CA and Browser Trust Models Need Overhaul, Experts Say

The cryptographic underpinnings of the Internet, as presently constituted, are messy, chaotic and rather randomly constructed. And that infrastructure is not only ripe for a variety of attacks, but is not easily fixable, a group of experts said Friday.

The cryptographic underpinnings of the Internet, as presently constituted, are messy, chaotic and rather randomly constructed. And that infrastructure is not only ripe for a variety of attacks, but is not easily fixable, a group of experts said Friday.

At a forum on browser security sponsored by a Washington policy think tank, a group of technologists and policy experts from industry and government outlined the serious architectural and implementation problems with SSL, the certificate authority infrastructure and the way that browsers handle certificates. It was not a pretty picture. The problems extend from the way that CAs issue certificates to how certificates are handled by the major browsers to the way that attackers are able to take advantage of the weaknesses throughout the system.

One of the key problems that many of the speakers focused on is that the ecosystem of CAs, who issue the digital certificates used by Web sites to assert their identity and help secure traffic to and from their servers, is inherently flawed. The CAs all issue certificates that have essentially the same value, regardless of how–or if–they check up on the sites applying for the certificates and there’s no way for consumers to differentiate among them and know whether one is better than another.

“As soon as one CA lowers its price, the others are pushed economically to that path and the end users can’t tell the difference between certificates,” said Stephen Schultze, the associate director of Princeton’s Center for Information Technology Policy. “The browsers and OS makers don’t drop CAs from their lists for bad behavior.”

The CAs know this, of course, and have almost no incentive to spend money to research the companies they issue certificates to or the third parties that issue certificates on their behalf. And because the CA ecosystem is so intertwined, one lax or malicious CA can cause far-reaching problems for site owners and users alike.

“It only takes one CA to have signed an attacker’s certificate, and then it will work. The practices of the best CA don’t matter very much,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, one of the panelists at the event, The Emerging Threats to Online Trust, put on by the New America Foundation and the CITP. “What matters is that there’s one that’s malicious or merely make a mistake. We only have the security that’s as good as the worst certificate authority.”

The problems with CAs and the way that browsers handle and trust certificates are not new. Experts have been warning about these issues for more than a decade and there have been a number of practical attacks developed that allow people to forge legitimate certificates or create valid wildcard certificates. But many of the problems are architectural ones that have proven difficult to fix without a major overhaul of the entire system.

And while cryptographers and other security experts have been discussing the problems with CAs and browser trust models for some time, they tend to be overshadowed by more immediate, higher profile problems such as malware attacks or bugs in major software applications. But some experts think that tide may turn relatively soon.

“The pressure on transport security might increase very rapidly, and very soon,” said Adam Langley, a senior software engineer at Google. He said that as major vendors continue to improve their software development practices and root out more vulnerabilities, the problems with transport security will become more prominent and draw the attention of users and policymakers.

“As a browser vendor, we have to consider the browser ecosystem as a whole. More than half of users are still using Windows XP and Internet Explorer, so if we come up with some great idea and Microsoft puts it in the next release, I’ll be retired by the time 50 percent of users have it,” Langley said. “We still have to deal with a lot of sites that don’t implement the latest version of things because they don’t have to, because everything works fine.”

Thought this seems like mainly a technology problem, it’s not something that’s gone unnoticed at the highest levels of government. Andrew McLaughlin, the deputy CTO at the White House, said that there are a number of problems that can be addressed through more prudent use of available technology, including DNSSEC.

“We now for ths first time have a single globally rooted PKI in DNSSEC, and very soon I think mass adoption up and down the Internet ecosystem,” McLaughlin said. “What’s interesting is when you have a single rooted cryptographic infrastructure, you could use that for other things than just names and number resolution. You could in fact deliver keys to users to associate with their domain names”

But, as McLaughlin pointed out, the problem is a thorny one, given the globally distributed nature of the DNS and CA systems.

“This is the classic Internet policy problem,” he said.

Suggested articles