good point. So would a good solution be to divvy up the delegation? Though I don't know how that could work (how would you know you're on a bank website? a .bank tld?)

This is tricky, but I still don't get how decentralisation solves things, because the problem is still the same, except now it's a risk of whatever web-of-trust node you're a part of being compromised instead of a CA.


Some pointers for you:

- The Perspectives project (http://perspectives-project.org/) aimed to deploy a range of servers (called notaries), through which you can ask "What cert do you see for https://google.com ?", and compare the response. The idea was that certificates should be mostly the same wherever you're asking from.

- Convergence (https://en.wikipedia.org/wiki/Convergence_(SSL)) is a fork of the same idea.

The issue with both of them is, of course, privacy leaks, which the latest version of convergence (https://github.com/mk-fg/convergence#changes-from-upstream) solves with a custom onion routing. The other problem I see is that it still (in the current form) requires the user to manually edit the notaries list.

So, it does exist, maybe it's just lacking publicity ?
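The notary comparison described in the comment above, as an added example that is not part of the original thread and is not Perspectives or Convergence code: a shell sketch that counts how many notaries report the same certificate fingerprint the client saw. The response file format, the function names and the fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration of notary-style certificate comparison.
# Assumed input (not the Perspectives wire format): one line per notary,
#   <notary-name> <fingerprint>
# with "-" as the fingerprint when the notary could not reach the site.

# Strip colons and lowercase so differently formatted fingerprints compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# notary_verdict <fingerprint-seen-locally> <responses-file> <quorum-percent>
# Prints "match a/t", "mismatch a/t" or "unknown 0/0"; returns 0, 1 or 2.
# a = notaries that saw the same fingerprint, t = notaries that answered.
notary_verdict() {
    seen=$(normalize_fp "$1")
    awk -v seen="$seen" -v quorum="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        $2 == "-" { next }                   # notary had no answer
        {
            fp = tolower($2)
            gsub(/:/, "", fp)
            total++
            if (fp == seen) agree++
        }
        END {
            # No answers at all is "unknown", never a silent pass.
            if (total == 0) { print "unknown 0/0"; exit 2 }
            ok = (agree * 100 >= quorum * total)
            print (ok ? "match" : "mismatch") " " (agree + 0) "/" total
            exit (ok ? 0 : 1)
        }' "$2"
}

# Constructed sample answers: three notaries agree, one is down, one differs.
write_sample_responses() {
    cat > "$1" <<'EOF'
# constructed notary answers for one site
notary-eu   AA:BB:CC:DD:01:02:03:04
notary-us   aabbccdd01020304
notary-asia aa:bb:cc:dd:01:02:03:04
notary-down -
notary-odd  DE:AD:BE:EF:01:02:03:04
EOF
}

demo=$(mktemp)
write_sample_responses "$demo"
notary_verdict "AA:BB:CC:DD:01:02:03:04" "$demo" 75            # match 3/4
notary_verdict "DE:AD:BE:EF:01:02:03:04" "$demo" 75 || true    # mismatch 1/4
rm -f "$demo"
```
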


Why you think the PKI sucks but can't do any better:

https://medium.com/@octskyward/why-you-think-the-pki-sucks-b...

I wrote this article for the Bitcoin community but most of the logic stands for the web too.


Trustworthy entities (e.g., Mr Schneier and Krebs and whoever they trust) could just offer a signed list of pub-key - identity pairs which can be stored in the block chain.

The amount of work needed should be pretty low, they start with the current certificate tree and they just need to update in case of a certificate incident (they probably get this info fast and the update should be easy to do via software). Probably they could sustain this service via donations.


A better solution could be viable but there are entire companies based upon the pki infrastructure.


According to Tim Cook, China is becoming Apple's biggest market. Microsoft software is similarly entrenched in China. There is no way those companies will do anything that jeopardizes that relationship.

I salute Google. For all its forgivable flaws, it stands alone among large corporations in protecting free speech. And the nerve to pull out of the largest internet market on the planet. Kudos.


Your browser, or trusted cert provider, should just have a clear policy that once trust is broken, according to well defined rules, the cert is auto-revoked with no appeal. Then it is only a matter of executing the policy, not an ex post facto political game.

If your trusted source does not have such a policy, drop them.


Do you have any suggestions about where to look for such a "trusted source"?

I fear my comfortable life with iOS/Android/OSX/Windows/mainstream-Linux OSen at my bidding in various devices and niches, would need to change radically to approach that ideal.


That's because everything is growing in China, including probably Android and Chromebooks. Google just had the guts to do the right thing.


Android in China is AOSP or 3rd Party forks, NOT Google Android.

There are no Google services in China, so it's definitely an easier stand to take for Google than for its competitors doing business there.


It's the reverse; there are no Google services in China because they already took a stand.

When the Chinese government demanded to be able to sniff all traffic, Google fought back, refused to play cozy enough with the government, and gave up its chance at a foothold.

There's a whole wiki article on this mess: https://en.wikipedia.org/wiki/Google_China#Ending_of_self-ce...


Google is inaccessible in China. It's banned by Great Firewall.


It's not really banned or inaccessible. But connections are severely throttled down.


It really is inaccessible.


> it stands alone among large corporations in protecting free speech.

As seen in the last few years, Google has a fairly cozy relationship with the US government and intelligence community, so I don't think they're doing this just to "protect free speech". Besides, breaking SSL goes well beyond free speech (e.g. industrial espionage etc).


Really? Everything I've read suggests Google does its best to resist subpoenas, takedowns, etc. Meanwhile, Microsoft was caught red-handed installing backdoors. What am I missing about Google "cozying up to" the US gov?

> breaking SSL goes well beyond free speech (e.g., industrial espionage etc)

So we should thank them for protecting us against that as well?


See this for what I meant: https://wikileaks.org/google-is-not-what-it-seems/

> So we should thank them for protecting us against [compromising SSL] as well?

I'm just saying they have a much wider interest in keeping SSL reasonably secure than just to "defend free speech".


I know it's a bit off topic but I would seriously love to have been a fly on the wall when Apple secured a deal with the likes of China Mobile. There must be conditions attached to access to the largest carrier in the world that just happens to be owned by the Chinese state - especially for a US company with their data collection abilities.


There certainly are. iPhones smuggled into mainland from Hong Kong are sold at a premium. Whatever the reasons for that are among the conditions that Apple must have conceded to to sell legally in the mainland.


The business is between Apple and Chinese people, not between Apple and CNNIC or its evil spawn. They have no reason to keep that rogue root of CNNIC's to protect its users for greater good.


CNNIC is no ordinary CA we are talking about that fears out-of-service. Just like what its name states: China NIC, it is the entity that runs and manages whole block of Chinese part of internet, doing IP allocations and things like that.

Even if everybody decides to take CNNIC root out of their system, I doubt how much it would influence the CNNIC.


At a first guess - any Chinese business wanting to do business with non-Chinese would then have websites which throw up warnings about their CNNIC issued SSL Certs. Surely _some_ of them would see a competitive advantage in the market by going to a non-CNNIC cert? And if the rules make that awkward, surely some of them will choose to host competitive customer marketing sites outside The Great Firewall? By selling inappropriately powerful certs to MCS Holdings, there's a chance they're going to lose some of their understood-but-ignored ability to MITM some (many?) Chinese corporate connections from outside China.


> If they let this slide - it'll pretty much be open season for root trusted MITM certs to anyone with a few kilo or mega bucks to spare.

It's too late. TrustWave got a pass when they did the exact same thing. The message has been sent, there are no repercussions for willfully abusing your CA status. Only incompetence will be punished (DigiNotar).

The CA system is broken. We will never find any authority that everyone in the world agrees to trust.


>"...meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration"

And that, ladies and gentlemen, is exactly what they're doing.


CNNIC's users' rights and interests are not being taken into consideration. Make no mistake, they are looking to protect their customers, not you and I.


Right, their users are the ones who purchase certs, not browsers.


I think the argument here goes "CNNIC is a government department in China. Government departments 'customers' are rarely the people from whom they take money or provide services - their actual 'customers' are other more-powerful government departments, or the current political powerholders."


With great power comes great responsibility. It's not because there was no misuse of the certificates this time that it didn't happen or would not have happened.

I personally have removed their certificates from my system. This is the responsible move to do if you care about your security or don't want your computers to be used as part of the DDoS like we've seen against GitHub.


Does anyone know if there's a way yet to do this on unjailbroken iOS devices?

This suggests no: http://apple.stackexchange.com/questions/23720/how-do-i-un-t...


It looks like not, but here's a list if it helps http://karl.kornel.us/2014/09/an-analysis-of-the-cas-trusted...


> don't want your computers to be used as part of the DDoS like we've seen against GitHub.

Let's not conflate two mostly unrelated things here. Removing this root certificate does nothing to stop this attack against Github.


It prevents your computer from loading an undesired piece of JavaScript in case of a MITM attack. It doesn't prevent things if the server itself serves you malware, but that's another story.


> It prevents your computer from loading undesired piece of JavaScript in case of a MITM attack.

Only if the site you were visiting was over HTTPS, which it was not in the Github attack. Saying that you should remove this certificate if you don't want to participate in the Github attack or similar attacks is simply not true.


Here's how to remove CNNIC from OSX (check two first commands only) https://github.com/logotype/useful-unix-stuff/blob/master/us...

Hope someone finds this useful!


It tells me

  security: SecTrustSettingsRemoveTrustSettings (user): No Trust Settings were found.
  security: SecTrustSettingsRemoveTrustSettings (admin): No Trust Settings were found.


On Debian and Ubuntu systems run this through sudo or as root:

    dpkg-reconfigure ca-certificates

And select/deselect CAs you trust.


Or edit /etc/ca-certificates.conf directly and run update-ca-certificates afterwards (as the file advises).

I'm normally a fan of dpkg-reconfigure, but in this case, paging through 25 screens of 6 certs at a time, without search, is a far worse case than firing up your preferred browser, finding the root you want to revoke, and planting a bang '!' in front of it.

Otherwise, the processes vilda and I describe are identical.
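The `/etc/ca-certificates.conf` edit described in the two comments above, as an added example that is not part of the original thread: a shell function that puts a `!` in front of every active entry matching a pattern, keeps a backup, and reports how many entries changed so a mistyped pattern does not pass silently. The function names and the sample entries are constructed; check your own file for the real entry names, and run `update-ca-certificates` afterwards as the comment says.

```shell
#!/bin/sh
# Added illustration: deselect CA entries in a ca-certificates.conf-style file.
#
# deselect_ca <conf-file> <pattern>
#   Prefixes '!' to every active entry whose path contains <pattern>
#   (case-insensitive). Comment lines (#), blank lines and entries that are
#   already deselected (!) are left untouched. Prints the number of entries
#   changed; returns 1 if nothing matched and 2 on usage or I/O errors.
deselect_ca() {
    conf=$1
    pattern=$2
    [ -n "$pattern" ] || { echo "empty pattern" >&2; return 2; }
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # First pass: count active entries that match.
    changed=$(awk -v pat="$pattern" '
        BEGIN { pat = tolower(pat) }
        /^[#!]/ || /^[ \t]*$/ { next }
        index(tolower($0), pat) { n++ }
        END { print n + 0 }' "$conf")
    if [ "$changed" -eq 0 ]; then
        echo 0
        return 1
    fi

    # Second pass: rewrite from a backup so the original stays recoverable
    # and the file keeps its owner and mode.
    cp -p "$conf" "$conf.bak" || return 2
    awk -v pat="$pattern" '
        BEGIN { pat = tolower(pat) }
        /^[#!]/ || /^[ \t]*$/ { print; next }
        index(tolower($0), pat) { print "!" $0; next }
        { print }' "$conf.bak" > "$conf" || { cp -p "$conf.bak" "$conf"; return 2; }
    echo "$changed"
}

# Constructed sample in the ca-certificates.conf layout (not a real system file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample entries
mozilla/CNNIC_ROOT.crt
mozilla/Sample_cnnic_EV_Root.crt
mozilla/Example_Root_CA.crt
!mozilla/Old_CNNIC_Test.crt
EOF
}

demo=$(mktemp)
write_sample_conf "$demo"
deselect_ca "$demo" cnnic      # prints 2
grep '^!' "$demo"              # the three deselected entries
rm -f "$demo" "$demo.bak"
```
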


Quite the contrast to Google's response:

    We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.


Not really much of a response from CNNIC here. Notice how they spin this situation as Google taking away the rights of others? Google isn't the bad guy here, they're doing the reasonable thing and CNNIC have a lot of explaining to do...


Very true said. Gaining security is always in favor of public and organizations. Google is an authority, and many people take its statement seriously rather than others. And this approach may really take internet to safe side at some point. Nowadays ssl can be found at no price. Letsencrypt is going to provide at free of cost and vendors (like ssl.com and cheapsslshop.com) selling such certs from nominal fee of $4 - $5 per year. In fact Government organization should shake hand with Google and motivate people to adopt such security asap.


Those "others" = the Chinese government.


China's response is kind of funny. But if they have no bad intentions, they can just implement CT and not have to worry about it. Of course, if you read between the lines in the last paragraph, you realize that they do have bad intentions. That last line is quite 1984-ish.


This will head towards a tit for tat thing. Much like the cold war except this time it's cyber in nature.


>2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

...

Does that mean anything?


It probably means that the CNNIC certs will still be valid in China, as Google doesn't directly distribute any software there directly and the Chinese government can tell the Chinese software vendors to trust its cert regardless of what Google thinks.


Their lawful rights and interests will not be affected because, in the opinion of the Chinese government, anyone who uses Chrome in China is doing so unlawfully! (Last time I checked, the GFW blocked Chrome downloads.)


Except there are plenty of Chinese websites (including Baidu) that offer the latest Chrome downloads. In fact, the majority of my friends (I am a Chinese) all use Chrome and they are not software developers. Many Chinese websites are tested against Google Chrome (in addition to IE and Firefox). Put simply, people in China act as if Google Chrome were not blocked at all.


And the binaries aren't modified?


Well, the binaries from reputable sites are not modified. I just downloaded a Google Chrome for OS X from Baidu and successfully verified it with digital signature. Of course, there are also shoddy sites, but that is equally true for American websites.


The difference is that outside of China, you can get your binary straight from Google =P


Interestingly, I cannot get round of CNNIC, as I am likely to operate some services for my employer on Windows Azure in China.

http://www.cnnic.cn/jczyfw/fwqzs/fwqzsdtgg/201403/t20140312_...

Microsoft is using CNNIC certs for their Windows Azure services in China (which of course is independent from Azure services in other regions, and is jointly operated with Chinese partners).

If I marked CNNIC CA as untrustworthy, I would be expecting some alert in my Dashboard page, I guess.


Who are the people and companies that use CNNIC-issued certificates?

CNNIC is a relatively recent addition to most browsers' lists of trusted CAs. Moreover, given the popularity of pirated & never-updated Windows XP in China, it would have been foolish for any serious Chinese business to use an SSL certificate from any vendor other than globally recognized ones like Comodo and Verisign.


Did you know most Chinese browser vendors will explicitly disable SSL certificate validity check?


Proof please


360 browser accepts all certs, incl self signed. no warnings.

also lol: 'high usage numbers are in large part due to the software being very difficult to uninstall. Furthermore, whenever a user attempts to install another browser, a warning pop-up claims that the new browser is unsafe and should not be run'



I think WinXP has come with separate auto root update since RTM.


I find it interesting that visiting the https version of cnnic.cn in Chrome neither displays a lock icon nor a warning, but the certificate is displayed as valid: http://i.imgur.com/fTzxpBh.png


Google is explicitly whitelisting the legitimate end-user certificates CNNIC has issued, and then revoking the root.

Basically they had to hand over a list of all issued certificates, Google reviewed them, and CNNIC can't issue any new ones without asking Google to whitelist it.


Related to their use of SHA1 on the certificate: http://googleonlinesecurity.blogspot.com/2014/09/gradually-s...


Yup, this is it. The cnnic.cn end-entity certificate is SHA-1, which would do it. (I believe there's some sadness involved like Windows XP being excessively prevalent in China, or something... I vaguely recall a discussion of this on the cabforum public list, but I can't find it now.)

If you click on the white page icon and go to the "Connection" tab, it'll say "This site is using outdated security settings," which generally (always, in current Chrome versions?) means SHA-1.


I know a user who runs her own root CA.

She only has one "customer": herself.

Using the OpenSSL binary the cost is free.

She decides which hosts she wants to trust, obtains their certs and signs them.

She believes she can trust her own CA more than any commercial, third party CA.


How does she verify the certs she's getting?


How do the commercial CA's verify customers before issuing certs?

Perhaps she does what they do.

I imagine for example she knows her banker, her lawyer, etc. and can contact them by phone or meet with them in person.

Maybe she also uses her friends to help her decide who to trust.

She only has to verify a relatively small number of hosts compared to a commercial CA.


Who could you possibly call at say Capital One to verify that a change in their certificate was intended instead of malicious?


Your point is understood.

For something like that, I have always thought they should be disseminating their cert via some other means besides an untrusted computer network (i.e., the internet). Or at least give customers another option.

Perhaps making their cert available at branches (e.g., printed on business cards), mailing it to customers with an expository cover letter, or even publishing it in a newspaper or some publicly available printed source.

Maybe these printed copies would be OCR-friendly, maybe not. I think two blobs of text can be compared to each other for differences without using a computer, and I can think of a few ways to make that easier. In any event, this does not seem an insurmountable problem by any stretch of the imagination, at least for me, and in my mind the benefit outweighs the cost.

Not sure about others, but I still get plenty of "official" notifications via postal mail. And with increasing frequency they relate to computer issues.

This makes me wonder why certs "must" be obtained and verified using (a) an untrusted computer network (the internet) and (b) why we need the aid of untrusted third parties often with obvious conflicts of interest to decide for us who else we can trust.

Are these not the two things that "SSL" authentication and encryption is designed to protect against?


CNNIC, you deserve it!



