Another demonstration of SSL Certification Authority (in)competence

December 23, 2009

Every so often, another SSL CA provides a demonstration that they are run by baboons, and not very smart ones at that. Past demonstrations have involved security, or the lack of it; the current one involves terrible business practices, which is arguably worse (at least in terms of how large a failure it is).

Put simply, the current root CA certificate for ipsCA expires on December 29th. This will orphan and invalidate all SSL certificates signed (directly or indirectly) with it, which is almost all of the certificates that ipsCA has sold.

(Full proper SSL certificate validation requires not just that the direct certificate be within its valid time range but that all certificates in the certificate chain are valid. We may be about to find out which programs do full proper cert validation, and which ones take shortcuts.)

While ipsCA has a new root CA certificate (and is re-signing their SSL certificates with it), it doesn't do them much good; it's currently included in exactly one program, that being IE 8. Their current official statement is remarkably non-informative about other browsers, IMAP mail clients, and so on. This lack of broad inclusion effectively renders their root certificate and any SSL certificate signed by it useless, since the only real reason to pay a CA for an SSL cert is to avoid your users getting a scary warning, and to avoid that the CA's root cert has to be included in whatever program your users are using.
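To make the two points above concrete (full chain validation versus leaf-only shortcuts, and a re-signed certificate being useless when the new root is not in the client's trust store), here is a small added Python example. It is not code from this post and does not use any real ipsCA certificate data: certificates are modelled as plain records with subject, issuer and validity window, and the names, dates and trust-store contents are constructed for illustration. The only details taken from the post are that the old root expires on December 29th and that the new root's 'Not Before' date is in September.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def dt(year, month, day, hour=0, minute=0, second=0):
    """Small helper for building UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=UTC)


@dataclass(frozen=True)
class Cert:
    """A stripped-down certificate: only the fields the validity check needs."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, at):
        return self.not_before <= at <= self.not_after


def leaf_only_check(chain, at):
    """The shortcut: only the server's own certificate is examined."""
    return chain[0].valid_at(at)


def full_chain_check(chain, trust_store, at):
    """Full validation of a chain ordered from the server's certificate up to the root.

    Every certificate must be inside its validity window at time `at`, each
    must be issued by the next one in the chain, the chain must end in a
    self-signed root, and that root must be present in the client's trust
    store. Returns (ok, reason) so the failing link can be reported.
    """
    for i, cert in enumerate(chain):
        if not cert.valid_at(at):
            return False, f"{cert.subject} is outside its validity window"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject} is not issued by {chain[i + 1].subject}"
    root = chain[-1]
    if root.issuer != root.subject:
        return False, f"chain does not end in a self-signed root ({root.subject})"
    if trust_store.get(root.subject) != root:
        return False, f"root {root.subject} is not in the trust store"
    return True, "chain valid"


# Constructed sample data (hypothetical names and dates, not real certificates).
# The old root expires on December 29th; the new root was generated in September.
OLD_ROOT = Cert("ipsCA old root", "ipsCA old root", dt(1999, 1, 1), dt(2009, 12, 29, 23, 59, 59))
NEW_ROOT = Cert("ipsCA new root", "ipsCA new root", dt(2009, 9, 1), dt(2029, 9, 1))
LEAF_OLD = Cert("www.example.com", "ipsCA old root", dt(2009, 6, 1), dt(2010, 6, 1))
LEAF_NEW = Cert("www.example.com", "ipsCA new root", dt(2009, 12, 20), dt(2010, 6, 1))

OLD_CHAIN = [LEAF_OLD, OLD_ROOT]   # what ipsCA's customers have been serving
NEW_CHAIN = [LEAF_NEW, NEW_ROOT]   # the re-signed certificate with the new root

# Constructed trust stores: a typical client only knows the old root;
# a client that has picked up the new root knows both.
TYPICAL_CLIENT = {OLD_ROOT.subject: OLD_ROOT}
UPDATED_CLIENT = {OLD_ROOT.subject: OLD_ROOT, NEW_ROOT.subject: NEW_ROOT}


if __name__ == "__main__":
    after_expiry = dt(2010, 1, 5)
    print("leaf-only, old chain after root expiry:", leaf_only_check(OLD_CHAIN, after_expiry))
    print("full check, old chain after root expiry:", full_chain_check(OLD_CHAIN, TYPICAL_CLIENT, after_expiry))
    print("full check, new chain, typical client:", full_chain_check(NEW_CHAIN, TYPICAL_CLIENT, after_expiry))
    print("full check, new chain, updated client:", full_chain_check(NEW_CHAIN, UPDATED_CLIENT, after_expiry))
```

Run as a script it shows the four cases side by side: a leaf-only check still accepts the old chain after December 29th, a full check rejects it because the root itself is outside its window, and the re-signed chain is rejected by any client whose trust store lacks the new root, regardless of how fresh the server's certificate is.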

Let me repeat that in different words: having your root CA certificate included in as many programs as possible is a CA's real job. Thus, ipsCA failed to do the only thing that is essential for them to make money (and are about to experience the very harsh downside of the SSL business model), despite basically sitting on a license to print money, which is what a root certificate is.

One reason that ipsCA's new root cert is in so few programs may be because it appears to only have been generated this September (judging from its 'Not Before' date). From what I understand, getting your root certificate included in programs is a very slow process, and even once this happens there is the small issue of getting users to actually update to the new versions of all of these things. Leaving it to four months before your old certificate expires is simply not workable.

The larger lesson I draw from this is a reinforcement of my extremely cynical view of CA competence, since ipsCA fell down on this despite having practically the best motivation possible. If I can't count on CAs to merely preserve their ability to make money, what can I count on them to do?

(Obligatory attribution: I learned of this issue today from Bob Plankers, via Planet Sysadmin.)

Written on 23 December 2009.

Last modified: Wed Dec 23 00:32:22 2009