Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Private I: Trust and verify for network certificate roots

Glenn Fleishman | March 27, 2015
In a post on March 23, Google's security team explained that it had discovered that someone was delivering digital certificates to users for Google domains that weren't authorized by Google. A quick investigation discovered that a Chinese certificate authority (CA), CNNIC, had improperly given a reseller enough power to create verifiable certificates for any domain in the world.

Instead, OS and browser makers release warnings and push micro-updates, often as automatic fixes, either to disable a particular certificate or a set of certificates, or to block an "intermediate" root certificate assigned from a CA to another party, like a reseller.

Two approaches have risen to the fore in providing sites and users with notification, though, one of which I mentioned in passing in 2011.

On the client side, "pinning" is a partial panacea for illegitimate certificates. Before pinning, any CA in the world, and any party they authorized, could issue a certificate that was valid for any domain in the world. Terrifying. It's like letting a guy in an office in Brazil (or Kenya or Ukraine or Utah) make and sell keys to your apartment in Barcelona.

Pinning provides an explicit list of which CAs out of the hundreds that exist are entitled to issue a certificate for a domain. If a certificate appears that was signed by any other CA, bells and alarms go off. Google pioneered this and it's now being expanded. Google pinned its domains inside of its Chrome browser starting in 2011, and let Chrome users enter local pins as well, useful for companies that installed Chrome in large numbers.

Mozilla (Firefox's maker) added pinning in 2014 with version 32 for a set of domains, including its own and Twitter's. It expanded those over subsequent releases to add Google and others.

That's fine for these special cases, but shouldn't this tool be available for all secure sites? I've used just a couple of CAs (though resellers) for the last few years for my web certificates, and it would be delightful to lock off any theoretical attacks against users fooled into thinking they've connected to one of my sites -- much less a small credit union's banking site or a major retailer.

A generic way to let any site publish via its web server which certificate authorities are valid has been in the works for a few years, and is now heavily deployed. HTTPS Strict Transport Security (HSTS) is the moniker, and Apple added it in Safari 7.1 (in Mavericks) and mobile Safari in iOS 8.1. Firefox, Chrome, Opera (desktop), the Android browser and Chrome for Android all support it as well. (Opera Mini and Internet Explorer do not, but IE 12 will.)

I can see right through this exploit

A second bit of help is coming from certificate transparency (CT), which Google is promoting and is still in the process of rolling out. With CT, every CA will have to publish information in a central log whenever (or even some number of hours before) a new certificate is issued. This allows Google and any other entity around the world to keep track of all legitimate certificates while also noting any that are issued by an authority without the authority to do so, based on pinning.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.