Last week and the week before I explained how the cryptographic side of digital certificates and secure web site identity works, as we discuss in in Learning Tree’s System and Network Security Introduction course, but there are continuing problems with corporate trust caused by what many see as misbehavior by root CAs..
ANSSI was discovered in December 2013 to be issuing certificates to their customers that would allow masquerading as any sites on the Internet.
That followed a very similar case from February 2012, when Trustwave had issued a subordinate CA certificate to a customer for use inspecting SSL traffic on their internal networks for DLP or data loss prevention. This brought negative attention and ominous announcements from Mozilla that this likely violated Mozilla’s CA Certificate Policy regardless of the precautions taken by Trustwave. Trustwave announced that they would no longer issue this type of certificate.
A year later, just over a year ago now, on 15 February 2013 Mozilla announced a change to their CA Certificate Policy. They will now require that subordinate CA certificates be constrained through technical measures defined in RFC 5280, or else they must be subject to the same requirements imposed on root CA certificates.
RFC 5280 addresses certification path validation, how you can make an informed trust decision about a certificate that is not already explicitly trusted.
The problem here is that in the existing Internet-wide PKI the browser maintainers are deciding on our behalf which organization deserve trust as our collection of root CAs. That has to do with their reliability as introducers, whether we should take their word for which certificate belongs to which owner.
But when they start issuing sub-CA certificates, that changes the situation radically. Since the sub-CA holders can create arbitrary certificates, all at once we find ourselves obligated to also trust them. Instead of saying “This is who this is”, the issuers of sub-CAs are saying “This is my customer, and you must believe everything my customer tells you.”
That’s not what all of us bargained for.
I’ve seen some criticism of Google’s frequent announcement of Chrome patches. They are announced — quite appropriately, I think — as patches that increase security. Some people have grumbled that Google is using patch announcements as something like a way of getting CERT promote your product. “Don’t forget, Chrome is frequently patched. Use Chrome!”
But I don’t see it that way at all. They are important, security-enhancing patches. Patches that remove trust in certain certificates place significant pressure on the CAs issuing these worrying sub-CA certificates, even more pressure because if Google does something, Mozilla, Apple, Microsoft and others are likely to follow soon.
Well, I’m just fine with that. As someone who likes to be able to trust at least some of what I see on the Internet, this seems like a very good thing.
Next week I’ll go a little further back, to one of the early cases that really got everyone’s attention.