💾 Archived View for ajdiaz.me › doc › 2010 › 03041-criticism-ssl.txt captured on 2024-08-18 at 17:31:34.

View Raw

More Information

⬅️ Previous capture (2022-06-04)

-=-=-=-=-=-=-

Criticism about the SSL CA model
http://ajdiaz.me/doc/2010-03041-criticism-ssl.txt
Version: 2010-03-04


The connections in the WWW trend to be more secure each year. Probably for
the 2020, all connections in WWW becomes across SSL protocol. That's a very
good news for security, but although the idea to secure any HTTP connections
is great, bring with it another problems that some people avoid to confront.

This paper try to abord these problems, putting the focus on posible
solutions and a criticism about how CA system works.


The Authority Problem

Current CA model is based on the criteria of third party to trust or not
trust in certain CA. For example, if you use some browser, the developer of
the browser choose the CA for you. You of course can remove root
certificates from your side, but by default you are trusting is a number of
CAs. Furthermore, usually this developer do not select properly the list of
valids CAs, just trust in others to do this job. An easy attack to this
infrastructure is just buying one of the CA, so if you own the root CA
certificates, you can fraud any system signed by the CA. If you suppose that
this attacker is an state or a big company which also provides hosting or
networking services for third party, then you security is very compromised.

For example, let's suppose that you want to connect to your bank account in
an specified domain called ``mybank.com``, which uses HTTPs, signed by
a well-known CA. Now, the goverment cannot access to the bank, because is in
some weird country without jurisdiction, but can access to your ISP. Of
course that could be not a problem, because your connection is encrypted
from client side, to server side. Or not?

The goverment (or any attacker with enough privileges to access to the ISP),
can create a man in the middle attack, with a server in the ISP recording
the traffic. If this service has a valid certificate for ``mybank.com``
(because you have access to the CA), from the point of view of the client,
you are working with your bank, but it's not.

The big problem here is the blind trusting in a CA tree. A CA is usually
signed by others CA and so on, so if an comprised CA enters in the tree,
a number of domains could be compromised. It's easy for a goverment to get
the CAs root certificates, or for a big companies to buy the CA itself.

Until the comproised CA were discovered, you are exposed to them.

How to solve this problem? There are two different options in my opinion.
First one is to move CA system to a web of trust model, where each client
choose the persons or organizations to trust on. Of course this model
requires more education in the user side, to know who is trustable and who
is not.

The second choice is to use a hybrid model, where CAs are really validated
by users, and give them some points from 0 to 100 (arbitrary values). The
point of this is that the user can trust in different levels depends on whom
he or she relays. For example, the user U can trust in a reputed
cryptologist A, and other famous hacktivist B, and both scores the CA C,
A gives 10 to C but B gives 0, so, in average, C has 5 points. The user is
responsible to accept or deny to trust in a 5 point based CA.


The Content Signing Problem

Other problem related with SSL is that SSL is connection oriented protocol,
that is, SSL was designed to ensure that the endpoint is how appears to be,
but does not provide any warranty about the content of the site. Of course
this is not a problem per se, just the normal behaviour of SSL and how it
was designed.

But the misconception here is deeper, because the user has the impression
that if he is using HTTPS, then he is connected to the right server and
watch the right content. Truly, the user is connected to the right server
(SSL ensure of that, except in the CA spoofing case expose above), but you
cannot be sure about the content.

To solve this problem we proably can sign each HTML block, and the browser
can check this signature according with the domain. I should expand this
idea in other document.