posted by janrinok on Monday November 21, @04:38PM
from the one-at-the-time dept.

Last week Bruce Schneier published An Untrustworthy TLS Certificate in Browsers and now Ian Carroll has published Security concerns with the e-Tugra certificate authority.

Ian is best known for the death of EV (Extended Validation) certificates. He legally registered a colliding entity name and then got an EV certificate for his site stripe.ian.sh. As that site is no longer online, a good write-up of the episode is Extended Validation Certificates are (Really, Really) Dead by Troy Hunt.

Troy Hunt is also known for his website ';--have i been pwned?.

Schneier suggests that it might be time to disable or remove trust for the following Certificate Authorities (CAs):

  • TrustCor
  • E-Tugra

Cory Doctorow gives a very good explanation of the problem in general and its causes here. Basically, we are just too trusting and we believe that others are looking after our interests. It appears that they are not.


  • (Score: 1, Interesting) by Anonymous Coward on Monday November 21, @05:29PM (12 children)

    by Anonymous Coward on Monday November 21, @05:29PM (#1280836)
    Just relying on "Trustworthy CAs" isn't good enough if one day it turns out you can't trust them. And how do you really know which CA you can trust?

    What you need is your browser to warn you if something suspicious happens like a cert/CA changing unexpectedly, just like the SSH warning stuff.

    There was a Firefox extension called Certificate Patrol which would warn you if a CA for a certificate changed. But it only kept track of one cert/CA, so for sites with multiple certs (load balanced etc.) it didn't work well.

    You couldn't tell it to accept that a site has multiple certs that you trust and to stop bugging you about that site till an actual new cert appears.
    • (Score: 4, Interesting) by pTamok on Monday November 21, @05:48PM (10 children)

      by pTamok (3042) on Monday November 21, @05:48PM (#1280840)

      There was a wonderful Firefox add-on called 'Perspectives' that checked the CA for each https connection and compared the information with a set of 'notaries' spread around the Internet that would (a) confirm whether they saw the same certificate as you for the site and (b) keep a history of CA changes and warn you if the certificate had changed recently.

      Unfortunately, it died the death. I'm giving a URL into the Internet Archive for more info because the domain has been taken over: http://web.archive.org/web/20130914122435/http://perspectives-project.org/ [archive.org]

      It really could do with being revived.

      • (Score: 0) by Anonymous Coward on Monday November 21, @06:09PM (9 children)

        by Anonymous Coward on Monday November 21, @06:09PM (#1280846)
        What I want is for my browser to warn me similar to the way ssh does. No need to check with others, since I may not trust those others either.

        Bank changed cert before it's due? Warn me - and provide info (old certs, CA etc. vs new one).
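        An SSH-style trust-on-first-use pin store that does what the comments above ask for: warn on an unexpected certificate change, accept several certs for one host (the load-balancing case Certificate Patrol handled badly), and treat a change shortly before expiry differently from one well before it is due. This is an added example, not code from the thread, from Certificate Patrol or from Perspectives; the host names, fingerprints, issuer names and the 30-day rotation window are constructed assumptions.

```python
"""TOFU ("trust on first use") certificate store in the style of SSH known_hosts.
Added example for this thread, not code from Certificate Patrol or Perspectives;
every certificate record below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class CertObs:
    host: str
    fingerprint: str   # SHA-256 of the leaf cert as hex; constructed values below
    issuer: str        # issuing (sub-)CA as seen in the served chain
    not_after: date    # leaf certificate expiry

@dataclass
class PinStore:
    """host -> {fingerprint: CertObs}. Several pins per host let load-balanced
    sites serve different certs without nagging (Certificate Patrol's gap)."""
    pins: dict = field(default_factory=dict)
    rotation_window: timedelta = timedelta(days=30)   # assumed threshold

    def check(self, obs: CertObs, today: date) -> str:
        known = self.pins.get(obs.host, {})
        if obs.fingerprint in known:
            return "ok"
        if not known:
            self.accept(obs)          # first use: remember it, as ssh does
            return "first-use"
        if obs.issuer not in {p.issuer for p in known.values()}:
            return "issuer-changed"   # now chains to a different CA: loudest warning
        if any(p.not_after - today <= self.rotation_window for p in known.values()):
            return "rotation-due"     # a pin is near expiry, so a new cert is plausible
        return "changed-early"        # the "bank changed cert before it's due" case

    def accept(self, obs: CertObs) -> None:
        """User decision: trust this cert alongside the others pinned for its host."""
        self.pins.setdefault(obs.host, {})[obs.fingerprint] = obs

def demo() -> list:
    # Walk one constructed host through every verdict; returns them in order.
    store, today = PinStore(), date(2022, 11, 21)
    a = CertObs("bank.example", "aa11" * 16, "Example Sub-CA 1", date(2023, 3, 1))
    b = CertObs("bank.example", "bb22" * 16, "Example Sub-CA 1", date(2023, 3, 1))
    d = CertObs("bank.example", "dd44" * 16, "Other CA", date(2023, 12, 1))
    e = CertObs("bank.example", "ee55" * 16, "Example Sub-CA 1", date(2024, 2, 1))
    out = [store.check(a, today), store.check(b, today)]
    store.accept(b)                   # user confirms the second load-balancer cert
    out += [store.check(b, today), store.check(d, today)]
    out.append(store.check(e, date(2023, 2, 10)))   # 19 days before pin a expires
    return out
```

The verdict strings are the warning levels a browser UI would map to; only "first-use" records anything automatically, every other acceptance is an explicit user decision, as with ssh.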
        • (Score: 3, Troll) by janrinok on Monday November 21, @06:22PM (4 children)

          by janrinok (52) Subscriber Badge on Monday November 21, @06:22PM (#1280853) Journal

          Read the Cory Doctorow link provided. How can you trust the plug-in? When the CAs themselves are corrupted (as the two that are mentioned are) then the whole system falls down.

          • (Score: 2, Interesting) by Anonymous Coward on Monday November 21, @06:46PM (3 children)

            by Anonymous Coward on Monday November 21, @06:46PM (#1280861)

            How can you trust the plug-in?

            People like you can go build your own computer, write your own compiler, OS, browser from scratch.

            In practice I'll have to trust something/someone at some point; trusting an extension which I can see the source code of is still better than trusting CAs just because Google/Microsoft says they're OK.

            When the CAs themselves are corrupted (as the two that are mentioned are) then the whole system falls down.

            Your claim is false. Don't forget ssh works fine even without CAs.

            If my bank's server certificate has not changed, even if the CA that signed the cert has signed new certs that pretend to be that bank, it's not a big problem to me as long as the browser would warn me if the bank's cert has changed and the bank's cert has NOT changed.

            The whole system falls down only because the browser doesn't warn you of potentially important stuff that it can and should warn you about.

            By the way, browsers should accept self-signed certificates too, and in the way SSH does - e.g. after you say it's OK it should stop bothering you about it BUT warn you if one day it changes. That way self-signed certs could be more secure than the current handling of CA-signed certs.

            • (Score: 3, Troll) by janrinok on Monday November 21, @07:02PM (2 children)

              by janrinok (52) Subscriber Badge on Monday November 21, @07:02PM (#1280864) Journal

              Your claim is false

              I thought so - you haven't read it.

              • (Score: 0) by Anonymous Coward on Monday November 21, @07:19PM

                by Anonymous Coward on Monday November 21, @07:19PM (#1280870)

                There's no need to. It's a rehash of old stuff long known (e.g. Reflections on Trusting Trust).

                I'm not aiming for perfect security, just better security. It's all a matter of managing risks and probabilities. Whatever I do I'd have to trust the browser and bank anyway if I want to do online banking.

                BUT if the browser makers do stuff right, while I still have to trust the browser and bank I don't have to trust that ALL the CAs have got their act together whenever I do online banking.

                With the current system it just takes one CA out of very many to do the wrong thing, but the browser won't warn you when that happens.

              • (Score: 1, Touché) by Anonymous Coward on Tuesday November 22, @03:52AM

                by Anonymous Coward on Tuesday November 22, @03:52AM (#1280958)
                The SSH system hasn't fallen down despite very few people using CAs for that. So there's no need to read the link at all to know that your claim is false.
        • (Score: -1, Troll) by Anonymous Coward on Monday November 21, @06:33PM (3 children)

          by Anonymous Coward on Monday November 21, @06:33PM (#1280856)

          What I want is for my browser to warn me similar to the way ssh does. No need to check with others, since I may not trust those others either.

          Bank changed cert before it's due? Warn me - and provide info (old certs, CA etc. vs new one).

          The problem I see with this approach is that there is no obvious useful action that a web user can take in response to such a warning.

          Pretty much the only options a user has if they see this with a web site are

              (a) ignore the warning and continue anyway, or
              (b) try again another day, hoping the problem goes away on its own, or
              (c) stop using the web site indefinitely.

          SSH users can typically be expected to have another communication channel to find out the actual current host keys of the remote system (although in my experience nobody checks host keys anyway). This is simply not the case with web sites.

          • (Score: 1, Insightful) by Anonymous Coward on Monday November 21, @07:03PM (2 children)

            by Anonymous Coward on Monday November 21, @07:03PM (#1280866)

            The problem I see with this approach is that there is no obvious useful action that a web user can take in response to such a warning.

            Huh, what are you smoking? If the site is your bank, the useful action is to NOT log in and do your banking.

            If you're not sure if you can trust the cert you should NOT be using the site till you can confirm you can trust the cert. You can get your bank to confirm it for you.

            This applies whether or not you have this warning feature. The warning feature just makes it easier for you to notice potential dangers that you might not have noticed before. Without the feature the dangers don't vanish by themselves, they are still there.

            Your objections are as inane/stupid as objecting to a "bridge has changed unexpectedly" warning feature because there's no obvious useful action that a bridge user can take and the only options are:

              (a) ignore the warning and continue anyway, or
              (b) try again another day, hoping the problem goes away on its own, or
              (c) stop using the bridge indefinitely.

            • (Score: -1, Troll) by Anonymous Coward on Monday November 21, @08:57PM (1 child)

              by Anonymous Coward on Monday November 21, @08:57PM (#1280891)

              If you're not sure if you can trust the cert you should NOT be using the site till you can confirm you can trust the cert. You can get your bank to confirm it for you.

              Can you?

              You phone up your bank and ask them for the fingerprints of their current web certificates, and they give you usable information in a timely manner? Have you actually tried doing this? What about other websites? Do you just email the administrative contact in WHOIS? Does this give you useful responses often?

              This applies whether or not you have this warning feature. The warning feature just makes it easier for you to notice potential dangers that you might not have noticed before.

              The problem is that a warning like this, virtually every single time, will be a false positive. Clicking through the warning is therefore a sensible action. Users will simply be conditioned to ignore the warnings as there will be no way of distinguishing a real attack from yet another pointless warning.

              Your objections are as inane/stupid as objecting to a "bridge has changed unexpectedly" warning feature because there's no obvious useful action that a bridge user can take and the only options are:

              This is a straw man. There are many effective actions you can take when a bridge is out, such as taking a different bridge, or using a different method to cross. Nothing like this is possible with websites that have certificate errors.

              • (Score: 0) by Anonymous Coward on Tuesday November 22, @03:47AM

                by Anonymous Coward on Tuesday November 22, @03:47AM (#1280957)

                Can you?

                Yes. Timely for you may be different for me.

                Clicking through the warning is therefore a sensible action. Users will simply be conditioned to ignore the warnings as there will be no way of distinguishing a real attack from yet another pointless warning.

                You can't wait so you'd rather click through instead or even not have such warnings in the first place.

                People like you don't care or know about security so you have no need for such features.

                I would agree that such features should be off by default, but they should still be available for those who actually care about security.

                I often don't have to run faster than the bear, I just have to run faster than people like you.

                This is a straw man. There are many effective actions you can take when a bridge is out, such as taking a different bridge, or using a different method to cross. Nothing like this is possible with websites that have certificate errors.

                False. I can use my bank's ATM or branch for transactions till I can confirm that it's OK to use their online site. It may be inconvenient but often so is taking a different bridge.

                Just because you can't accept or think of such options doesn't mean those options don't exist.

    • (Score: 4, Interesting) by fab23 on Monday November 21, @06:31PM

      by fab23 (6605) Subscriber Badge on Monday November 21, @06:31PM (#1280855) Homepage

      Yes, Certificate Patrol was kind of useful but sometimes also annoying (I had, on purpose, too many alerts active). I think later versions also supported accepting different certificates for the same site as long as they were from the same (sub-)CA.
      The old site http://patrol.psyced.org/ [psyced.org] is still available, but the add-on on the Mozilla site is gone. It did not survive the change to WebExtensions.

      I never found a replacement for it and have not searched any more.