[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Larry Seltzer
larry at larryseltzer.com
Tue Sep 6 16:36:59 PDT 2011
I've never heard of pinning before. There is a proposed IETF spec for a DNS
record to specify an authorized CA:
http://tools.ietf.org/html/draft-hallambaker-donotissue-03
Some big names on it, but I'm not sure it's actually gone anywhere.
LJS
On Mon, Sep 5, 2011 at 7:35 PM, Ian G <iang at iang.org> wrote:
> On 5/09/11 7:23 PM, Gervase Markham wrote:
>
> The thing which makes the entire system as weak as its weakest link is
>> the lack of CA pinning.
>>
>
>
> Just a question of understanding: how is the CA pinning information
> delivered to the browser?
>
> (For those who don't know, I also had to look it up too :) CA pinning is
> where a particular CA is the only one permitted to issue certs for a
> website. I think, it's a very new feature, in some browsers only?)
>
> An HSM or smart card that does anything the PC that it's attached to
>>> tells
>>> it to is only slightly more secure than simply storing the key directly
>>> on
>>> the PC. You need to do more to secure a high-value signing process
>>> than
>>> sprinkling smart card/HSM pixie dust around and declaring victory.
>>>
>>
>> This is true, but I'm not sure it's particularly relevant.
>>
>
> Well, what's relevant is whether the security processes are doing the job.
> Evidence over the last year says no. Why?
>
> What Peter's saying is that there are signs that the processes are weaker
> than they appear. One clue is when they go for expensive solutions rather
> than smart solutions, and declare it done.
>
> (Who claims
>> that HSMs are magic pixie dust?)
>>
>
> CABForum, in BR15.6. "CA must use a HSM" approx.
>
> Monkey-see-monkey-do. Which, amusingly, contradicts most of the rest of
> section 15 :)
>
> Lack of breach disclosure requirements for CAs means that they'll cover
>>> problems up if they can get away with it:
>>>
>>
>> Do you think that remains true?
>>
>
> We don't know. There is no full disclosure mechanism, so we don't know
> what is disclosed and what not. and even when the full disclosure mechanism
> is in place, we'll need 20 or so events to gain confidence in it.
>
> Recall SB1386? It actually didn't do anything until 2 years had passed.
> Then someone paniced. And attitudes shifted...
>
> Comodo didn't cover their problems up,
>>
>
> Have they released the full report of the issue? Has Mozilla?
>
> Or do we just know the headline, and what people have dug up against their
> best wishes?
>
> You saw the chat on mozilla list, another CA declined to report, dressed up
> by lots of buts, ifs, maybes, not-us's and other rantings.
>
> Non-disclosure is certainly in place.
>
> and are still in business. DigiNotar covered theirs up, and are not.
>> Covering up is a massive business gamble, because if anyone finds the
>> certs in the wild (as happened here), you are toast. Particularly given
>> that browsers are deploying more technologies like pinning which makes
>> this sort of attack easier to find, it would be a brave CA who covered a
>> breach up after the lesson we had last week. You'd have to be pretty
>> darn confident any misissued certs didn't get obtained by the attackers
>> - and if they didn't get out, is there actually a problem?
>>
>
>
> What is of current concern is that CAs may now be "disclosing" to the
> vendors. And calling that disclosure.
>
> This is of concern for several reasons: firstly, it likely puts the
> vendors in a very difficult position, even to the point of corrupting them.
> Secondly, it creates a liability-shifting mechanism: the broken CA can now
> point to this as its industry-standard disclosure mechanism (regardless of
> utility and user damages) which reduces its own liability, without a
> commensurate payment; and the vendor now has to take on the risk of suits.
> Thirdly, it's being done in an ad hoc knee jerk fashion, again in secret,
> and there is no particular faith that the parties involved will be able to
> keep their interests of the table.
>
> (For Mozilla alone, private disclosure goes against their principles.)
>
> I'm not denying that disclosure to vendors may help. But I have no faith
> in the risk managers at the other side to analyse that risk.
>
> If you feel that they can do a good job, post their risk analysis.
>
> Right, I thought so, they haven't done one. All vendors are in breach of
> BR. Doesn't auger well does it :)
>
> there's nothing protecting the user. Even the most trivial checks by
>>> browsers would have caught the fake Google wildcard cert that started
>>> all
>>> this.
>>>
>>
>> What sort of "trivial checks" are you suggesting?
>>
>
> Perhaps CA pinning! But in the browser :)
>
>
> Diginotar both passed audits in order to get on the browser gravy train
>>> and
>>> then passed a second level of auditing after the compromise was
>>> discovered.
>>> The auditors somehow missed that fact that the Diginotar site showed a
>>> two-
>>> year history of compromise by multiple hacking groups, something that a
>>> bunch of random commentators on blogs had no problem finding.
>>>
>>
>> I think there are definitely searching questions to ask of DigiNotar's
>> auditors.
>>
>
> :) and, any other CA audited by that organisation. And any CA audited to
> that standard....
>
> And ... wait, all of them! Oops!
>
> Short story -- you won't be able to blame the auditor for this.
>
> Sure, you can embarrass them a lot! But, it's pretty obvious on one
> reading of webtrust that it's a farce. It's also pretty obvious reading BR
> that an audit would not have picked this up.
>
> We could do it ten times over and it's still be the same thing. Audit
> isn't up to solving this problem, it's only up to lifting the basic game of
> low-end CAs to some reasonable best-practices level at the governance side.
>
> (Another sign that the processes aren't doing the job is that CABForum's
> solution is to add more audits. We're up to 4, now, right? WebTrust, BR,
> EV, vendor. Would 5 do it? 6?)
>
>
> available. There is no fallback. Site owners who are concerned about
>>> the
>>> security of their users can't do anything, because the browser vendors
>>> have
>>> chosen to prevent them from employing any other option (I can't, for
>>> example, turn on TLS-PSK or TLS-SRP in my server, because no browsers
>>> support it - it would make the CAs look bad if it were deployed).
>>>
>>
>> Patches welcome? (Or did we reject them already? :-)
>>
>
> Yep, I'm afraid that's the case ;)
>
> It's at the attitude level, not any particular patch. Patches aren't
> welcome. E.g., CA pinning was proposed in the mid-00s and people were told
> to go away. And take their code with them...
>
> I mean, we could be wrong. But who's going to take the chance and spend a
> month on code, or a year, only to be told no? Again? Who's gonna bother to
> fight through the human-shield to get to the coders?
>
> It's up to the vendors, really. We wait and we watch and we groan.
>
>
>
> iang
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/observatory/attachments/20110906/97e47c21/attachment.html>
More information about the Observatory
mailing list