Not only that, but the ability by browsers to validate end-to-end depends wholly on browsers trusting CAs. I'd say that is a lot worse of a trust-level.
It's not entirely arbitrary. Some CAs may actually be worthy of trust. I imagine it would be possible to modify the browser's UI to reflect the trustworthiness of the server certificate to encourage better diligence on their part.
Does anyone know how browsers go about deciding which CAs to trust? It seems like browsers should be auditing CAs if they are going to be making this decision on our behalf. An audit should have caught this design flaw.
It is difficult to find a group of companies less trusted to do the right thing than the major browsers (Apple, Google, Microsoft). However, the CAs qualifies, ironically perhaps, as less trusted.
Of all the CAs my browser trusts, any single one of them can compromise the entire web by fucking up and issuing bad certificates.
I have no say in which CAs I "trust", since my list has to match the list that site owners pick from. Site owners have no benefit from picking better CAs on the list over worse CAs also on the list, because my browser trusts them the same.
How could anyone think this is a good system!?
[Edit: and yeah, things like cert pinning can mitigate the damage a bit. That's not enough to make a bad idea suddenly a good idea, and it only took approximately forever to start being implemented.]
I think I can boil down an example about why I prefer not to talk about trust by itself as it relates to CAs. Imagine a hypothetical version of Let's Encrypt that has all of its operational excellence and security, but that uses root certificates that are not cross-signed and not included in any browsers. I would argue that this CA is exactly as trust-able as LE is (by hypothesis its procedures and technologies are the same, and we trust LE's), but clearly it is not as useful as a CA as LE is because it is not included in the root set of any browser (which we call 'trusted' and which generally implies that the people behind the browser believe that the CA will not issue certificates improperly).
If we say that this CA is not 'trustworthy' here, what we really mean is 'this CA is not in browser root sets and so the TLS certificates it issues provoke browser warnings'. This is useful in one sense (it is what most people care about), but I prefer to be explicit about what we mean (partly because 'trust' is a loaded term with tangled implications).
Rather than browsers arbitrarily only trusting certain lengths of certs, of much greater concern to me is the number of root CAs trusted by every major browser, some of which are companies under the control of authoritarian states (Turkey, China).
Go take a look at how many CAs your browser trusts, and tell me with a straight face that you absolutely trust every one of those CAs to always do the right thing.
Certificate issuance transparency helps, but doesn't get rid of the fundamental issue.
We seem better off having the browser vendors bring the hammer down on CAs that are issuing bad certificates. Regular people don't know enough to make valid decisions about which CAs to trust, and I don't think they should have to know either.
The central thesis of the article seems to reject all market forces that aren’t directly controlled by the CA. For starters, CAs have to compete to maintain the trust of the browsers. The author glosses over this as if it’s barley relevant, but the browsers essentially decide whether CAs are allowed to conduct business at all. CAs also have to compete for the trust of their customers. The author seems to think that CAs publishing a bit of fud somehow entirely negates the customers ability to assess their trustworthiness. I’d say that any actor who makes decisions about trust based only on marketing content probably doesn’t care very much about the integrity of the CA system. The existence of commercial insentive doesn’t intrinsically make a system corrupt. The CAs product is essentially trust, if their product isn’t good enough, then they won’t be able to sell it. Especially since there’s a number of different supervising bodies to ensure they’re doing a sufficient job.
CAs must be audited and have a certification to be accepted in the major browsers (something like WebTrust). If anyone did this, they would lose that certification immediately and then they'd be out of business because their root CA would be revoked from Windows/Firefox/Mac OS.
The question is how WebTrust would treat this type of theoretical issue.
I've often wondered: why is trust in CAs an all-or-nothing proposition (aside from EV certs), and why should my particular browser vendor have all the authority over who I should trust?
For the vast majority of users that's probably just fine, but I would have thought that there'd be a browser or extension or something that allows security-conscious power users more fine-grained control over this by now.
For example, I could subscribe to changes in CA trust levels from every major browser vendor, and if they don't agree my browser could show me a warning with an explanation.
Or I could subscribe to feeds from other entities I trust, like the EFF. Or my security-conscious friends.
Or if I decide I have lower trust in certificates issued by governmental CAs, or CAs in certain regions, I could mark them as lower trust.
I wish browser vendors would let me choose a trusted entity and make it simple for me to trust only CAs that my trusted entity supports, or the intersection of what multiple trusted entities endorse.
The incentive for a mass-market browser is to trust pretty much everything, but I'd prefer to use a browser that is a bit more paranoid.
If a website can't load properly because I don't trust one or more of the CAs, I might want to temporarily "live dangerously" but would be a bit more cautious about typing data into a form, etc.
Browser vendors should not try to create a one-size-fits-all list of trusted CAs, since there is obviously a very different level of trust deserved by various CAs based on the track record of each one.
If I were a state actor intelligence agency, compromising CAs would be toward the top of my list because of the amazing opportunity for man-in-the-middle attacks.
Distrusting Symantec certificates is a great step in the right direction.
Totally agreed CAs dropped the ball on research too. It's not an either/or thing: browsers makers need to ensure their security UX helps people understand what they're connecting to and CAs need to do the same and additionally ensure their verification processes are robust.
What if there were a middle ground between browsers trusting and rejecting a CA? What if there were a yellow "proceed with caution" warning on sites using certificates issued by CAs that have very occasionally behaved improperly?
It's not about extra verification, it's about reducing the attack surface.
If your browser trusts 100 different CAs, I can MITM you after compromising any one of those 100. If you only actually use 10 of them, then you can remove the other 90 from your trusted list and make my (the attackers') job 10x harder. More-or-less regardless of which individual CAs take security a bit more seriously than the others, since they're all held to a reasonable minimum standard.
This market failure is neither bizarre nor unexpected. The CAs are like ratings agencies in the financial crisis: they are in the business of selling to one party (the website) a credential that they offer to a third party (the browser). Their incentives are aligned to make them sell certificates as cheaply as possible, and they are of course willing to trade off as much security as possible for convenience/cost, as long as they don't go over the lines defined by internet governing bodies and browser vendors. And when they're pushing those boundaries, every once in a while they're going to make a mistake.
reply