Tuesday, August 30, 2011

Global CA infrastructure reminds us again it's broken

via an attack using a fraudulent SSL certificate apparently targeted at users in Iran.

Google statement here: http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

EFF here: https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Apparently the Google Chrome browser detected the bad certificate out of the box, and Mozilla Firefox and Microsoft IE moved rapidly to revoke the root cert of the issuing CA. Thanks are due to an observant Google Chrome user who first noticed and reported the certificate warning. The browser community moved rapidly to address this problem, which is good. Reporting and action channels for problems are clearly improving and indicate a focus on this issue at the major vendors.

Some points I draw from this:

Good reaction is required, but proactivity (as seen with Google Chrome) is critically important in making the global CA infrastructure stronger and more resilient.

Google's pinning worked in this case, but I agree with this Hacker News discussion: that pinning is needed, and works, only emphasizes that the CA infrastructure is broken. I'm not sure we can find a "golden band-aid" to address how broken it is. It's ironic, or not, I suppose, that browser technology is needed to identify weaknesses in the security infrastructure used to protect browser activities. Browsers as the early-warning systems for CA compromise. Browser updates as the new revocation system.
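The distinction above between trust-store validation and pinning, as an added example that is not code from the original post or from any browser: a chain that validates to a still-trusted root passes the trust-store check, but fails the pin check when no certificate in it carries a pinned public key. Certificate names and key bytes are constructed placeholders, and signature checking is assumed done elsewhere.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo; constructed placeholder bytes here, not real keys


def spki_pin(cert):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def chain_trusted(chain, trusted_roots):
    """Simplified trust-store walk: each issuer must be the next cert's subject,
    and the final issuer must be a root the client trusts (signatures and
    validity periods are assumed verified elsewhere)."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


def pin_valid(chain, pins):
    """Pinning passes if ANY cert in the chain carries a pinned public key."""
    return any(spki_pin(c) in pins for c in chain)


def accept(chain, trusted_roots, pins):
    # Both checks must pass: pinning rejects a mis-issued chain the trust store alone accepts.
    return chain_trusted(chain, trusted_roots) and pin_valid(chain, pins)


# Constructed sample data (illustrative names, not real certificates or keys).
GOOD_CA = Cert("Example Google CA", "Example Root A", b"constructed-spki-google-ca")
LEGIT_CHAIN = [Cert("www.google.com", "Example Google CA", b"constructed-spki-google-leaf"), GOOD_CA]
FRAUD_CHAIN = [Cert("*.google.com", "Example Rogue CA", b"constructed-spki-rogue-leaf"),
               Cert("Example Rogue CA", "Example Rogue Root", b"constructed-spki-rogue-ca")]
TRUSTED_ROOTS = {"Example Root A", "Example Rogue Root"}  # rogue root still trusted pre-revocation
GOOGLE_PINS = {spki_pin(GOOD_CA)}

if __name__ == "__main__":
    print("legit chain accepted:", accept(LEGIT_CHAIN, TRUSTED_ROOTS, GOOGLE_PINS))
    print("fraud chain, trust store only:", chain_trusted(FRAUD_CHAIN, TRUSTED_ROOTS))
    print("fraud chain, with pinning:", accept(FRAUD_CHAIN, TRUSTED_ROOTS, GOOGLE_PINS))
    # Browser update as revocation: drop the rogue root and the trust-store check fails too.
    print("fraud chain after root removed:", chain_trusted(FRAUD_CHAIN, TRUSTED_ROOTS - {"Example Rogue Root"}))
```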

I think the goals the EFF has with its SSL Observatory are important and I think the work they are doing in general in this area is really valuable.

I guess I'd better start learning more about Convergence: http://convergence.io/

* UPDATE: For the reader interested in an advanced analysis, this from Dan Kaminsky: http://dankaminsky.com/2011/08/31/notnotar/

Here is a related risk analysis: http://security.blogoverflow.com/2011/08/31/a-risk-based-look-at-fixing-the-certificate-authority-problem/

Further update: two informative posts from Tor:
and: https://blog.torproject.org/blog/diginotar-damage-disclosure

You know you have a broken system when well-meaning people provide their own best-effort solutions:
