HTTPS should remain genuinely optional on the web

July 20, 2014

I recently ran across Mozilla Bug 1041087 (via HN), which has the sort of harmless sound title of 'Switch generic icon to negative feedback for non-https sites'. Let me translate this to English: 'try to scare users if they're connecting to a non-https site'. For anyone who finds this attractive, let me say it flat out; this is a stupid idea on today's web.

(For the record, I don't think it's very likely that Mozilla will take this wishlist request seriously. I just think that there are people out there who wish that they would.)

I used to be very down on SSL Certificate Authorities, basically considering the whole thing a racket. It remains a racket but in today's environment of pervasive eavesdropping it is now a useful one; one might as well make the work of those eavesdroppers somewhat harder. I would be very enthusiastic for pervasive encryption if we could deploy that across the web.

Unfortunately we can't, exactly because of the SSL CA racket. Today having a SSL certificate means either scaring users and doing things that are terrible for security overall or being beholden to a SSL CA (and often although not always forking over money for this dubious privilege). Never mind the lack of true security due to the core SSL problem, this is not an attractive solution in general. Forcing mandatory HTTPS today means giving far too much power and influence to SSL CAs, often including the ability to turn off your website at their whim or mistake.

You might say that this proposal doesn't force mandatory HTTPS. That's disingenuous. Scaring users of a major browser when they visit a non-HTTPS site is effectively forcing HTTPS for the same reason that scary warnings about self-signed certificates force the use of official CA certificates. Very few websites can afford to scare users.

The time to force people towards HTTPS is when we've solved all of these problems. In other words, when absolutely any website can make itself a certificate and then securely advertise and use that certificate. We are nowhere near this ideal world in today's SSL CA environment (and we may or may not ever get there).

(By the way, I mean really mean any website here, including a hypothetical one run by anonymous people and hosted in some place either that no one likes or that generates a lot of fraud or both. There are a lot of proposals that basically work primarily for people in the West who are willing to be officially identified and can provide money; depart from this and you can find availability going downhill rapidly. Read up on the problems of genuine Nigerian entrepreneurs someday.)

Comments on this page:

By zdw at 2014-07-20 00:36:35:

A partial solution is to run your own CA, and thus controlling everything end to end.

While this isn't a solution that is suitable in most world-facing environments, most of the places that would employ full time IT staff have control of both ends of the connection, and thus this is reasonable. Heck, OCSP and CRL's might even have a valid place in those deployments.

Most business and education environments already manage end user machines (with a variety of light to heavy touches), and adding a "corporate CA" is a fairly normal and easy to implement solution - usually a one line shell script in most Unix environments, or able to be pushed via AD to most Windows systems.

This of course couldn't be extended to the web in general, unless being able to add arbitrary CA roots from trusted organizations (vs ones decided by OS or browser makers) became normal operating procedure, which it currently isn't.

By cks at 2014-07-20 01:05:26:

I actually think that organizational CAs are extremely dangerous today because of the core SSL problem. Sure, your CA is only supposed to be used for internal hosts, but there is nothing that is actually enforcing that. This means that the security of all HTTPS connections made inside the organization is no greater than the security of your organizational CA and I am not really confident about that. How many organizations are going to use well-guarded HSMs, for example?

(I don't think that OCSP protects you in this situation unless you've already gone through a significant amount of CA hardening that strongly ensures that you can only sign certificates that include your OCSP information. If an attacker can gain enough access to sign an OCSP-less certificate, well, they win.)

This also entirely neglects the pragmatic temptation for HTTPS interception of outside secured sites on behalf of your security and antivirus and so on people. I think that having such a loaded gun around is a very bad idea.

By zdw at 2014-07-20 10:33:38:

The loaded gun analogy is a good one - as a tool a CA has both legitimate and illegitimate uses.

To extend the metaphor, a conventional CA is a howitzer, and your little organizational CA shoots rubber bands. The amount of damage done, and advantaged gained by gaining access to a "Everyone on the internet trusts them" CA is huge, whereas taking over even a larger corporate CA has limited value and scope. Attackers are smart - they're going to go for the maximum value targets, not the marginal value ones.

What it comes down to is hardening the CA creation and use process. Some ideas to resist attacks on the CA that would require minimal cost or overhead:

  • Use a secret sharing scheme to prevent a lone/rouge actor from compromising the CA, and for keeping all pass phrases and encryption keys secure.

  • Create the CA root on an air gapped machine or set of disks, using encryption on data at rest.

  • Use a hierarchy of root and intermediate CA certs, where the validity period is fairly short to temporally contain any problems that occur.

I do agree with the temptation of SSL stripping/interception would need to be addressed, but as with running your own CA, that's a policy and process issue rather than a technical one.

By David Magda at 2014-07-20 11:43:59:

Attackers are smart - they're going to go for the maximum value targets, not the marginal value ones.

Except that "maximum value" isn't the same for everyone.

If you're doing industrial espionage, the "maximum value" could be to go after the internal CA of your competitor. In a slightly-related situation, RSA Security's SecurID system was attacked and hacked, and then that was leveraged to get into Lockheed Martin:

Though one could argue that SecurID is like Verisign's CA business, and that if Lockheed Martin had been running an in-house system like Yubikey and a YubiX back-end, that would would be like LM running an in-house CA.

By David Magda at 2014-07-20 12:09:01:

The time to force people towards HTTPS is when we've solved all of these problems. In other words, when absolutely any website can make itself a certificate and then securely advertise and use that certificate.

That is certainly an important feature to have. Technically one solution is DANE: place X.509 certificates into DNS, and make sure it's secured with DNSSEC. One then holds (hopefully securely) the private keys to signing one's DNS domain, and the private key to the TLS cert for the service in question.

This solution is by no means perfect, and the (real and perceived) problems/risks of it are available if you search, but it is a useful hand-wavy example. But it allows one to have secure communications, with a minimal number of third-party dependencies.

But one problem with these no-third-party-at-all solutions is: how do Internet surfers know to trust a site is the actual one they want? I'm speaking specifically of homograph attacks:

So if you go to "www.mybank.com", the letter 'a' could be the proper Latin/ASCII 'a' (U+0061), or it could be the Cyrillic 'a' (U+0430). Though that problem exists even now, as you could register "mybank.com" (with IDN) and get certs for it. That is one of the problems the "Extended Validation" (EV) certificates are trying to solve: not only is the ownership of the domain looked at, but also the legal entity that is registered examined and put into the certificate.

It will be a good thing when anyone (good and bad) can issue certificates so that communications are "secured" from eavesdropping. But knowing that you are securely transferring data is meaningless if you're securely sending it to criminals.

Figuring out the trust issue is an important part of the total solution to getting rid of CAs.

By Aristotle Pagaltzis at 2014-07-20 18:56:57:

Attackers are smart – they’re going to go for the maximum value targets, not the marginal value ones.

https://en.wikipedia.org/wiki/Advanced_persistent_threat

By liam, UNC-CH at 2014-07-23 09:48:15:

Maximum value to them. We can't always know what value an attacker may be seeking. We can be compromised for as simple a reason as someone having been challenged - 'I bet you can't...'; 'I bet I can get n+1 compromised hosts before you...'. It may be revenge motivated.

It's most likely to be a financial value - either directly with compromised banking accounts, or value of data for resale. But it's unwise to assume that because you can't see financial riches in your site that there isn't someone out there wants something that you have.

By ch at 2014-07-30 18:41:39:

One "solution" obviously is DANE. At least in a dream.

Written on 20 July 2014.
« Some consequences of widespread use of OCSP for HTTPS
The CBL has a real false positive problem »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Twitter: @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Sun Jul 20 00:11:42 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.