Let’s Take Back The Certificate Authority

A free browser-driven Certificate Authority playing by our rules. #

TL;DR #

Let’s get Mozilla and Google to team up on an automated Certificate Authority (CA) process and include the root certs in both browsers. Keep the process 100% free and transparent, with a public listing of certs generated daily, forcing regular renewal, and accepting feedback and reports from the community.

In The Beginning there was ignorance. #

Recently there has been a lot of nonsense about removing self-signed certificate (cert) warnings from the world’s popular browsers. This is a horrible idea for many reasons, and this ill-thought-out solution glosses over the root problem entirely. People tend to jump on bandwagons without exploring the repercussions of such actions. There is a lot to lose and not much to gain from this. It will never fix the failures that CAs have continued to fall into year after year.

Why does it cost money to generate a verified cert? #

Well, there isn’t really a good answer to this question. The verification process for most cert authorities is trivial, and calling it “thorough” is borderline insane. As a result, a lot of people (including the inventor of the intrusion prevention system (IPS)) have publicly stated their support for abolishing the difference between http and https. This would in turn completely circumvent the whole public-key infrastructure (PKI).

Why is this bad and how could that affect me? #

Although encryption is important, it’s only half the battle. When sending sensitive information to websites on the internet, it’s not just important that the traffic is encrypted; it’s equally important to know who you are establishing the encrypted connection with. Take your-bank.com, for example. If they were to use a self-signed cert and all warnings were removed, an attacker could simply recreate the same cert and decrypt your traffic. This is a gross oversimplification of the whole Man-In-The-Middle (MITM) attack, but the attack itself is viable and simple to execute with an abundance of security tools that automate the process. I remember doing this same thing all the time when I was younger using the open source project Ettercap (http://ettercap.github.io/ettercap/). With Ettercap, in just a few button clicks you can inject your own cert for any domain someone on your network may try to visit. Before the introduction of self-signed cert warnings, it was VERY easy for this attack to go unnoticed. Honestly, how many times have you actually inspected the cert for any given website you visit? If you are like me, that answer is going to be close to zero times.

So, what idea do you have to fix this problem? #

I collaborated with a few friends to build http://lolroot.ca, which was a huge troll directed at individuals requesting the immediate removal of self-signed cert and mixed-content warnings. Despite it being a troll, the idea of having free certificates actually started making sense, especially when you see people’s excitement around free verification and think about the issues around traditional CAs.

The idea of a community-driven CA is really attractive, but verification/trust is a huge concern (i.e., you should NOT trust lolroot.ca). The process of obtaining an SSL cert is traditionally expensive because of the control held by the certificate authority cartel, and becoming a root CA included in major browsers or operating systems is not going to happen without a lot of capital to throw at a few companies and people. Luckily for us, a few people have already thought of good solutions to domain verification and have much better reputations and incentives to take this challenge head on. I am talking about Mozilla and Google. Both control a huge amount of the browser market share and have the ability to add new root CAs and support the process completely. The system Google uses for its Google Apps domain registration is perfect: after verifying the identity of the person requesting the signed cert using e-mail verification or SMS, it becomes an automated machine with little capital needed to sustain it. They could easily afford to make the process free for all. I personally wouldn’t have any problems adopting this process in return for a trusted cert to use on my websites or for other applications. But the second half of this is trust, and that means including the community as part of the certificate verification. The ability to easily report malicious sites or request a revocation is a necessity.
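As an added illustration (my own sketch, not anything built by Mozilla, Google or lolroot.ca), here is a toy model of the process the TL;DR and the paragraph above describe: a one-time token delivered out of band proves control of the domain contact, every issued cert is short-lived so it must be renewed, every issuance and every community report lands in a public append-only listing, and anyone can check that the listing has not been altered. The hash chain, the 90-day lifetime, the record layout and all function names are my assumptions.

```python
import hashlib, hmac, json, secrets
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90   # assumption: a short fixed lifetime forces regular renewal
log = []                  # the public, append-only listing (one record per event)
pending = {}              # domain -> one-time token, sent by e-mail/SMS in the proposal

def _append(record):
    # Chain each record to the previous one so the published listing is tamper-evident.
    record["prev_hash"] = log[-1]["entry_hash"] if log else "0" * 64
    body = json.dumps(record, sort_keys=True).encode()
    record["entry_hash"] = hashlib.sha256(body).hexdigest()
    log.append(record)
    return record

def start_verification(domain):
    # The CA generates a token and delivers it to the domain's registered contact.
    pending[domain] = secrets.token_hex(16)
    return pending[domain]

def issue(domain, token, today):
    # A single-use token proves control of the contact; compare it in constant time.
    expected = pending.pop(domain, None)
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    expires = date.fromisoformat(today) + timedelta(days=CERT_LIFETIME_DAYS)
    return _append({"type": "issue", "domain": domain,
                    "issued": today, "expires": expires.isoformat()})

def report(domain, reason, today):
    # A community report is published in the same listing as a revocation record.
    return _append({"type": "revoke", "domain": domain, "reason": reason, "on": today})

def is_trusted(domain, today):
    # Walk the listing in order: the newest issue record counts unless revoked or expired.
    status = False
    for e in (r for r in log if r["domain"] == domain):
        status = e["type"] == "issue" and today <= e["expires"]  # ISO dates compare as strings
    return status

def verify_log():
    # Anyone can recompute the chain from the published records.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev_hash"] != prev or e["entry_hash"] != digest:
            return False
        prev = e["entry_hash"]
    return True
```

Cutting records off the tail of the listing is not caught by verify_log; a real listing would also publish a signed head each day so clients can detect a rolled-back log.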

Conclusion #

For too long we have let unknown companies control what is valid and trusted on the internet. We have had to pay for the luxury of being trusted and offering encryption (a process that is not thorough and leverages open source software to operate anyway). Using our power as a community, we should push the major open source browsers to make a change. This process should be free and available to all who request it.

 
30
Kudos
 
30
Kudos

Now read this

Envdb: Ask your environment questions.

I recently released a open source project called EnvDB. Envdb allows you to deploy osquery to your assets and ask them questions in an ad-hoc fashion. Think of each osquery install as a node in a database cluster. Envdb adds the glue to... Continue →