Jul 10 2014
You’d think that if there was any SSL certificate out there that’d be carefully monitored, it’d be Google’s. And you’d be right: between the number of Chrome users and Google’s own team, the certs for Google properties are under a tremendous amount of scrutiny, so when an impostor cert is issued anywhere in the world it is usually detected relatively quickly. But the real question is why Certificate Authorities (CAs) are able to issue false certs in the first place. Mostly because someone in the issuance process has to be trusted, and in theory the CAs are the most trustworthy and best-protected parties in it. The catch is that any CA a browser trusts can issue a certificate for any name, so a single compromised or careless CA anywhere is enough. Unfortunately, there are still plenty of holes in the process and in the protection of even the best CAs.
Last week Google detected an unauthorized digital certificate issued in India by the National Informatics Centre (NIC). This week it was revealed that not only the certs Google knew about had been issued, but an indeterminate number of other certs as well. NIC’s issuance process had been compromised in some way, and they are still investigating the full scope of the compromise. Users of Chrome were protected by certificate pinning, which requires the chain presented for a Google domain to contain one of a small set of known public keys, so a forged cert from another CA is rejected even though it chains to a trusted root; users of IE and other software that trusts the same roots might not be so lucky. What was done with these certificates, no one knows. What could be done with them is primarily a man-in-the-middle attack against users of the sites named in the certs, meaning whoever now holds them could intercept and decrypt email, files and anything else sent to those sites over SSL. There are plenty of reasons a government or a criminal group would want a certificate that looks and feels like an authentic Google (or Microsoft or…) certificate.
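To make the pinning point concrete, here is an added example (not code from the original post) of the check in miniature. Everything in it is constructed: the two certificates are hand-built minimal DER X.509 structures with made-up keys, issuer names and a dummy signature, and all function names are hypothetical. It computes an HPKP-style pin, base64(SHA-256(SubjectPublicKeyInfo)), for each cert and shows that a forged cert carrying the right hostname but a different key fails the pin, regardless of which CA signed it, while a cert with the pinned key passes even under a different issuer. Only the Python standard library is used. Chrome pins CA keys and applies the test to every cert in the chain; this example pins the leaf to keep it short.

```python
"""Certificate pinning in miniature: a mis-issued cert for a pinned host is rejected.

Added example; all certificates, keys, names and signatures below are constructed.
"""
import base64
import hashlib

# --- minimal DER encoder, used only to construct the sample certificates --------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # extra leading byte keeps the INTEGER positive when the top bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

OID_CN = tlv(0x06, bytes.fromhex("550403"))                      # 2.5.4.3 commonName
OID_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
OID_SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
NULL = tlv(0x05, b"")
SIG_ALG = seq(OID_SHA256_RSA, NULL)

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one CN only here
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def spki(key_bytes):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    return seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + key_bytes))

def make_cert(subject_cn, issuer_cn, key_bytes, serial):
    validity = seq(tlv(0x17, b"140701000000Z"), tlv(0x17, b"150701000000Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), SIG_ALG,
              name(issuer_cn), validity, name(subject_cn), spki(key_bytes))
    fake_signature = tlv(0x03, b"\x00" * 33)  # constructed; not a real signature
    return seq(tbs, SIG_ALG, fake_signature)

# --- minimal DER reader: enough to pull fields out of a Certificate --------------
def read_tlv(buf, pos=0):
    """Return (tag, value bytes, offset just past this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into its child TLVs, keeping each child's raw bytes."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def tbs_fields(cert_der):
    _, cert_body, _ = read_tlv(cert_der)   # Certificate SEQUENCE
    _, tbs_body, _ = read_tlv(cert_body)   # tbsCertificate SEQUENCE
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields

def subject_cn(cert_der):
    _, name_tlv = tbs_fields(cert_der)[4]
    _, name_body, _ = read_tlv(name_tlv)
    _, set_body, _ = read_tlv(name_body)
    _, atv_body, _ = read_tlv(set_body)
    _, _, end = read_tlv(atv_body)         # skip the attribute type OID
    _, cn, _ = read_tlv(atv_body, end)
    return cn.decode()

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, spki_tlv = tbs_fields(cert_der)[5]
    return base64.b64encode(hashlib.sha256(spki_tlv).digest()).decode()

def pin_check(cert_der, pins):
    """The pin, not the hostname or the issuer, decides whether the cert is accepted."""
    return spki_pin(cert_der) in pins

# --- constructed scenario ------------------------------------------------------
LEGIT_KEY = hashlib.sha256(b"constructed key material: site key").digest()      # stand-in for a real key
ROGUE_KEY = hashlib.sha256(b"constructed key material: attacker key").digest()

LEGIT_CERT = make_cert("www.google.com", "Constructed Trusted CA", LEGIT_KEY, serial=1)
FORGED_CERT = make_cert("www.google.com", "Constructed Rogue CA", ROGUE_KEY, serial=2)

PINS = {spki_pin(LEGIT_CERT)}  # what the browser would ship for the site

if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_CERT), ("forged", FORGED_CERT)):
        print(f"{label}: CN={subject_cn(cert)} pin-ok={pin_check(cert, PINS)}")
```

Both certs claim the same CN and both would chain to some trusted root in a browser's store; only the pin tells them apart. That is also the operational cost of pinning: rotate the site's key without updating the pin set and the legitimate cert is rejected too, which is why pin sets normally include a backup key.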
There’s no clear, clean way to improve the CA process. Extended Validation (EV) certs are one way, though they make the whole process of getting an SSL cert much more complex, and they only raise the bar for the legitimate owner: nothing stops another CA from issuing an ordinary cert for the same name. Still, given the value of privacy and the vital role certificates play in maintaining it, this may be a price the Internet has to pay. Pinning certs helps, as will DANE and Sunlight (aka Certificate Transparency): DANE publishes the expected certificate or key in DNSSEC-signed DNS records, and Certificate Transparency logs every issued cert publicly so that an unexpected one for your domain can be spotted. Neither DANE nor Sunlight is fully baked yet, but both should help make up for the weaknesses of the current process. Then it’ll just take a year or three to get them into all the browsers, and even longer for older browsers to be retired. And that’s not even taking into account the fact that we don’t use SSL everywhere.