💾 Archived View for ajdiaz.me › doc › 2010 › 03041-criticism-ssl.txt captured on 2023-01-29 at 02:58:48.
⬅️ Previous capture (2022-06-04)
-=-=-=-=-=-=-
Criticism about the SSL CA model http://ajdiaz.me/doc/2010-03041-criticism-ssl.txt Version: 2010-03-04 The connections in the WWW trend to be more secure each year. Probably for the 2020, all connections in WWW becomes across SSL protocol. That's a very good news for security, but although the idea to secure any HTTP connections is great, bring with it another problems that some people avoid to confront. This paper try to abord these problems, putting the focus on posible solutions and a criticism about how CA system works. The Authority Problem Current CA model is based on the criteria of third party to trust or not trust in certain CA. For example, if you use some browser, the developer of the browser choose the CA for you. You of course can remove root certificates from your side, but by default you are trusting is a number of CAs. Furthermore, usually this developer do not select properly the list of valids CAs, just trust in others to do this job. An easy attack to this infrastructure is just buying one of the CA, so if you own the root CA certificates, you can fraud any system signed by the CA. If you suppose that this attacker is an state or a big company which also provides hosting or networking services for third party, then you security is very compromised. For example, let's suppose that you want to connect to your bank account in an specified domain called ``mybank.com``, which uses HTTPs, signed by a well-known CA. Now, the goverment cannot access to the bank, because is in some weird country without jurisdiction, but can access to your ISP. Of course that could be not a problem, because your connection is encrypted from client side, to server side. Or not? The goverment (or any attacker with enough privileges to access to the ISP), can create a man in the middle attack, with a server in the ISP recording the traffic. If this service has a valid certificate for ``mybank.com`` (because you have access to the CA), from the point of view of the client, you are working with your bank, but it's not. The big problem here is the blind trusting in a CA tree. A CA is usually signed by others CA and so on, so if an comprised CA enters in the tree, a number of domains could be compromised. It's easy for a goverment to get the CAs root certificates, or for a big companies to buy the CA itself. Until the comproised CA were discovered, you are exposed to them. How to solve this problem? There are two different options in my opinion. First one is to move CA system to a web of trust model, where each client choose the persons or organizations to trust on. Of course this model requires more education in the user side, to know who is trustable and who is not. The second choice is to use a hybrid model, where CAs are really validated by users, and give them some points from 0 to 100 (arbitrary values). The point of this is that the user can trust in different levels depends on whom he or she relays. For example, the user U can trust in a reputed cryptologist A, and other famous hacktivist B, and both scores the CA C, A gives 10 to C but B gives 0, so, in average, C has 5 points. The user is responsible to accept or deny to trust in a 5 point based CA. The Content Signing Problem Other problem related with SSL is that SSL is connection oriented protocol, that is, SSL was designed to ensure that the endpoint is how appears to be, but does not provide any warranty about the content of the site. Of course this is not a problem per se, just the normal behaviour of SSL and how it was designed. But the misconception here is deeper, because the user has the impression that if he is using HTTPS, then he is connected to the right server and watch the right content. Truly, the user is connected to the right server (SSL ensure of that, except in the CA spoofing case expose above), but you cannot be sure about the content. To solve this problem we proably can sign each HTML block, and the browser can check this signature according with the domain. I should expand this idea in other document.