[SSL Observatory] SSL CA compromise in the wild

Jacob Appelbaum jacob at appelbaum.net
Wed Mar 23 16:41:36 PDT 2011


On 03/23/2011 04:32 PM, Chris Palmer wrote:
> On 03/23/2011 04:02 PM, Jacob Appelbaum wrote:
> 
>> The Browser Vendors are afraid that people will simply jump ship to a
>> browser that "works" out of the box. Removal of a root will supposedly
>> decrease browser share and so browser vendors refuse to remove roots
>> unless absolutely forced.
> 
> We can use the Observatory to measure the cost of un-trusting a CA (root
> or intermediate). Some of the 1,400+ signers have never signed anything,
> or signed one thing once, and so on. (My favorite example is the DHS'
> CA, which has signed one site that says "This site is going away soon.")
> In fact, the distribution is highly polarized: very few CAs sign almost
> all the in-use HTTPS certificates; most CAs sign very few certificates.

Right. I made that argument with the observatory data in the bug report
that I filed with Mozilla. I don't know where they get their numbers or
how they make that internal decision.

> 
> If we can bring real numbers to browser vendors, they might respond.

Perhaps. I think the incentives are all wrong.

> 
> Unfortunately, the USERTRUST CA that was compromised is one of the CAs
> that is Too Big To Fail. Nasko Oskov had a blog post a while back about
> how he manually reduced Firefox' CA certificate list to the few big ones.

I don't agree that they're Too Big To Fail.

If someone produced a secret key, what then? Too big to fail? Is that
really the best we can do? I'm not so sure.

> 
> http://netsekure.org/2010/05/results-after-30-days-of-almost-no-trusted-cas/
> 

Andrew did that on the Tor blog as well:
https://blog.torproject.org/blog/life-without-ca

>>> Inconvenient and annoying? Likely. But so is a 0300 knock and potato
>>> bagged escort out of your home in Tehran, Iran.. -Ali
> 
> Apparently some people in Syria were inconvenienced today when they
> tried to use Facebook.
> 

Could you share a little more about this with the list?

All the best,
Jacob
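The "cost of un-trusting a CA" measurement Chris describes above, as an added worked example (not code from the Observatory project or from anyone on this thread): each observed host is paired with the chain of signers from its issuing intermediate up to the root, so a root's removal cost includes every host under its intermediates, and roots that appear in no chain show up as zero-cost removals. The hostnames, CA names and trust store are constructed, not real Observatory data.

```python
from collections import defaultdict

# Constructed sample, not Observatory data: (hostname, chain from the leaf's
# signer up to the trusted root). Hostnames and CA names are made up.
SAMPLE_CERTS = [
    ("www.example.com",    ["BigCA Server CA", "BigCA Root"]),
    ("mail.example.com",   ["BigCA Server CA", "BigCA Root"]),
    ("shop.example.org",   ["BigCA EV CA", "BigCA Root"]),
    ("login.example.net",  ["BigCA Server CA", "BigCA Root"]),
    ("portal.example.edu", ["MidCA Issuing CA", "MidCA Root"]),
    ("old.example.gov",    ["DHS CA"]),  # one site, signed by the root directly
]

# Constructed trust store: roots a browser ships, including one that never signed.
TRUST_STORE = ["BigCA Root", "MidCA Root", "DHS CA", "Idle Root"]

def hosts_per_signer(certs):
    """Map each signer (root or intermediate) to the set of hosts whose chain
    it appears in. A root inherits every host under its intermediates, so
    un-trusting a root costs at least as much as un-trusting any one child."""
    hosts = defaultdict(set)
    for host, chain in certs:
        for signer in chain:
            hosts[signer].add(host)
    return hosts

def untrust_cost(signer, certs):
    """Number of observed hosts that would break if `signer` were removed."""
    return len(hosts_per_signer(certs).get(signer, set()))

def idle_signers(trust_store, certs):
    """Roots in the store that appear in no observed chain: zero-cost removals."""
    seen = hosts_per_signer(certs)
    return sorted(r for r in trust_store if r not in seen)

def coverage_ranking(trust_store, certs):
    """Roots sorted by cost (highest first) with the cumulative share of all
    hosts they cover; a few roots reaching almost 1.0 is the polarization."""
    seen = hosts_per_signer(certs)
    total = len({h for h, _ in certs})
    ranked = sorted(trust_store, key=lambda r: (-len(seen.get(r, ())), r))
    covered, rows = set(), []
    for r in ranked:
        covered |= seen.get(r, set())
        rows.append((r, len(seen.get(r, ())), round(len(covered) / total, 2)))
    return rows
```

Running the same functions over real Observatory chains instead of the constructed list gives the per-root numbers the thread says browser vendors would need.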