|
|
Subscribe / Log in / New account

Fallout from the fraudulent SSL certificates

By Jake Edge
March 30, 2011

In last week's edition, we looked into a late-breaking disclosure of some fraudulent SSL certificates that had been issued. Due to problems with certificate revocation, it was necessary for Mozilla, Google, and other browser makers to release updates that blacklisted the certificates in question. Since that article was published, we have learned some more about the incident via postings from some of those involved. An update would seem indicated, along with some ideas of possible ways to deal with these kinds of problems in the future.

An attack from Iran?

Perhaps the most interesting update came from Comodo, which is the certificate authority (CA) that is responsible for the fraudulent certificates. Based on the information Comodo gathered from the attack, it would appear that the attacker was based in Iran. The set of domain names for which fraudulent certificates were issued (mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, and login.live.com) strongly point to a government-sponsored attack. A "regular" criminal attacker would seem more likely to go after certificates for banks and payment sites, but that is circumstantial evidence at best.

Another interesting, if unconfirmed, update is the message from the "Comodo hacker". That message indicates that the Comodo partner (the InstantSSL.it registration authority) had some alarmingly lax security. It also claims that the attack was not sponsored by the "Iranian Cyber Army", and was, instead, just the work of single person. The message contains fairly convincing sounding details of the attack, but there has been speculation that it could have come from the Iranian government as it tries to cover its tracks. We may never know the truth of the matter, as there are interests on all sides with reasons to obfuscate. Authentic or not, the lack of security attributed to the registration authority unfortunately rings true.

Mozilla also followed up its earlier message about the certificates with a recognition that the project should have been more forthcoming. Withholding information about the existence of the fraudulent certificates was really only helpful to the attacker. Knowledge of the certificates would have allowed users to make their own decisions about mitigating the threat posed by a man-in-the-middle (MITM) attack that used them.

Mitigating the risks

MITM attacks are, by their very nature, focused on a small subset of the internet—or a small subset of its users—as the risk of detection rises as a function of the number of users affected. That means that checking certificates from multiple locations in the internet will be quite successful in detecting a local MITM attack. That is exactly what the Perspectives project is working on.

The project provides multiple "network notaries" that are located in different places, both physically and based on internet routing, which monitor the certificates presented by different sites. These notaries store the certificate fingerprint, along with a date and time, so that they have a history of the certificates presented by a given site. When a client wishes to connect to a domain using SSL, it can compare the certificate fingerprint it gets with those stored by several notaries. If they all match, the chances are extremely low that there is some kind of MITM attack going on.

Rather than doing all of that checking manually, though, the project has a Firefox extension that will do that checking, and alert the user if it detects something has gone awry. In addition, the Perspectives extension can override the Firefox error page that comes up for self-signed certificates if it finds that multiple notaries have all recently seen the same certificate.

Obviously, clients must make secure connections to the notaries, so that the attacker can't just spoof their response, so the notary list includes each notary's public key. In addition, notaries could keep track of the responses of other notaries so that malicious notaries could be detected. Each notary would act as a "shadow server" for several other notaries, and clients could check with the shadow server to ensure that the information it received is consistent with what the notary has reported in the past. The shadow server idea is described in the Perspective paper [PDF], but does not seem to be implemented yet. If and when notaries that are not under the control of the project are added, one would imagine that shadow server functionality would be added.

Detecting changed certificates

A simpler mechanism for detecting possible MITM attacks is embodied in the Certificate Patrol Firefox add-on. Essentially, it locally keeps track of which certificate has been seen for a given domain, and alerts the user if that certificate changes. The idea behind it is "trust on first use" (aka TOFU), which means that the first time a valid certificate is seen, it should be trusted. Certificate Patrol (CP) does display the certificate information it receives on first use so that the user can potentially note any red flags. If ever the certificate changes down the road, though, the user will be alerted to that change.

There are plenty of valid reasons why a site might change its certificate, however, so there could be various false positives from CP. When a certificate changes, CP will examine the new certificate and rate the likelihood that it indicates some kind of attack. For example, CP tries to detect certificates that were replaced because they were near to their expiration, and rates that change appropriately. It also tracks the CA used to sign the certificate, as a new certificate from the same CA as the old is less likely to have been issued fraudulently.

One good outcome of the attack

One good thing that resulted from these fraudulent certificates is that folks are thinking and talking about better ways to handle problems like that in the future. Some would claim that the CA model is broken, but we have to have something to replace it before we can even consider dumping it, or reducing its role. Neither Perspectives nor Certificate Patrol are targeted at that particular problem, but may provide reasonable stopgap measures for now.

Toward the end of Jacob Appelbaum's post outlining his detective work in discovering that there were fraudulent SSL certificates floating around "in the wild", he mentions a number of proposals and projects that might offer some alternatives to the current system. We looked at one of those, Monkeysphere, early last year. The others he mentions, DANE, CAA, and HASTLS seem worthy of a look at some point as well. There were already plenty of grumbles about the CA system before this particular incident, but the volume of those complaints is growing, so thinking about alternative solutions is certainly useful.


