Tatütata • December 29, 2016 9:42 AM

Incidentally, as long as we are on the subject:

The German Computer Chaos Club (CCC) is currently holding its 33rd annual congress (33C3) in Cologne. (The traditional venue in Hamburg could no longer host the increasing number of visitors).

There is a one-hour long talk by an Austrian CCC member in English titled "Everything you always wanted to know about Certificate Transparency".

There is so much stuff I want to see, and I haven't gotten through this one yet, but I thought it was relevant, as DigiNotar is mentioned in the first minutes.

Tatütata • December 29, 2016 11:58 AM

Oops... 33C3 is apparently held in Hamburg like in the three previous years. I don't know how my confusion came about.

Ulrich Boche • December 29, 2016 2:47 PM

Very interesting article. It references Symantec, which reminds me of the fact that Symantec and VeriSign are both owned by RSA Security. Unfortunately, with all respect, it is not an exaggeration to state that RSA Security is something like an affiliate of the NSA; they have proven that many times. So, it is very likely that the NSA can get a copy appropriate to their purposes for any certificate issued by a company that is owned by RSA Security.

Clive Robinson • December 29, 2016 10:30 PM

Sadly the article does not indicate that the whole notion of a hierarchy of trust is actually unrealistic. Thus the CA model is always going to be subject to the "bad apple" issue and always be vulnerable, thus broken from a real security viewpoint.

I suspect this is because, after thirty-odd years, nobody has come up with a viable trust model that ticks sufficient boxes to be accepted by those that make their salary from the existing cartel.

It's a "human dynamic" that could keep sociologists busy for years.

@ Bruce,

Many years ago you pointed out that whilst basic crypto algorithms had in effect been resolved as an issue, "Key Management" (KeyMan) had not. Nor had there been much in the way of research into finding alternatives since the "Web of Trust" model --which more accurately models human behaviour-- that PGP offered as another way.

Which suggests that KeyMan is going to be a major stumbling block for years to come.

z • December 29, 2016 11:53 PM

The CA system really is the worst of the worst when it comes to failure. It's far worse than a single point of failure; it's many single points of failure. A compromise of any CA your browser trusts is equally and totally devastating. Maybe this wouldn't be bad if it was easy to just un-trust a CA, but you can't. Not without breaking every site that uses that CA.

Imagine building a machine that could fail completely if any one of its thousands of parts fails--from the most complex assembly to the most humble bolt. Worse, you can't actually replace a defective part because they are so baked in that you just have to accept that it's broken and hope for the best, or rip it out and deal with potentially large portions of the machine's functionality no longer working.

A design such as this would be laughed out of any competent engineering design board, but we use something similar to secure the entire internet, including asking people in certain parts of the world to trust their lives to it. It's absurd.

oliver • December 30, 2016 2:24 AM

As long as there are still entities that claim to uphold security as the #1 priority and haven't used certificate pinning yet, nothing good can come from that.
BTW, remind me again why that WoSign fiasco came about just recently? Have we really learned everything from that 2011 DigiNotar disaster?

Other News • December 30, 2016 10:15 AM

@Ulrich Boche

"So, it is very likely that the NSA can get a copy appropriate to their purposes for any certificate issued by a company that is owned by RSA Security."

As opposed to, say, one of the agencies on the A-list?

Tatütata • December 30, 2016 10:52 AM

@Other news:

"As opposed to, say, one of the agencies on the A-list?"

It's not "opposed", as these work for the US TLAs anyway. There is a public enquiry in the Bundestag where the local spooks keep on spewing non-answers to the parliamentarians, when they're not taking the local equivalent of the 5th amendment...

65535 • December 30, 2016 9:23 PM

From slate:

“All told, by the end of the summer, he would go on to issue 531 rogue certificates for domains ranging from and to and (Once you’ve got access to a CA server, issuing rogue certificates for high-value targets like the CIA is no harder than issuing them for sites like AOL.)… the investigators’ best guess was that the keycards for a few computers were left permanently in place. If true, it would have largely defeated the purpose of requiring the keycard insertion—not to mention all those sluiced doors and biometrics and PIN codes—in the first place…some of the certificates it had ostensibly signed were not listed in the company’s logs—indeed, DigiNotar had no records of ever issuing these certificates…No one has ever been caught or charged with the compromise… Within a month, DigiNotar had been taken over by the Dutch government. Not long after that, it declared bankruptcy and dissolved.”- Slate

It makes you wonder if the “insider or hacker” was well known and could not be publicly ID’d without huge ramifications so the company was dismantled and bankrupted.

[Next to certificate notaries]

What happened to certificate notaries like Perspectives? I have clients using the FF plug-in, and the Perspectives plug-in shows bad certificates almost all of the time [false positives?]. Why is this project struggling?


Wael • December 31, 2016 5:06 AM

Yes, nice article. Was hoping to see more on the attribution part. Not sure if everything of that aspect was published.

Since browsers have the ultimate say, wouldn't you think they are the next attractive target through various forms of attacks?


F-Secure has a good article on it.

It's an article that lacks any technical details, short of listing fake certificates for domain names. Seems they pinned it (pun intended) on Iran. Likely the case but not proven.

Clive Robinson • December 31, 2016 6:24 AM

@ Wael,

"Since browsers have the ultimate say, wouldn't you think they are the next attractive target through various forms of attacks?"

It should be the end user having the ultimate say, but that is not the way browser developers see it. They regard themselves as "The keepers of the Kingdom" and have generally made a fairly bad fist of it so far, which has enabled many attacks to happen.

Unfortunately the developers' attitude appears to be based around a power relationship. That is, they decide which root certificates get included, and this gives them a degree of authority they neither deserve nor should wield. Worse, they appear to have made things quite difficult for end users to control and maintain, for reasons the developers chose not to voice, so it is difficult to see them in a good light...

It gets worse when you have browsers on "walled garden" systems such as pads and smart phones; these appear to have quite deliberate features that make everything you do go back to a server controlled by an entity over which you have no control...

Thus at best users are treated with disdain by browser developers and as product by others, just because they can. And few legislators and the attendant judiciary appear to find this either problematic or dubious...

William • December 31, 2016 6:24 AM

The DigiNotar site was based on the DotNetNuke CMS with a lot of unpatched vulnerabilities. The IP address of this site can be found in the detailed report.

The cracked password: Pr0d@dm1n was pasted on PasteBin

See further technical details in the PDF report on link:

Andy • January 1, 2017 2:07 PM

@Ulrich Boche

You probably should get your facts a little straighter. VeriSign was spun off from RSA Security and went public almost 20 years ago. Symantec was never owned by RSA Security, but it bought the VeriSign CA business (including the brand name) a few years back. RSA has been accused of taking the NSA's money to weaken its PRNG, but that doesn't really have anything to do with these unrelated companies.

Clive Robinson • January 2, 2017 3:33 AM

@ Vatos,

"So what should browsers do?"

The glib answer is "respond to users needs"...

But to do that you first need to know what the users need at all levels. At the lowest level, what the user fundamentally needs is covered by the "CIA triad" of Confidentiality, Integrity, and Availability. However, what the user wants at their level is a "no bother turn key solution", with "ease of use" being the overriding criterion.

The reality is they can't have any of it in practice, just a "cross your fingers and pray" solution. Because when you chase it down far enough you find that what the user really needs is not possible.

To see why you have to understand the issue of trust establishment in the formal sense.

You and I have --I assume-- never met; all I know of you is the label "Vatos" you chose to use as a temporary identifier. As such it is not unique, nor is it tied to you, the physical being, in any way. Therefore it has no formal trust value whatsoever. Now a Public Key Certificate (PKcert) has two parts, a Public Key (PubKey) and a Private Key (PrivKey), and their relationship gives the PKcert certain properties, the first of which is that it is assumed to be unique (the reality however is different[1]). From this various properties can be built up allowing the verification of use of the PKcert. Unfortunately it's a house of cards, because no matter what properties a PKcert has it cannot be implicitly tied to an individual. Because the PKcert is "intangible information" and has no tangible physical actuality, it cannot be "owned" like a unique physical item. It has no locality and is effectively infinitely copyable. Thus its trust value is based on the level of security the holder places on the PKcert's PrivKey. But even if the PrivKey security is perfect, the PKcert still cannot be tied to you as an individual...

Thus you have to try to do what is in effect impossible, which is tie the PKcert to an entity that in EU treaty parlance is "Any person legal or natural".

Back in the early days of Pretty Good Privacy people organised "Key Ring Parties" / "Key Signing Parties" where people would turn up with their paper "Identity Documents" and their PKcert and cross-sign each other's PubKeys to establish a "web of trust". This did not solve the problem for two reasons: firstly, few people can properly check identity documents; secondly, the identity documents are again not directly tied to an entity. At best all they say is that the photo on this ID document might be the individual, if the document is genuine (which often it might not be)...

The Certificate Authority model is actually worse than the web of trust model when it comes to authentication. When you follow it down it often comes out as "the credit card payment was not declined"... And if you read a CA's TOS you will find they accept no legal liability...

Thus it's safe to say that there is no useful level of trust in commercial CA signed PKcerts...

The problem with the current browser model is it assumes the opposite...

Worse, the browsers make it extraordinarily difficult for users to effectively set their own levels of trust based on either experience or how they have verified the PKcert themselves.

For instance, you and I could arrange to meet with our ID documents etc. and perform a check about the equivalent of the one many banks do when you open a basic bank account. But the number of fraudulent bank accounts in existence indicates the level of trust you should apply to that. However, speaking of banks, if you went to your local branch and a manager you knew gave you a copy of the bank's PKcert, you would probably trust that a lot more. Likewise your employer's etc.

Browsers need to allow users to set the level of trust they have in a PKcert, not just on the signing chain but on the user's perspective etc.

It won't be infallible, but it would be nearer the way humans establish trust in real life.

But there is a secondary issue: whilst humans are individuals biologically, they are not individuals in society. You have roles in life, such as son/daughter, brother/sister, husband/wife, father/mother, employee/employer, bank / credit / debit card holder, customer, member of a club or association etc. etc. These roles affect the level of trust you give the other people in each role relationship. Thus you should have PKcerts for all the roles and relationships you have in life as well.

Browser developers and many others appear incapable of understanding this let alone provisioning for it...

And yes there are quite a few other issues as well.

[1] There is no way currently to guarantee that a PKcert is unique. The best we can say is that it's improbable that two people will pick the same two primes, based on certain assumptions. One of those assumptions is based on "random selection" of the primes; unfortunately random is something deterministic computers are in general not designed to do. As has been seen, the poor design of systems with Random Number Generators has led to PKcerts with common primes...

The problem is they are to a degree interdependent.

That is to

TJ • January 2, 2017 9:26 PM

I don't follow CA incidents but I know someone who does and is really good with TLS and deep engineering subjects around security: Hector Martin Cantero

I typically see stuff from him criticizing how browser updates and ISPs don't block bad CAs and nobody really cares.. Seems to be just a laziness problem..

I basically use ECDHE_ECDSA exchange and AES_128_GCM or CHACHA20_POLY1305 and Let's Encrypt on my hosts that need MITM protection. Then I basically do next-best on all the fallbacks.
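As an added example (not code from any commenter here, nor from the blog), the following Go program ties together three points made in this thread: z's complaint that you cannot choose which CAs your client trusts, the certificate pinning oliver mentions, and TJ's ECDHE_ECDSA with AES_128_GCM or CHACHA20_POLY1305 setup. It builds a constructed root CA and leaf in memory, verifies the leaf only against a root the caller picked (an unrelated root, or no root at all, is rejected), computes the base64(SHA-256(SubjectPublicKeyInfo)) pin that HPKP and browser preload lists used, and runs an in-memory TLS 1.2 handshake limited to those two suites. The names `example.test`, `Constructed Example Root CA` and `Unrelated CA Also In The Store` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a P-256 ECDSA certificate for a constructed name. With parent == nil it is
// self-signed (a root CA); otherwise it is signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiPin is the HPKP / preload-list pin: base64(SHA-256(SubjectPublicKeyInfo)).
// It is tied to the key, so it survives re-issuing the certificate with the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyWith validates leaf against only the roots the caller chose, never the system
// store. No roots means no trust at all; a root that did not issue the leaf is rejected.
func verifyWith(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err
}

// negotiate runs one in-memory TLS 1.2 handshake over net.Pipe (no sockets), with the
// server limited to ECDHE-ECDSA + AES-128-GCM or ChaCha20-Poly1305. It returns the agreed
// suite and the server's SPKI pin exactly as the client observed it on the wire.
func negotiate(leaf *x509.Certificate, key *ecdsa.PrivateKey, root *x509.Certificate) (uint16, string, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // Go fixes the TLS 1.3 suites; stay on 1.2 so CipherSuites applies
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
	pool := x509.NewCertPool()
	pool.AddCert(root) // the client trusts this one root and nothing else
	cliCfg := &tls.Config{RootCAs: pool, ServerName: leaf.DNSNames[0], MinVersion: tls.VersionTLS12}

	sc, cc := net.Pipe()
	defer sc.Close()
	defer cc.Close()
	srv, cli := tls.Server(sc, srvCfg), tls.Client(cc, cliCfg)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return 0, "", err
	}
	if err := <-errc; err != nil {
		return 0, "", err
	}
	st := cli.ConnectionState()
	return st.CipherSuite, spkiPin(st.PeerCertificates[0]), nil
}

func main() {
	root, rootKey := newCert("Constructed Example Root CA", true, nil, nil)
	leaf, leafKey := newCert("example.test", false, root, rootKey)
	other, _ := newCert("Unrelated CA Also In The Store", true, nil, nil)
	fmt.Println("own root only:  ", verifyWith(leaf, root))  // <nil>
	fmt.Println("unrelated root: ", verifyWith(leaf, other)) // unknown authority
	fmt.Println("SPKI pin:       ", spkiPin(leaf))
	suite, pin, err := negotiate(leaf, leafKey, root)
	fmt.Println(tls.CipherSuiteName(suite), pin == spkiPin(leaf), err)
}
```

Run it with `go run`. The `Verify` call consults only the pool handed to it, which is the control the thread says browsers withhold from users; compare the returned pin against one recorded earlier and you have the pinning check oliver refers to, independent of which CA signed the certificate.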

Jurgen • January 4, 2017 5:02 AM

One important thing: The break-in wasn't at DigiNotar itself, but at some third party. Which, by the way, also was audited front to back and in depth (claim) by PwC and also got all-green signals. 'So everything was as secure as it could be'... now where's that old copy of the How to Fool the Auditor slide deck?

TJ • January 4, 2017 3:30 PM

"Audited" means little when there is a zero-day lurking. If you're lucky you have infrastructure that isolates with subnets and firewalls (like banks and other big-infrastructure shops do).

I've actually seen how security audits go for some big investment banking firms in the US (they probably have better than this company) and it's all broken by skilled adversaries with zero-days.. Nobody is fixing the memory corruption problem..
