CA and Browser Trust Models Need Overhaul, Experts Say

The cryptographic underpinnings of the Internet, as presently constituted, are messy, chaotic and rather randomly constructed. And that infrastructure is not only ripe for a variety of attacks, but is not easily fixable, a group of experts said Friday.

At a forum on browser security sponsored by a Washington policy think tank, a group of technologists and policy experts from industry and government outlined the serious architectural and implementation problems with SSL, the certificate authority infrastructure and the way that browsers handle certificates. It was not a pretty picture. The problems extend from the way that CAs issue certificates to how certificates are handled by the major browsers to the way that attackers are able to take advantage of the weaknesses throughout the system.

One of the key problems that many of the speakers focused on is that the ecosystem of CAs, who issue the digital certificates used by Web sites to assert their identity and help secure traffic to and from their servers, is inherently flawed. The CAs all issue certificates that have essentially the same value, regardless of how–or if–they check up on the sites applying for the certificates and there’s no way for consumers to differentiate among them and know whether one is better than another.

“As soon as one CA lowers its price, the others are pushed economically to that path and the end users can’t tell the difference between certificates,” said Stephen Schultze, the associate director of Princeton’s Center for Information Technology Policy. “The browsers and OS makers don’t drop CAs from their lists for bad behavior.”

The CAs know this, of course, and have almost no incentive to spend money to research the companies they issue certificates to or the third parties that issue certificates on their behalf. And because the CA ecosystem is so intertwined, one lax or malicious CA can cause far-reaching problems for site owners and users alike.

“It only takes one CA to have signed an attacker’s certificate, and then it will work. The practices of the best CA don’t matter very much,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, one of the panelists at the event, The Emerging Threats to Online Trust, put on by the New America Foundation and the CITP. “What matters is that there’s one that’s malicious or merely makes a mistake. We only have the security that’s as good as the worst certificate authority.”

The problems with CAs and the way that browsers handle and trust certificates are not new. Experts have been warning about these issues for more than a decade and there have been a number of practical attacks developed that allow people to forge legitimate certificates or create valid wildcard certificates. But many of the problems are architectural ones that have proven difficult to fix without a major overhaul of the entire system.

And while cryptographers and other security experts have been discussing the problems with CAs and browser trust models for some time, they tend to be overshadowed by more immediate, higher profile problems such as malware attacks or bugs in major software applications. But some experts think that tide may turn relatively soon.

“The pressure on transport security might increase very rapidly, and very soon,” said Adam Langley, a senior software engineer at Google. He said that as major vendors continue to improve their software development practices and root out more vulnerabilities, the problems with transport security will become more prominent and draw the attention of users and policymakers.

“As a browser vendor, we have to consider the browser ecosystem as a whole. More than half of users are still using Windows XP and Internet Explorer, so if we come up with some great idea and Microsoft puts it in the next release, I’ll be retired by the time 50 percent of users have it,” Langley said. “We still have to deal with a lot of sites that don’t implement the latest version of things because they don’t have to, because everything works fine.”

Though this seems like mainly a technology problem, it’s not something that’s gone unnoticed at the highest levels of government. Andrew McLaughlin, the deputy CTO at the White House, said that there are a number of problems that can be addressed through more prudent use of available technology, including DNSSEC.

“We now for the first time have a single globally rooted PKI in DNSSEC, and very soon I think mass adoption up and down the Internet ecosystem,” McLaughlin said. “What’s interesting is when you have a single rooted cryptographic infrastructure, you could use that for other things than just names and number resolution. You could in fact deliver keys to users to associate with their domain names.”

But, as McLaughlin pointed out, the problem is a thorny one, given the globally distributed nature of the DNS and CA systems.

“This is the classic Internet policy problem,” he said.


  • Larry Seltzer on

    Did they go through this conference and actually not mention EV-SSL? This problem is exactly what EV-SSL was designed to address. And users can tell the difference because of the green browser bar.


  • Anonymous on

    I was shocked a number of years ago when discovering that the Certificate Authority 'system' is a free-for-all.  Had assumed that like IANA, there was some 'authorized' top level CA.  Still shaking my head whenever the topic comes up.


    If anyone and everyone can be a CA (as is now effectively the case), then there is no assurance that any certificate is worth a damn.  While the 'big names' do try to vet the identities of certificate requests, there is just too much slack in the system, and too many ways to get a certificate that means nothing.


    Then there's the issue of some CA's not still using MD5 in their hashes, which was well publicized last year.


    The browser situation is a disaster.  IE and Firefox come with way too many CA's preinstalled as trusted.  Way, way, too many.  And most people don't know how to evaluate them.


    Many people don't even understand that all a certificate means (in the best case) is a verification of the identity of the certificate holder was undertaken when issued.  Many people assume that a certificate somehow vouches for the integrity of the holder, which it does not.



    Certificates can be a very effective way to secure communications, if used within a well designed operational protocol.  Unfortunately the common browser/https configuration is not.



  • Anonymous on

    oops: should have reviewed my post before publishing, the sentence:


    "Then there's the issue of some CA's not still using MD5 in their hashes, which was well publicized last year."


    Should say ".. CA's still using MD5...".  The  word "not" was a typo....






  • Phil on

    The article is basically right -- the X.509 model is a hopeless mess. It's basically a license for the CAs to print money. We should jettison it and switch to a decentralized, simple public key system along the lines of SSH and PGP. SSH, in particular, is one of a very few Internet security success stories.

