Controlling a mine fire: The CA industry in 2016 and beyond

2016 was a significant year for the mine fire that is the CA
industry. In one sense, nothing much changed: CAs continued to
charge big money for random-looking bit strings whilst sometimes
doing Bad Things or having their infrastructure hijacked. But
things are changing!

In this talk I will recap the events of 2016 and discuss several
ongoing efforts to control the fire, including:

- The WoSign / StartCom backdated certificate shenanigans, and
browser vendors waking up and finding that they are strong

- The impact of Let's Encrypt (a free, automated, publicly trusted
CA) including (hilarious) reactions of incumbent CAs

- Certificate misissuance (Symantec et al.) and how Certificate
Transparency logs are being used to detect misissuance

- Altogether avoiding the CA cartel with DNSSEC-based certificate
trust (DANE)

Fraser Tweedale

February 25, 2017

Transcript

  1. Controlling the mine fire: The CA industry in 2016 and beyond

    Fraser Tweedale, @hackuador, February 25 2017
  2. None
  3. This talk

    - Overview of CA industry
    - Explain some mishaps of last couple years
    - Overview of some efforts to make things less bad
    - Recommendations; what you can do right now
  4. Certificate Authorities and TLS

    - CAs issue certificates that bind public keys to domains
    - Usually for $$$
    - A server presents its certificate during TLS handshake
    - Client (browser) validates certificate against trusted CAs
  5. None
  6. What’s wrong with the CA industry?

    - Literally hundreds of trusted CAs
    - We can’t possibly audit them all properly
    - Business model does not encourage disclosure of problems
    - Basically it’s a shakedown
  7. None
  8. 2016: WoSign / StartCom

    - Background: SHA-1 certs prohibited from 1 Jan 2016 [1]
    - WoSign got caught "backdating" certs to get around this [2]
    - Several other issues
      - failed to disclose purchase of StartCom
      - unverified info in subject name

    [1] https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/
    [2] https://wiki.mozilla.org/CA:WoSign_Issues
  9. 2015: Symantec

    - Sept 14: Symantec Thawte CA issued certs for google.com [3]
    - Further investigation turned up 1000s of misissued certs [4]

    [3] https://security.googleblog.com/2015/09/improved-digital-certificate-security.html
    [4] https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
  10. 2017: Symantec

    - January 19: 108 more misissued certs discovered [5]
    - After 2015 incidents, Symantec claimed to have implemented controls to prevent future misissuance... [6]

    [5] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html
    [6] https://www.symantec.com/page.jsp?id=test-certs-update
  11. None
  12. Let’s Encrypt - overview

    - free, automated, publicly trusted CA
    - domain validation only (this is fine)
    - ACME protocol went live in November 2015
  13. Let’s Encrypt - impact https://letsencrypt.org/stats/

  14. Let’s Encrypt - impact

    - 3rd biggest CA by certs issued [7]
    - 93% of domains never previously had a cert
    - 47% LE certs issued to 3 hosting providers
      - WordPress, Shopify, OVH

    [7] https://arxiv.org/pdf/1612.03005.pdf
  15. Let’s Encrypt - impact https://letsencrypt.org/stats/

  16. None
  17. Comodo vs Let’s Encrypt

    - Comodo filed 3 trademark applications, Oct 2015
    - ISRG had been using Let’s Encrypt since Nov 2014
    - Engaged Comodo privately from March 2016
    - ISRG went public June 23... [8]

    [8] https://letsencrypt.org/2016/06/23/defending-our-brand.html
  18. Comodo vs Let’s Encrypt

    - Comodo filed 3 trademark applications, Oct 2015
    - ISRG had been using Let’s Encrypt since Nov 2014
    - Engaged Comodo privately from March 2016
    - ISRG went public June 23... [8]
    - June 24: Comodo abandons applications

    [8] https://letsencrypt.org/2016/06/23/defending-our-brand.html
  19. Comodo vs Let’s Encrypt

    Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that’s why they created exactly same 90 day free ssl offering.
    —Melih Abdulhayoglu, Comodo CEO
    https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/shame-on-you-comodo-t115958.0.html
  20. StartCom/WoSign vs Let’s Encrypt

    - StartEncrypt announced 6 June 2016
    - full of security holes [9]
      - attacker-controlled path for DV check
      - duplicate signature key selection attack
      - private key mode 0666
    - abandoned 4 July; moving to ACME

    [9] https://www.computest.nl/blog/startencrypt-considered-harmful-today/
  21. CC BY-SA 3.0 https://commons.wikimedia.org/wiki/File:FF_Loeschuebung_mit_Mittelschaum.jpg

  22. Certificate Transparency

    - Append-only, immutable log of observed certificates
    - Can be monitored by CAs themselves, domain owners, etc.
    - Enables early detection of misissued certs, infra hijack
  23. CC BY-SA 3.0 https://commons.wikimedia.org/wiki/File:Canary.jpg

  24. CC BY-SA 3.0 https://commons.wikimedia.org/wiki/File:Canary.jpg

  25. DANE

    - DNS-Based Authentication of Named Entities (RFC 6698)
    - end-run around the CA industry
    - certs, CA certs or fingerprints in DNS(SEC)
    - key endorsement rests with domain owner
    - tradeoff: absolute trust in a DNSSEC root key
  26. Browser/OS vendors flex their muscle

    - WoSign/StartCom distrusted [10]
    - Chrome to require CT for certs issued after Oct 2017 [11]
    - Pushing to limit cert lifetimes to 13 months [12]

    [10] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
    [11] https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ
    [12] https://cabforum.org/pipermail/public/2017-February/009530.html
  27. What can you do about it?

    - use, implement, support Let’s Encrypt
    - use Strict Transport Security (HSTS); consider preload
    - use key pinning (HPKP, minimal trust stores, etc)
    - monitor CT logs for your domains
    - deploy DNSSEC; prepare for DANE
  28. Fin

    © 2017 Fraser Tweedale
    Except where otherwise noted this work is licensed under http://creativecommons.org/licenses/by/4.0/
    @hackuador
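
Slides 8, 22 and 27 come together in the check a domain owner can run over Certificate Transparency entries. The following is an added example, not material from the talk: it flags certificates for a watched domain from an issuer outside an allowlist, and SHA-1 certificates whose notBefore predates the 1 Jan 2016 sunset but which were first logged well after it. The entry layout, issuer names, domains and the 7-day slack are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

SHA1_SUNSET = utc(2016, 1, 1)       # slide 8: SHA-1 certs prohibited from 1 Jan 2016
BACKDATE_SLACK = timedelta(days=7)  # assumption: normal lag between notBefore and logging

def covers(name, watched):
    """True if a certificate name is the watched domain or a subdomain of it."""
    name, watched = name.lower().rstrip("."), watched.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Compare on a label boundary so notexample.org does not match example.org.
    return name == watched or name.endswith("." + watched)

def review(entry, watched, allowed_issuers):
    findings = []
    hit = sorted({w for w in watched for n in entry["names"] if covers(n, w)})
    if hit and entry["issuer"] not in allowed_issuers:
        findings.append("unexpected-issuer:" + ",".join(hit))
    # A SHA-1 cert dated before the sunset but first seen well after it may have
    # been backdated; it may also just have been logged late, so this is a lead.
    if (entry["sig_alg"].lower().startswith("sha1")
            and entry["not_before"] < SHA1_SUNSET <= entry["logged_at"]
            and entry["logged_at"] - entry["not_before"] > BACKDATE_SLACK):
        findings.append("possible-backdated-sha1")
    return findings

def scan(entries, watched, allowed_issuers):
    report = {}
    for e in entries:
        found = review(e, watched, allowed_issuers)
        if found:
            report[e["id"]] = found
    return report

# Constructed entries in a hypothetical, already-decoded form (not a real log format).
def entry(i, names, issuer, alg, nb, seen):
    return {"id": i, "names": names, "issuer": issuer, "sig_alg": alg,
            "not_before": nb, "logged_at": seen}

SAMPLE_LOG = [
    entry("e1", ["www.example.org"], "Example Trusted CA", "sha256WithRSAEncryption", utc(2016, 11, 1), utc(2016, 11, 1)),
    entry("e2", ["login.example.org", "cdn.other.test"], "Unexpected CA", "sha256WithRSAEncryption", utc(2016, 5, 2), utc(2016, 5, 2)),
    entry("e3", ["notexample.org"], "Unexpected CA", "sha256WithRSAEncryption", utc(2016, 5, 3), utc(2016, 5, 3)),
    entry("e4", ["*.example.org"], "Example Trusted CA", "sha1WithRSAEncryption", utc(2015, 12, 20), utc(2016, 3, 15)),
]

if __name__ == "__main__":
    for entry_id, found in scan(SAMPLE_LOG, ["example.org"], {"Example Trusted CA"}).items():
        print(entry_id, found)
```

In a real deployment the entries would come from decoding certificates fetched from CT logs or a monitoring service; that step is outside this sketch.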
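
Slide 25's "certs, CA certs or fingerprints in DNS(SEC)" refers to TLSA records (RFC 6698). The following is an added example, not material from the talk: it builds and checks TLSA association data, and shows why a record pinned to the public key survives the frequent renewals that 90-day certificates bring while a record pinned to the full certificate does not. The byte strings are constructed stand-ins for DER data, and extracting the SubjectPublicKeyInfo from a real certificate is assumed to happen elsewhere.

```python
import hashlib
import hmac

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type 0 = exact bytes

def parse_tlsa(rdata):
    """Parse presentation format: 'usage selector matching-type hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    data = bytes.fromhex("".join(parts[3:]))  # zone files may split the hex
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("association data length does not match digest")
    return usage, selector, mtype, data

def _association(selector, mtype, cert_der, spki_der):
    material = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    return material if mtype == 0 else DIGESTS[mtype](material).digest()

def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    return f"{usage} {selector} {mtype} {_association(selector, mtype, cert_der, spki_der).hex()}"

def tlsa_matches(rdata, cert_der, spki_der):
    """Compare association data only. DNSSEC validation of the record, and chain
    building for usages 0-2, are separate steps not shown here."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    return hmac.compare_digest(_association(selector, mtype, cert_der, spki_der), data)

# Constructed stand-ins: two certificates issued for the same key pair.
SPKI = b"constructed-subject-public-key-info"
OLD_CERT = b"constructed-cert-serial-01|" + SPKI
RENEWED_CERT = b"constructed-cert-serial-02|" + SPKI

def survives_renewal():
    pinned_key = tlsa_rdata(3, 1, 1, OLD_CERT, SPKI)   # DANE-EE, SPKI, SHA-256
    pinned_cert = tlsa_rdata(3, 0, 1, OLD_CERT, SPKI)  # DANE-EE, full cert, SHA-256
    return {"3 1 1": tlsa_matches(pinned_key, RENEWED_CERT, SPKI),
            "3 0 1": tlsa_matches(pinned_cert, RENEWED_CERT, SPKI)}

if __name__ == "__main__":
    print(survives_renewal())
```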