Index entries for this article
SecurityCertificate Authorities (CAs)
SecuritySecure Sockets Layer (SSL)/Certificates

to post comments

Replacing an expired certificate with a new one

Posted Mar 31, 2011 9:46 UTC (Thu) by epa (subscriber, #39769) [Link] (3 responses)

When a certificate changes, CP will examine the new certificate and rate the likelihood that it indicates some kind of attack. For example, CP tries to detect certificates that were replaced because they were near to their expiration, and rates that change appropriately.
When a certificate is replaced, a keypair certified by the old certificate could be used to sign the new certificate. Then you'd be able to check that the new certificate was issued to the same person, in some sense, as the old certificate. This is an additional check, as well as choosing which CAs to trust.

Replacing an expired certificate with a new one

Posted Mar 31, 2011 13:27 UTC (Thu) by erwbgy (subscriber, #4104) [Link] (2 responses)

I don't see how that would work. Certificates are just signed public keys and if you encrypt something with a public key (a signature is basically an encrypted digest) it can only be decrypted by the corresponding private key. If you sign the new certificate with the old certificate then only someone with the private key would be able to verify the signature and third-parties don't have that.

Or perhaps your proposed scheme doesn't work like that?

Replacing an expired certificate with a new one

Posted Mar 31, 2011 13:43 UTC (Thu) by epa (subscriber, #39769) [Link] (1 responses)

Yes, I'm a bit shaky on the terminology here and I thought somebody might spot that.

So, a certificate is a signed public key. That public key has a corresponding private key. Use the old private key to sign the new certificate. Then somebody who has your old public key (given by the old certificate) can use it to verify the new certificate. Even if the old certificate is expired, you can still use it for the limited task of checking the new one (or better, the cert should have two expiry dates, one for general use, and a longer one just for validating its successor).

This makes sure that whoever has the new keypair, identified by the new certificate, also has the old keypair. In other words it provides some measure of making sure the same person or entity controls the new private key as the old. If, additionally, the old certificate is near or past its expiry date, and the new certificate is signed by one or more CAs that you trust, then you have a reasonable certainty that the new cert is genuine. This is better than relying on CAs alone.

Replacing an expired certificate with a new one

Posted Apr 1, 2011 13:29 UTC (Fri) by knobunc (subscriber, #4678) [Link]

It is a good idea, but it only helps you if you have the old public key. It certainly adds another layer of trust that Certificate Patrol can make use of.

DNSSEC PKI alternative

Posted Mar 31, 2011 15:08 UTC (Thu) by copsewood (subscriber, #199) [Link]

At the moment it seems with HTTPS as currently implemented, the primary trust for most people and purposes is the choice of browser and the trusted CA certs which are packaged by Mozilla or Microsoft. HTTPS validation is a binary 1 or 0, but for identity trust to be useful in some contexts this could more usefully be graduated. I think the PKI which DNSSEC will build may be used in a similar way in practice, but I suspect that for some applications with specific client software, it will also become possible to weight trust anchors based upon registry reputation. So for example, if a future TLD registry called .bank implements much more rigorous checks over subdomains such as lloyds.bank, then financial applications or plugins might indicate and take other actions based upon a higher trust level than over financial organisations within .com where cheaper identity verifications are exercised.

DNSSEC will come with the advantage that domain registrations and rollovers automatically come with a somewhat more flexible certificate allowing for signed and delegated subdomain zones, but not all trust anchors will be inherently equal in security, integrity, reliability or reputation.

Another useful certificate security extention

Posted Mar 31, 2011 18:49 UTC (Thu) by pspinler (subscriber, #2922) [Link] (1 responses)

Another useful certificate security extension is 'Perspectives', available here: http://www.networknotary.org/firefox.html

It compares the certificate received for a https site from different locations on the internet, on the assumption that a man in the middle attack would not be able to hijack all locations. If the received certificate differs at different sites, a flag is raised.

-- Pat

Another useful certificate security extention

Posted Apr 1, 2011 15:21 UTC (Fri) by nix (subscriber, #2304) [Link]

Um, yes. Half the article was talking about it. :)

Fallout from the fraudulent SSL certificates

Posted Apr 3, 2011 0:25 UTC (Sun) by giraffedata (guest, #1954) [Link]

Perspectives perverts the notary metaphor. The function of a notary (aka notary public) is to prevent a signer from repudiating his signature -- claiming later he didn't sign the document. I "acknowledge" my signature on a document to a notary who one way or another knows my identity, and if I later try to say I didn't sign it, testimony of the notary will prove I did.

What Perspective creates is known in legal circles as a "certificate." Yes, in the very same sense that the SSL certificate uses the term. It's a known and trusted agent backing up my own claim to have signed a document.

And that makes me wonder if it wouldn't be simpler just to have multiple independent CAs sign the certificate in the existing cryptographic way. Or, alternatively, to skip the whole cryptographic signing component and just have interactive servers with secure connections certify keys to begin with.


Copyright © 2011, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy