I think we should just pull the rug out. Site operators need to be more aware of which CAs they're using, and need to feel some of the pain from the failure if they're going to shop for CAs based on anything except price.
The behavior of consumers in the certificate marketplace is part of the systemic problem: nobody cares very much about their CA, as long as it causes the little padlock to display correctly (and, more importantly, for warnings to not display) in users' browsers. That's it; beyond that it's a race to the bottom on price.
If a few CAs went down in flames and in doing so created a nasty firedrill for all their customers (which, on the scale of firedrills, getting new certs issued really shouldn't be that big of a deal, compared to a zero-day vulnerability in some piece of the server stack, which happens fairly regularly), suddenly there might be an interest in acquiring certificates from somewhere other than the cheapest-possible source.
Site operators need to be more aware of which CAs they're using
How? I've got no way to judge the security / responsibility of any CA. The amount of money that they charge may have no relation to their behaviour. I don't think anyone has claimed that the CAs who issued wrong certs were charging less than their competitors. You can't blame the CA customers for this.
One sign is that if Symantec has issued rogue certificates, and Google publishes the problem, then it's time to leave.
Of course, the CA would then be incentivized to publish their procedures and show how they intend to fix the breach, which shouldn't have happened in the first place, to regain customer's trust. Or go bankrupt. Let me tell you they wouldn't let their employees do mistakes.
Customers who stay, in the situation that it is discovered that Symantec issues another rogue cert, which causes Mozilla to completely revoke Symantec, can later sue Symantec for harming their business by not applying their public procedures. And here's how the economy gets rid of bad actors. The rule is much tougher for cloud machine providers (EC2 and DO): Should they lose one customers' data, everyone would leave them and go bankrupt, that's why they don't.
In parallel, losing a CA doesn't harm the customers very much, even for amazon.com. They can buy a new certificate in a matter of hours. bzbarsky even says it's commonplace to have the certificates signed by 2 CAs.
Absolutely agree. Pulling the rug is a powerful incentive both for the customers and the CAs. Customers will have to consider the likelihood the CA will be revoked due to poor security practices, CAs will have to show that they're not rubbish.
That's a chicken-and-egg problem, but it would be solved when there's suddenly a lot of site operators with a vested interest in knowing which CAs are likely to fail and which aren't. Right now there's not a ton of interest. CAs are basically selling a fungible, commodity product, so you just buy from the cheapest ones. Searching for "best SSL certificates" thus gets you a lot of articles reviewing CAs, but largely on the basis of stuff like price and ease of issuance. Because that's what people care about.
There would be a slew of reviews of CAs, judging their perceived odds of vanishing in a puff of paperwork, if there was an interest in issuer stability. CAs themselves could probably offer value-added features like guarantees backed by outside parties (i.e. an insurance product) that would pay costs associated with certificate reissuance in the event of malfeasance or incompetence on the part of the CA.
The market would provide, but there has to be demand. Right now there's no demand, because the consequences of getting a cert from a crap issuer has, historically, been approximately zero.
Very often, marketing material and the language used for for that is a good indicator on whether a particular service knows their stuff, or if they appear to peddle fluff... :)
How CAs respond to issues on these mailing lists and in bugzilla is also pretty telling.
In this particular case, there's been concerns raised for several days. An extra vigilant web site operator who sees these discussions might perhaps come to the conclusion that it would be wise to evaluate switching CAs today, perhaps.
Very often, marketing material and the language used for for that is a good indicator on whether a particular service knows their stuff, or if they appear to peddle fluff... :)
We're all doomed then! Asides from LetsEncrypt, most CA web pages are full of marketing fluff :)
I've just been reading through the mailing list discussion, and from that I agree with you completely, WoSign looks pretty incompetent in their responses. If I had a WoSign certificate, I'd definitely be looking around to get an alternative now. However, that's a bit late for 'people power' to force CAs to act better.
You could say the same about your bank - even though you don't really know how they invest your deposit money, you try and gain an intuition based on other factors (stock price, professionalism, reputation, prestige, etc). Not saying these factors -> a good analysis of the creditworthiness of a financial institution but you get the idea.
> Site operators need to be more aware of which CAs they're using, and need to feel some of the pain from the failure if they're going to shop for CAs based on anything except price.
Why? CAs just operate as a tax on sites. Having a certificate doesn't buy a site much; it's typically more for the _users'_ convenience, since they are the ones relying on the CA.
Really, users should pay CAs (probably indirectly), and CAs should issue certs for free. But I doubt that'll ever happen.
For commercial sites, the users are paying indirectly - since the cost of CA would be surely rolled into the maintenance costs, which are surely part of the price of whatever the site is selling.
A viable solution to big CAs is to have all sites have their certs cross-signed by at least two different CAs. Then any single CA can be revoked without affecting any sites at all.
Note that this is also how a new CA is bootstrapped: initially the certs it issues are cross-signed by some existing CA so they work even in UAs that don't have the new CA in their trust root.
The obvious drawback is that now sites need certs signed by two CAs, and getting them to use even one CA is hard enough...
I was thinking the same thing. Assuming it's technically feasible I don't see this as being a huge problem. If your site is important enough that you can't have any downtime due to a CA revocation then you spend the extra time/money up front to get get cross-signed certs. If you don't care, then you just fix the problem when it comes up. If CAs start getting revoked more often then this will just become standard practice.
The solution for big banks is the orderly failure. Things like bail-in, where a bank is required to be able to go through a flash chapter-11 process over a week end. Or the "living will", basically the bank preparing a contingency plan in advance if it needs to wind down its activity.
In the CA world, I would assume this would require a standard protocol across CA to request, renew and transfer certificates from CA providers automatically. A sort of commercial version of the ACME protocol. But that requires lots of infrastructure change not just on the CA side, all servers would have to be updated.
This is long overdue anyway. It is currently way too complex to request, install and keep updated a certificate. And there isn't enough competition in this market.
Transferring certificates from an untrustworthy CA makes no sense. Burn the certificates. Websites should just obtain brand new ones from a different CA. If you are running a website that's important to you, this should be at most a one hour operation (or, if politics and procedures delay you in obtaining a new cert, maybe you should have planned ahead and kept two different certificates on hand already)
By transferring I meant re-issuing automatically a new certificate, not keeping the signature. Of course this requires to re-authenticate the request. And that process has to be automated. A bit like the renewal of the certificate should also be automated.
No, existing certificates should not be reissued. We can't trust that they were issued to the rightful owner originally by the failed CA. Clients should request new certificates and validate their ownership from scratch.
Getting a certificate is an hour's work tops if you are doing the csr dance manually. If you use ACME and letsencrypt it's done in seconds.
EV certificates are more work but if this matters to you then perhaps you should source multiple certificates to begin with, or act quickly when a CA is dropped (I'm sure browser vendors will give at least a few days notice)
Edit: Maybe I misunderstood you. If you just meant that software in general should offer requesting certificates from any provider, then sure, why not just use ACME. CertBot appears to be designed with multiple providers in mind. But this doesn't really have much to do specificially with the case of CAs being dropped from the root. (At first I got the impression you wanted other CAs to "bail out" certificates from the revoked CA)
The validation requirements for 'Extended Validation' certificates can be onerous - complete with in-person ID checks, and photocopies of passports and driving licenses signed by public notaries. I'm not sure automated transfers would be possible.
I suppose you could downgrade on automatic transfer. I've heard people question the value of EV certs, and certainly a working DV cert is better than a revoked EV cert. Or you could insist every EV cert applicant verify their identity with two different CAs.
The certificate system - like the federal reserve - doesn't just fail us in these specifics, but is generally incompatible with the underlying philosophies of distributed technology.
One is to reengineer the CA trust system to delegate limited authority to CAs (e.g. there is no good reason for a CA in the US to be able to sign certificates with Chinese TLD CNs, and vice versa).
The second is to build out the Certificate Transparency project to the point where the revocation of trust due to a mis-issued certificate is immediate, widespread, and automatic.
(e.g. there is no good reason for a CA in the US to be able to sign certificates with Chinese TLD CNs, and vice versa).
Sure there is. If you have a .cn domain but don't trust Chinese companies not to MITM your site, you can get a cert from a foreign CA and then pin it using the HSTS preload list.
That way, even if the registry hijacks the domain and sends people to a server with a valid (but fraudulent) cert, you're still protected by the pin.
But why not do both? It's unreasonable that there is a mountain of CAs out there that never sign certs for .us but they still have the capability to do so. The more CAs that can sign a cert for my domain, the more chances that someone screws up. At the very least I agree with limiting CAs to a subset of TLDs for protection from hypothetical things like the Turkish government demanding that a Turkish CA signs a cert for facebook.com. If it was a countrywide attack pinning the valid cert wouldn't be very effective if the browser has never been to your site before.
Because then you're stuck using that country's CAs, and so you can't pin the root or intermediate certs without giving them the keys. You could pin your cert, but that has other disadvantages.
> The second is to build out the Certificate Transparency project to the point where the revocation of trust due to a mis-issued certificate is immediate, widespread, and automatic.
I'd love to hear more about this. How would it work?
Lets Encrypt gets a lot of flack because their certs need to renew every three months. I can't imagine why bad actors wouldn't immediately try to swamp any system of revocation with requests.
Imagine a new flag for certificates issued by CAs that support CT, indicating that the domain owner (e.g. github.com) intends to continue to only use CT-capable authorities.
Any certificate issued for e.g. github.com by any other CA immediately become evidence of malicious conduct attributable directly to that CA, and grounds for automated revocation of trust.
I'm not sure what the lifetime of Let's Encrypt certs has to do with this. I'm also not certain how the bad actors would exploit this process, can you explain?
Chrome is experimenting with something called Expect-CT[1], which allows site operators to indicate that only certificates with valid SCTs should be trusted. The implementation is quite similar to HSTS. It's report-only for now, but will probably evolve to something like Require-CT (i.e. CT enforcement) in the future.
Sounds like the right way to go. Thanks for the pointer.
As these things develop and become increasingly security-critical parts of the protocol, it would be nice if programs like libcurl and other HTTP client libraries gained support for them.
You need the CA to either have been cooperating with CT all along, or have kept a copy of all the certs it ever issued, neither of which an incompetent CA is likely to have done.
But Google did require them to use CT for all new certificates, which I think they are enforcing by assuming Symantec won't lie about the issuance date of new certs.
You may not be able to immediately spot a bad CA, but the more major CAs buy in to CT, the easier it is to spot fraudulent certs through fingerprint reporting. SSL clients can then choose to have a side-channel trust revocation mechanism. Once adoption snowballs, the overall level of trust in the system will rise.
The other problem is that CAs need to be regionally confined in which TLD CNs they can issue certs for.
There are some good arguments in both directions on that thread. I do happen to like the world in which, say, Let's Encrypt is capable of issuing for any TLD. If we don't think WoSign is good enough for signing .com, we probably shouldn't be exposing .cn users to those attacks, either.
I find the arguments from "it's wrong to recognize borders on the Internet" a bit naive, or impractical. The borders recognize us, and state-sponsored attacks will continue, and have very far-reaching implications. We need better tools to fight them, including this one.
I like the discussion in that thread about how to make the scheme reasonably flexible, though. Thanks for the link.
