Recently the DigiNotar CA was hacked, and rogue certificates were issued. Since they also issue certificates on behalf of the Dutch government, the government made a statement about it as well, basically claiming: 'don't visit the website if you get a security warning from your browser'. Good advice in itself, and better than DigiNotar itself which claims 'ignoring that warning is 99.9% safe', but it ignores browsers with CA trust stores which have not been updated yet.

Assuming a non-updated browser (trust store), isn't a user vulnerable to Man-In-The-Middle attacks on any website, not just the ones which had a valid DigiNotar certificate? I know you can check the certificate chain on a website, but I never do, and I know for sure my parents never do.

Is SSL-trust really only as strong as the weakest CA, and is there a way to fix that?

Update 2011-09-06: An independent report by Fox-IT on the DigiNotar hack was made public.

beetstra

  • This is closely related to another question: [How feasible is it for a CA to be hacked? Which default trusted root certificates should I remove? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/2268/how-feasible-is-it-for-a-ca-to-be-hacked-which-default-trusted-root-certificate) – nealmcb Sep 04 '11 at 16:18
  • For other SSL MITM attacks, see: [Can a HTTPS connection be compromised because of a rogue DNS server - IT Security](http://security.stackexchange.com/questions/3857/can-a-https-connection-be-compromised-because-of-a-rogue-dns-server) – nealmcb Sep 04 '11 at 16:45
  • I believe the problem is in part the operating system and web browser providing default trusted CAs. Users are unknowingly proxying their trust to those software makers who provide the default CA certificates. Force individual users to make their own decisions about trust. – this.josh Sep 05 '11 at 04:36
  • DigiNotar just made a statement that essentially repudiated their insane 99.9% advice. Amazingly enough, the link appears now to be gone from their site. – Steve Dispensa Sep 06 '11 at 02:34

3 Answers

Concrete case of DigiNotar

For the concrete case, that depends on how deep the vulnerability was:

If the attackers were only able to access a program (web frontend) that signs any SSL server certificate, then only those sites are affected. Proper logging mechanisms would allow them to produce a complete list of all affected domains.

If they got access to the private key, or the program allowed them to create certificates with the CA bit set, then the attacker can create certificates for any site.

General case

For the general case: Yes, the CA model in its current form depends on the trust of the weakest CA.

There are a number of CAs in the default list of the common browsers that are known to have issued bogus certificates for their respective governments in the past (most notably the BlackBerry Interception update in the United Arab Emirates) or got their lawful interception advertisement material leaked (most notably in the United States of America).

As far as I know DigiNotar is the only case in which a complete CA was removed from the browser list. In the other cases only the bogus server or software certificates have been revoked.

Jeff Ferland posted an excellent article on the security blog, A Risk-Based Look at Fixing the Certificate Authority Problem.

Other approaches

Convergence tries to mitigate the issue by recording server certificates from many different angles of the Internet. This assumes that the attacker is relatively close to the victim so that other notaries see the real certificate.

Instead of using a CA to sign server certificates, the certificates could be included in DNS, assuming that DNSSEC is widely adopted, which is not the case yet.

Google hard codes the valid hashes into the source code of their Chrome browser, calling it public key pinning. This approach obviously does not scale; they can only put a limited number of high-traffic sites in there.

Hendrik Brummermann (edited by Peter Mortensen)

  • For the concrete case of DigiNotar: They seem to have had non-updated servers, weak passwords, interconnected certificate servers and a relaxed physical access policy. Reading the report I get the feeling quite some non-security related businesses have better security than this company had. – Jacco Sep 06 '11 at 07:54
  • See this RFC regarding storing certificates in DNS: [DANE for TLS](http://tools.ietf.org/html/draft-ietf-dane-protocol-17) – makerofthings7 Mar 06 '12 at 22:24
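The "weakest CA" point of the question and the public key pinning mitigation mentioned in this answer can both be shown with a small, self-contained PKI built with Go's standard `crypto/x509` package. This is an added example, not code from the question, the answers or any browser; "Good CA", "Weak CA" and the hostname `bank.example` are constructed for the demonstration, and "Weak CA" stands in for a CA whose signing capability has been abused. A browser-style chain check only asks whether *some* trusted root vouches for the leaf, so a certificate for the same host issued by the still-trusted weak CA validates until that CA is removed from the store; a public key pin, which records the hash of the site's own key rather than the issuer, rejects it regardless of the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair (a production CA keeps its key in an HSM).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign has parent (holder of parentKey) issue a certificate from tmpl for pub.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeCA builds a self-signed root certificate for a CA with the given name.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issue has a CA sign a server certificate for host over a fresh server key.
func issue(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	srvKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &srvKey.PublicKey, caKey)
}

// chainValid is the browser's check: the leaf's name matches host and a chain
// from it ends at any root in the trust store. It never asks *which* root.
func chainValid(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin returns the SHA-256 of the SubjectPublicKeyInfo, the value a public
// key pin stores: it identifies the site's key independently of the issuer.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// demo builds the constructed scenario and returns each check's outcome by name.
func demo() map[string]bool {
	host := "bank.example" // constructed hostname
	goodCA, goodKey := makeCA("Good CA")
	weakCA, weakKey := makeCA("Weak CA") // stands in for a compromised CA
	genuine := issue(host, goodCA, goodKey)
	rogue := issue(host, weakCA, weakKey) // issued by the compromised CA

	stale := x509.NewCertPool() // trust store that still contains the weak CA
	stale.AddCert(goodCA)
	stale.AddCert(weakCA)
	updated := x509.NewCertPool() // trust store after the weak CA was removed
	updated.AddCert(goodCA)

	pins := map[string]bool{spkiPin(genuine): true} // pin set shipped with the client

	return map[string]bool{
		"genuine_stale_store": chainValid(genuine, host, stale),
		"rogue_stale_store":   chainValid(rogue, host, stale),
		"rogue_updated_store": chainValid(rogue, host, updated),
		"genuine_pin_match":   pins[spkiPin(genuine)],
		"rogue_pin_match":     pins[spkiPin(rogue)],
	}
}

func main() {
	for name, ok := range demo() {
		fmt.Printf("%-20s %v\n", name, ok)
	}
}
```

Running it prints `rogue_stale_store true`: the rogue certificate passes the chain check for as long as the weak CA sits in the trust store, which is exactly the window an un-updated browser is in. Only the pin check (`rogue_pin_match false`) tells the two certificates apart, and only for sites whose pins the client already carries, which is the scaling limit the answer describes.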

Yes, SSL web browsing is exactly as strong as the weakest CA. DigiNotar could sign any certificate in the world, so in theory, any SSL conversation could be MITM'd.

Furthermore, there are around 1500 certificates that can sign for any site in the world, so there are a lot of places that things could break down.

Validating the chain of trust manually doesn't help, either - two months ago, you'd have seen DigiNotar at the top of the certificate for a website and had no reason to doubt its legitimacy. Besides, the browser will already show a big bad scary page if anything about the certificate doesn't validate. There is, alas, nothing more you can do to check a chain of trust yourself.

Just to be clear, DigiNotar's "99.9%" advice is terrible for end users, and I hope there continue to be severe repercussions for them for having made such a terrible recommendation to an unsuspecting public.

Steve Dispensa

The risk for the average user relates to MITM attacks and falls into two (social) categories: Somebody gets into your session and hijacks your email, bank details, etc. using that to steal your identity, embarrass you, or write newspaper articles. The other social category is when a government does it. Same technical effect, but with more power and the ability to arrest you.

  • SSL trust really is only as strong as the weakest notary.
  • Convergence.io aims to fix that by basing trust on a variety of factors as seen from several different sites.

    • Notaries can record certificate history
    • Notaries will show if somebody performs a MITM attack that is in front but not in front of the server ("fragmented universe").
    • The system is very modular, so it can be set up to thwart just about everything in the end.
    • The degree of increased user knowledge to operate this may make it unhelpful for the average user. Users would need to be trained to actually understand the trust system.
  • DNSSEC aims to fix this by providing only one possible chain for any given domain.

    • This limits the exposure to any notary listing a cert as seen in the current CA system.
    • This means that you have to trust your DNS chain to not lie about your key. We already trust them not to lie about the IP, though.
      • That could be an issue for domains controlled by authoritarian systems. China, much of the Middle East, etc.

For a lot wordier look at the issue, see A Risk-Based Look at Fixing the Certificate Authority Problem.

Jeff Ferland
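The notary comparison that this answer and the earlier one attribute to Convergence (notaries record certificate history and expose a "fragmented universe" where the client sees a certificate no notary sees) can be modeled as a short decision procedure. This is an added illustration, not Convergence's own code or its real consensus algorithm: the quorum rule, the three notary vantage points and the fingerprints `fp-A`, `fp-OLD` and `fp-ROGUE` are all constructed for the example.

```go
package main

import "fmt"

// Observation is one notary's view of a host: the certificate fingerprint it
// sees now and the fingerprints it recorded on earlier visits.
type Observation struct {
	Notary  string
	Current string
	History []string
}

// Verdict is the outcome of comparing the client's view with the notaries'.
// Kind is one of "trusted", "mitm" or "inconclusive".
type Verdict struct {
	Kind   string
	Reason string
}

// assess applies the notary comparison (a constructed rule, not Convergence's):
// the certificate the client received is accepted when at least quorum
// notaries, looking at the server from their own network positions, see the
// same fingerprint. A fingerprint that no notary sees now and none has ever
// recorded is the "fragmented universe" signal: something between the client
// and the server is presenting a different certificate.
func assess(clientSeen string, obs []Observation, quorum int) Verdict {
	agree, everSeen := 0, 0
	for _, o := range obs {
		if o.Current == clientSeen {
			agree++
		}
		for _, h := range o.History {
			if h == clientSeen {
				everSeen++
				break
			}
		}
	}
	switch {
	case agree >= quorum:
		return Verdict{"trusted", fmt.Sprintf("%d of %d notaries see this certificate", agree, len(obs))}
	case agree == 0 && everSeen == 0:
		return Verdict{"mitm", "no notary sees this certificate from its vantage point: likely interception near the client"}
	default:
		// Some notaries, or their history, know the certificate but not enough
		// agree now: a key rotation still propagating looks the same as a
		// partial MITM, so the client cannot decide from notary data alone.
		return Verdict{"inconclusive", fmt.Sprintf("%d of %d notaries agree, %d have seen it before", agree, len(obs), everSeen)}
	}
}

// sampleNotaries returns constructed observations for one host: three vantage
// points that all currently see "fp-A"; two of them also remember "fp-OLD".
func sampleNotaries() []Observation {
	return []Observation{
		{"notary-eu", "fp-A", []string{"fp-OLD", "fp-A"}},
		{"notary-us", "fp-A", []string{"fp-OLD", "fp-A"}},
		{"notary-asia", "fp-A", []string{"fp-A"}},
	}
}

func main() {
	obs := sampleNotaries()
	for _, seen := range []string{"fp-A", "fp-ROGUE", "fp-OLD"} {
		v := assess(seen, obs, 2)
		fmt.Printf("client sees %-9s -> %-12s %s\n", seen, v.Kind, v.Reason)
	}
}
```

The model also shows the limit the answer hints at with "in front of the server": if the interception sits between the server and the whole Internet, every notary sees the rogue certificate too, and the comparison returns "trusted" just as it would for a legitimate key change. Notary history narrows that gap but cannot close it.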