-7

Why are they certificate authorities? What do they do that ensures the information is 'secure'? I know that they verify if a 'certificate' is from a 'trusted' source but who decides which sources are 'trusted' and which aren't?

UPDATE: The question is not answered by the other question.

Why can you trust Google.com by trusting GeoTrust? A website wants to communicate with you securely. In order to prove its identity and make sure that it is not an attacker, you must have the server's public key. However, you can hardly store all keys from all websites on earth, the database would be huge and updates would have to run every hour!

The solution to this is Certificate Authorities, or CA for short. When you installed your operating system or browser, a list of trusted CAs probably came with it. This list can be modified at will; you can remove whom you don't trust, add others, or even make your own CA (though you will be the only one trusting this CA, so it's not much use for public website). In this CA list, the CA's public key is also stored.

I get the public key/private key aspect. I understand the tech, but I guess I wasn't specific enough. My question was: who chooses the list of trusted CAs? The quote above suggests that you can 'remove whom you don't trust, add others, or even make your own CA...' but it isn't that simple. If you remove GeoTrust you basically can't use any Chromium-based browsers (so almost all of them), YouTube, Gmail, or any other Alphabet company. The quote above also suggests "you can hardly store all keys from all websites on earth, the database would be huge and updates would have to run every hour!" There are 1.5 billion websites; using 4096 bit pub key it's around 715gb worth of keys. Taken from that standpoint it sounds like a rational decision, except only 200 million of those sites are actually active, which amounts to 95gbs worth of keys at 4096 bit encryption. 95gbs is easily manageable in today's world but it's still pretty steep. Do you think any 1 user would ever visit all 200 million active sites? No, it would never happen. An average user visits 10 or so unique websites per day, and most likely won't regularly visit more than a 100 unique websites in a year. If it's 100 unique websites then that's only 0.0000512gbs or 0.0512mbs or 51.2kbs. 100 unique websites might be average but what about the upper end of users, let's say it's 100,000 a year, that's only 0.0512gbs or 51.2mbs or 51200kbs. That is absolutely nothing compared to the 5gigs that Google keeps in a user's local cache. It's absolutely absurd that we are forced to go through these corrupt corporations in order to freely use the internet. If a major website wants to secure its site then it should use its own encryption methods like an adult, not a child that needs to hold daddy's hand when it comes to security. So who decides what CAs are trusted? Why can't a regular user's CA become trusted? I just find it frustrating that so many intelligent tech people are so incredibly naive and gullible.

2 Answers

5

So who decides what CAs are trusted?

The browser and OS vendors do.

Why can't a regular user's CA become trusted?

They can apply to be a public CA, but it is unlikely that the user is able to match all the security guarantees required by the browser/OS vendors for a publicly trusted CA. Even several commercial CAs failed these requirements. But nothing prevents a user from running their own CA and installing it as trusted on the various devices they own.

The quote ... using 4096 bit pub key it's around 715gb worth of keys .... except only 200 million of those sites are actually active which amounts to 95gbs ... An average user visits 10 or so unique websites per day, and most likely won't regularly visit more than a 100 unique websites in a year. If it's 100 unique websites then that's only 0.0000512gbs or 0.0512mbs or 51.2kbs. ....

Your rambling basically assumes that the few certificates that the user needs are somehow propagated to all the browsers which need them. Only you fail to describe how they get securely propagated there. TLS with certificates and a public PKI is exactly how this propagation is done, i.e. build some initial trust with the root CA so that one can trust the certificates issued by these CAs.

If a major website wants to secure its site then it should use its own encryption methods like an adult, not a child that needs to hold daddy's hand when it comes to security. ... I just find it frustrating that so many intelligent tech people are so incredibly naive and gullible.

Yes, it seems to be strange that always all the others are dumb but only oneself is smart.

Steffen Ullrich
  • You're missing the point. 'it is unlikely that the user is able to match all the security guarantees required by the browser/OS vendors for a publicly trusted CA'. 'Security guarantees' mean you use a specific encryption method or system, usually an encryption method/system that they and the government can easily break. I didn't call all the others dumb. Read it again, slower this time. You are proving my point, you are clearly intelligent, but you blindly trust giant corporations and governments that have lied to your face thousands of times. – SpellsOfTruth Jun 27 '19 at 02:59
3

I feel that a technical answer is not really possible here, or would really be accepted (as that is dealt with in the linked answer), but something more esoteric, if not the direct answer to your question, will at least provide interesting reading for some and food for thought for others.

Moxie Marlinspike has long held the belief that the CA trust model is broken. As a quick intro, he started a cryptography company in SF (Whisper Systems), it got bought by Twitter, he left, now is the head of the company that develops Signal, and his encryption protocol is used by all the biggest companies who incorporate messaging systems.

In a blog post from 2011, he puts forward that the trust model is not so trustworthy, citing research from Chris Soghoian alleging that some so-called trustworthy companies (in the blog's example VeriSign) had a special process (CALEA compliance) in place so that if they were so compelled by a government agency, they could quietly release false SSL certificates to facilitate seamless interception of targeted individuals' web-based communications. All very big brother, and whilst Soghoian admits that there was no direct evidence of this activity, there was widespread belief within the information security community that if it wasn't happening yet, it would likely be so in the future due to the ease with which it may happen.

Marlinspike goes on to suggest a possible solution to this problem in his blog post (also linked above). It's pretty interesting, and I encourage giving it a read.

So your question, "How do we know that the Certificate Authorities can be trusted?" - an answer could be: "We don't. We just do because we have no real choice, as if we decided to (personally) stop trusting these CAs none of the sites we want to visit would work."

  • 1
    Regarding the last paragraph: The websites would work, if you would manually trust the leaf certificates. The problem is that you then have no idea if those leaf certificates are legitimate or not. –  Jun 03 '19 at 09:28
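
The two trust decisions discussed in this thread (trusting a root CA, as in the first answer's "run your own CA", versus manually trusting leaf certificates, as in the comment above) can be compared side by side in this added example, which is not part of any of the original posts. It needs the `openssl` command-line tool; the names `example.test` and `Demo Private Root CA` and all file names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a private root CA, a site certificate it signs, and an
# impostor certificate for the same name. All names here are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config so the root is explicitly marked as a CA.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# 1. Root CA (self-signed). Its certificate is what goes into a trust store.
openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -days 30 2>/dev/null
# 2. Genuine site certificate for example.test, signed by that root.
openssl req -new -config demo.cnf -subj "/CN=example.test" -newkey rsa:2048 \
  -nodes -keyout site.key -out site.csr 2>/dev/null
openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out site.pem -days 30 2>/dev/null
# 3. Impostor: self-signed certificate claiming the same name.
openssl req -x509 -config demo.cnf -subj "/CN=example.test" -newkey rsa:2048 \
  -nodes -keyout fake.key -out fake.pem -days 30 2>/dev/null

# Chain validation: does CERT chain to a root found in TRUSTSTORE?
chain_verdict() {  # usage: chain_verdict TRUSTSTORE CERT
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}
# Manual leaf trust: compare against a fingerprint remembered earlier.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
pin_verdict() {  # usage: pin_verdict REMEMBERED_FINGERPRINT CERT
  if [ "$(fingerprint "$2")" = "$1" ]; then echo trusted; else echo rejected; fi
}

echo "root in store,      genuine:  $(chain_verdict ca.pem site.pem)"
echo "root in store,      impostor: $(chain_verdict ca.pem fake.pem)"
echo "store lacks root,   genuine:  $(chain_verdict fake.pem site.pem)"
echo "impostor seen first, impostor: $(pin_verdict "$(fingerprint fake.pem)" fake.pem)"
echo "impostor seen first, genuine:  $(pin_verdict "$(fingerprint fake.pem)" site.pem)"
```

With the root in the store, one stored key separates the genuine certificate from the impostor; with per-site fingerprints, the verdict depends entirely on which certificate happened to be recorded first.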