[SSL Observatory] Using observatory data to check CAcert

Hanno Böck hanno at hboeck.de
Sat Jul 30 06:47:22 PDT 2011


I've used the observatory data to check CAcert for weak certificates -
and found quite a lot. I'll just paste the blog entry I just published.

http://hboeck.de/archives/785-Using-EFF-SSL-Observatory-to-find-weak-keys-in-CAcert.html

----------------------

I've written in the past about the EFF SSL Observatory. It's a great
project that has scanned the whole IP space for SSL-certificates used
in HTTPS. They provide a database with meta information and their
project found a couple of issues where CAs have issued certificates
with weak security settings and violation of their own policies. CAcert
is a project which tries to be the "better SSL authority" - it issues
certificates for free, based on a web-of-trust community. The CAcert
root certificate is not part of any major web browser. The EFF has
mainly analyzed the browser-accepted CAs - but they provide the data,
so I could do it myself.

I did some checks on the all_certs table selecting the certificates
from cacert. I found out that there were 143 valid certificates with
512-bit keys. That is completely insecure and breakable by a home
computer today. I also found that the majority of certificates still
have 1024-bit keys, which by today's standards should be considered
harmful - there have been no public breaks yet, but it's expected that
it's possible to build an RSA-1024 cracker for an attacker with enough
money.

I did the following query on the database:

SELECT RSA_Modulus_Bits, count(*) FROM all_certs
  WHERE `Validity:Not After datetime` > '2010-03-08'
    AND ( `Issuer` like '%CAcert.org%' OR `Issuer` like '%cacert.org')
  GROUP BY `RSA_Modulus_Bits` ORDER BY count(*);

+------------------+----------+
| RSA_Modulus_Bits | count(*) |
+------------------+----------+
[...]
| 512              |      143 |
| 4096             |      632 |
| 2048             |     3716 |
| 1024             |     5790 |
+------------------+----------+

Now, what further checks can we do? I checked for the RSA exponent. I
found two certificates in the database with exponent 3. RSA with low
exponent is also considered insecure, although one has to state that
this is not a serious issue. RSA with low exponents is not insecure by
itself, but it can create vulnerabilities in combination with other
issues (if you're interested in details, read my diploma thesis).
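The two checks above (the GROUP BY over key sizes and the search for low public exponents) can be run as one script against an Observatory-style table. The example below is added here and is not code from the post or from the EFF; it uses an in-memory SQLite table instead of the Observatory's MySQL dump, fills it with constructed rows, and assumes a column named RSA_Exponent for the public exponent (the post does not name that column; the other column names are the ones its query uses).

```python
import sqlite3

# Constructed sample rows in the shape of the Observatory's all_certs table.
# Column names "Issuer", "Validity:Not After datetime" and "RSA_Modulus_Bits"
# come from the post's query; "RSA_Exponent" is an assumed column name.
SAMPLE_CERTS = [
    # (issuer, not_after, modulus_bits, public_exponent)
    ("CN=CAcert.org Class 1 PKI", "2012-01-01", 512, 65537),
    ("CN=CAcert.org Class 1 PKI", "2011-09-15", 1024, 65537),
    ("CN=CAcert.org Class 3 PKI", "2013-06-30", 2048, 3),       # low exponent only
    ("CN=CAcert.org Class 3 PKI", "2012-12-31", 4096, 65537),
    ("CN=CAcert.org Class 1 PKI", "2009-01-01", 512, 65537),    # expired: must not count
    ("CN=Some Other CA", "2012-01-01", 512, 65537),             # other issuer: must not count
    ("CN=cacert.org", "2012-05-05", 1024, 3),                   # short modulus and low exponent
]

MIN_ACCEPTABLE_BITS = 2048        # the floor the post recommends for new certificates
MIN_ACCEPTABLE_EXPONENT = 65537   # F4; anything below (e.g. 3) is flagged as a low exponent

ISSUER_FILTER = "(\"Issuer\" LIKE '%CAcert.org%' OR \"Issuer\" LIKE '%cacert.org')"


def load_db(rows=SAMPLE_CERTS):
    """Build an in-memory table with the same column names as the post's query."""
    con = sqlite3.connect(":memory:")
    con.execute(
        'CREATE TABLE all_certs ('
        '"Issuer" TEXT, "Validity:Not After datetime" TEXT, '
        '"RSA_Modulus_Bits" INTEGER, "RSA_Exponent" INTEGER)'
    )
    con.executemany("INSERT INTO all_certs VALUES (?, ?, ?, ?)", rows)
    return con


def key_size_histogram(con, cutoff="2010-03-08"):
    """The post's GROUP BY query: count of still-valid CAcert certs per modulus size."""
    sql = f"""
        SELECT "RSA_Modulus_Bits", count(*) FROM all_certs
        WHERE "Validity:Not After datetime" > ? AND {ISSUER_FILTER}
        GROUP BY "RSA_Modulus_Bits" ORDER BY count(*)
    """
    return {bits: n for bits, n in con.execute(sql, (cutoff,))}


def weak_certs(con, cutoff="2010-03-08", min_bits=MIN_ACCEPTABLE_BITS,
               min_exp=MIN_ACCEPTABLE_EXPONENT):
    """Still-valid CAcert certs a CA should revoke or refuse, with the reason(s)."""
    sql = f"""
        SELECT "Issuer", "RSA_Modulus_Bits", "RSA_Exponent" FROM all_certs
        WHERE "Validity:Not After datetime" > ? AND {ISSUER_FILTER}
          AND ("RSA_Modulus_Bits" < ? OR "RSA_Exponent" < ?)
    """
    findings = []
    for issuer, bits, exp in con.execute(sql, (cutoff, min_bits, min_exp)):
        reasons = []
        if bits < min_bits:
            reasons.append("short modulus")
        if exp < min_exp:
            reasons.append("low exponent")
        findings.append({"issuer": issuer, "bits": bits, "exponent": exp,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = load_db()
    for bits, n in key_size_histogram(db).items():
        print(f"{bits:>5} bit: {n}")
    for f in weak_certs(db):
        print(f"{f['issuer']}: {f['bits']} bit, e={f['exponent']} -> {', '.join(f['reasons'])}")
```

The date filter compares ISO-formatted strings lexically, which is enough for a validity cutoff; on the real dump the `Validity:Not After datetime` column would be compared as a proper datetime. Note that SQLite's LIKE is case-insensitive for ASCII, so the second issuer pattern is redundant there but kept to mirror the post's query.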

I have not checked the CAcert database for the Debian SSL
vulnerability, as that would've been non-trivial. There were scripts
shipped with the SSL Observatory data, but I found them not easy to
use, so I skipped that part. 

My suggestions to cacert were to revoke all certificates with serious
issues (like the 512 bit certificates). Also, I suggested that new
certificates with insecure settings like RSA below 2048 bits or a low
exponent should not be allowed. CAcert did most of this. By now, all
512 bit certificates should be revoked and it is impossible to create
new ones below 1024 bit or with low exponents. It is however still
possible to create 1024 bit certificates, which is due to a limitation
in the client certificate creation script for the Internet Explorer.
They say they're working on this and plan to prevent 1024 bit
certificates in the future. They also told me that they've checked for
the Debian SSL bug.

I reported the issue on the 11th of March and got a reply on the same
day - that's pretty okay. One slight thing still: there was no security
contact with a PGP key listed on the webpage (but I got a PGP-encrypted
contact once I asked for it). That's not good; especially from a
security project, I expect that I can contact them about security
issues with encrypted mail. One can also argue whether four months is a
bit long to fix such an issue, but as it was far from trivial, this can
be excused.

I'd say that I'm quite satisfied with the reactions of CAcert. I always
got fast replies to questions I had, and the issues were resolved in a
proper way. I have other points of criticism on the security of CAcert;
the issue that bothers me most is that they still use SHA-1 and refuse
to switch to a more secure hashing algorithm like SHA-512, although all
major browsers have supported this for a long time.

I want to encourage others to do further tests on CAcert. I'd like to
see CAcert being an authority that does better than the commercial
ones. The database from the observatory is a treasure and should be
used by projects like CAcert to improve their security.


-- 
Hanno Böck		mail/jabber: hanno at hboeck.de
GPG: BBB51E42		http://www.hboeck.de/