Hacker Read

I'd also note that, in the wake of recent fiascos like StartCom/WoSign, Symantec, and Trustico, browser manufacturers are going to be extremely wary of new CAs -- and especially of ones operated by companies with no history in security.



Immediate distrust of all StartCom certificates might be the worst case for WoSign/StartCom, but it's not the worst case for the incumbent CAs as a whole, and it's only marginally worse than what's being done already for WoSign/StartCom.

The fact that they have a way to punish the CA business itself without punishing its customers is a good thing. It sends a clear message that the browsers can't be blackmailed out of punishing abuse by a CA's huge customer base. The browsers have demonstrated that they can put a CA basically out of business without impacting its customers.

If I ran a CA, I'd be much more nervous about this than I would be about them zapping the CA and all its customers.


It is difficult to find a group of companies less trusted to do the right thing than the major browsers (Apple, Google, Microsoft). However, the CAs qualify, ironically perhaps, as less trusted.

I don't think it's unexpected. Browsers are _the_ lifeblood of CAs.

Unless CAs insert themselves more into the process of code signing, S/MIME, GPG or something like that, they will remain under the heavy influence of browsers.


Yeah, I guess I think it makes more sense for the browser manufacturers to be the people to whom I delegate that responsibility. I already trust them not to run malware on my computer and to accurately display the SSL state of a connection.

I just think it's odd that any CA can turn around and make any other random CA fully blessed. It seems like it completely circumvents the browser manufacturers including root CAs at all.

Totally agreed re: maintaining your own list of CAs. I mostly do go through the system CA list and disable any from foreign governments I don't ever plan on trusting, but that's mostly feel-good and not actual security.


We seem better off having the browser vendors bring the hammer down on CAs that are issuing bad certificates. Regular people don't know enough to make valid decisions about which CAs to trust, and I don't think they should have to know either.

Another aspect of TLS I'm personally worried about is the ability of regulators to influence CAs.

It gets increasingly difficult to use websites that don't implement HTTPS. Some browsers will warn you if you try to enter a password on such websites, for example. Most users will not know what to do with such warnings, and will probably close the website upon seeing one. It's not impossible to imagine that, in ten or so years, some browsers might disallow plain HTTP entirely.

It's trivial for major governments (the US and the EU in particular) to impose know-your-customer requirements on CAs, or to force them to revoke the certificates of some unsavory websites.

Replacing your default browser with one that doesn't care about TLS support might not be trivial at that point, see Apple's restrictions on third-party browsers and Microsoft's recent tricks.


This market failure is neither bizarre nor unexpected. The CAs are like ratings agencies in the financial crisis: they are in the business of selling to one party (the website) a credential that they offer to a third party (the browser). Their incentives are aligned to make them sell certificates as cheaply as possible, and they are of course willing to trade off as much security as possible for convenience/cost, as long as they don't go over the lines defined by internet governing bodies and browser vendors. And when they're pushing those boundaries, every once in a while they're going to make a mistake.

The privately run industry is maybe a tiny bit better, but that's not the point.

The point is that the only way browsers have to influence a CA or the industry is the threat to eventually distrust. If they can't threaten that to government-stamped CAs, then those CAs no longer even have an incentive to operate responsibly, and, as we know from the many, many incidents, they almost certainly won't.


It’s worth mentioning that, if you listen to the podcast mentioned in this thread, DarkMatter, the hacking company, at some point ran a certificate authority that was recognized by browsers including Chrome and Firefox, until lately that news about them came out.

I wouldn’t blindly trust CAs either.


To me, this seems like a solid tradeoff of authority.

In practice, complexity and customizability breed ossification, because "safe" becomes the tiny subset of common configuration.

I could definitely see network appliance vendors, IT network security admins, endpoint security vendors, etc. rapidly fucking up everything.

At least with delegation to browser vendors + certificate transparency logs, we have a semi-standard path for a distrust like this to be forced without exploding the ecosystem.

Additionally, if there were more wiggle room, you'd alter the balance of power between browsers and CAs, which seems decently calibrated now.


All browser vendors IMHO should do exactly this. The CAs want them to entrust them with their customers' secrets; they should make sure the CAs they accept work properly.

Unfortunately we the public have little visibility into how browser makers choose which CAs will live and which will die. This seems to be a governmental-like function, one which companies are now operating, with no record of the court to speak of.

DigiNotar died, but Comodo[0] was too big to fail.

[0]: https://www.infoworld.com/article/2623829/authentication/wea...


I wish browser vendors would let me choose a trusted entity and make it simple for me to trust only CAs that my trusted entity supports, or the intersection of what multiple trusted entities endorse.

The incentive for a mass-market browser is to trust pretty much everything, but I'd prefer to use a browser that is a bit more paranoid.

If a website can't load properly because I don't trust one or more of the CAs, I might want to temporarily "live dangerously" but would be a bit more cautious about typing data into a form, etc.

Browser vendors should not try to create a one-size-fits-all list of trusted CAs, since there is obviously a very different level of trust deserved by various CAs based on the track record of each one.

If I were a state actor intelligence agency, compromising CAs would be toward the top of my list because of the amazing opportunity for man-in-the-middle attacks.

Distrusting Symantec certificates is a great step in the right direction.
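Two ideas in this thread are mechanical enough to show in code: the earlier comment about browsers punishing a CA without punishing its existing customers (distrust only certificates the CA issues after a cutoff date), and the comment above wishing for a trust store built as the intersection of several vendors' lists. The following is an added example, not code from the thread or from any browser vendor. It is a toy policy engine in Python's standard library; the "DER" blobs, fingerprints, vendor bundles and the cutoff date are constructed placeholders, and the function names (`intersect_trust_lists`, `evaluate`, `decide`) are my own.

```python
# Added example (not from the thread): a toy trust-store policy engine.
#  (1) trust only roots that every vendor list agrees on, and
#  (2) distrust a sanctioned root only for certificates issued on/after a
#      cutoff, so already-issued customer certs keep working while the CA
#      can no longer sell new ones.
# All certificates, fingerprints and dates below are constructed placeholders.
import base64
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Set, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-column base64 body)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the identifier root programs publish for roots."""
    return hashlib.sha256(der).hexdigest()


def fingerprints_from_bundle(bundle: str) -> Set[str]:
    """Parse every certificate in a PEM bundle and return the set of fingerprints."""
    out = set()
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        out.add(fingerprint(der))
    return out


def intersect_trust_lists(bundles: Iterable[str]) -> Set[str]:
    """Trust only roots present in every vendor list (a root missing anywhere is out)."""
    sets = [fingerprints_from_bundle(b) for b in bundles]
    return set.intersection(*sets) if sets else set()


@dataclass(frozen=True)
class Sanction:
    root_fp: str
    cutoff: datetime  # leaf certs with notBefore on/after this are rejected


def evaluate(root_fp: str, leaf_not_before: datetime,
             trusted: Set[str], sanctions: List[Sanction]) -> Tuple[bool, str]:
    """Decide whether a chain ending at root_fp, with a leaf issued at
    leaf_not_before, is acceptable under the trust store and sanctions."""
    if root_fp not in trusted:
        return False, "root not in trust store"
    for s in sanctions:
        if s.root_fp == root_fp and leaf_not_before >= s.cutoff:
            return False, "root sanctioned: certificate issued after cutoff"
    return True, "ok"


# Constructed placeholder "DER" blobs; real ones would be X.509 certificates.
ROOT_A = b"constructed DER for root A"
ROOT_B = b"constructed DER for root B"
ROOT_C = b"constructed DER for root C"

# Two hypothetical vendor lists: only vendor 1 ships root C.
VENDOR_1 = to_pem(ROOT_A) + to_pem(ROOT_B) + to_pem(ROOT_C)
VENDOR_2 = to_pem(ROOT_A) + to_pem(ROOT_B)
TRUSTED = intersect_trust_lists([VENDOR_1, VENDOR_2])  # root C is dropped

# Root B is sanctioned: certs it issued before the cutoff stay valid, later ones do not.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)  # constructed cutoff date
SANCTIONS = [Sanction(fingerprint(ROOT_B), CUTOFF)]
BEFORE_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)
AFTER_CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)


def decide(root: bytes, issued: datetime) -> Tuple[bool, str]:
    """Convenience wrapper over evaluate() using the constructed store above."""
    return evaluate(fingerprint(root), issued, TRUSTED, SANCTIONS)


if __name__ == "__main__":
    print(decide(ROOT_A, AFTER_CUTOFF))   # (True, 'ok')
    print(decide(ROOT_B, BEFORE_CUTOFF))  # old customer cert still accepted
    print(decide(ROOT_B, AFTER_CUTOFF))   # new issuance by sanctioned CA rejected
    print(decide(ROOT_C, AFTER_CUTOFF))   # not in the intersection of vendor lists
```

The date-scoped sanction is the part that matters for the "punish the CA, not its customers" point: the CA's existing certificates continue to validate until they expire, but nothing it issues after the cutoff is accepted, which removes its ability to sell. A real browser would key the sanction on the full chain rather than just the root fingerprint and would also consult revocation and CT data; this example only models the policy decision.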


Not to mention that if you set up an internal CA, it is a huge pain to add the CA to browsers, since most browsers don't use the system trusted CAs.

CAs must be audited and have a certification to be accepted in the major browsers (something like WebTrust). If anyone did this, they would lose that certification immediately and then they'd be out of business because their root CA would be revoked from Windows/Firefox/Mac OS.

The question is how WebTrust would treat this type of theoretical issue.


Does anyone know how browsers go about deciding which CAs to trust? It seems like browsers should be auditing CAs if they are going to be making this decision on our behalf. An audit should have caught this design flaw.

Not only that, but the ability by browsers to validate end-to-end depends wholly on browsers trusting CAs. I'd say that is a lot worse of a trust-level.

Were those CAs trusted by major operating systems and browsers?

You misunderstand.

They are merely adding themselves to the defaults set by current manufacturers. End users are free to remove them.

Microsoft, Mozilla and others already provide you with a list of who you’re going to trust by default.

It would be more outrageous if the current CAs were some sort of gold standard, but the whole system is flawed.
