I am getting the impression that the end user is not supposed to ever mistrust any of those CAs that all browser and OS vendors are shipping with their products for our convenience.
The Comodo hack was only one incident in a row of incidents that show us that the trust model of PKI for SSL certificates is broken in many ways.
First off there are far too many CAs that your browser or operating system trusts per default.
Your browser or operating system trusts them so the user trusts them.
Most users don't understand PKI - crap I have met a whole bunch of folks during my career in information security that worked for an information security consulting firm or vendor who did not even understand PKI!
I really never assumed to be an expert but I had my share of PKI technology in my job and it pisses me off when folks go around talking horse shit while giving customers the impression they know what they are talking about.
PKI is a fine technology that has the potential to solve a lot of problems if implemented and used correctly.
But it is not implemented and used correctly.
And most people don't understand what the magic sauce is that lets you trust a certificate that has been signed by a CA. And so they do not understand either when they should not trust a CA or a signed certificate. And it's not only the users - it's also the vendors and the industry.
Let me set that straight: You can trust a certificate only when
1.) the certificate has been signed by a trustworthy certification authority
2.) the certification authority guarantees that the owner of the cert has proven his or her identity beyond any doubt
3.) the integrity of the registration process is guaranteed
It all comes back to real security oftentimes being inconvenient and expensive. This is the reason why there are also certificates where the signer (the CA) does not require the requester to identify by secure means. Oftentimes a fax or email is enough. Both can be spoofed.
In the Comodo hack, as I understand it, the integrity of the registration process was breached because it was some system that was reachable over the internet and this was all that was needed to send a valid certificate signing request (CSR).
How the hell is that possible? Well a good practice scenario requires a registration authority workstation with a person sitting in front of it, processing registration requests. The person identifies the requester - e.g. by checking some personal id.
Then the requester puts his own registration authority smartcard (which has been issued to him by the CA using the same identification procedure) into a smart card reader. He then types the registration data into his terminal and clicks on "send certificate signing request". He then has to type his pin into the pinpad of his class 2 or class 3 card reader which completes the transaction.
But this is laborious and expensive. But it's using PKI and is - if done correctly - perfectly secure enough.
So we live in a world where everybody wants to use SSL for his or her website and it has to be cheap and easy.
The padlock shall be green all the time. The user shall feel good and safe.
But trust in a PKI can only work if everybody understands where this trust comes from. This is just not the case if you have x levels of identification and almost hundreds of certification authorities worldwide. This doesn't work in a world where nation states control the local CA and buy themselves certificates for Google, Skype and Mozilla in order to "lawfully" intercept encrypted communication.
So the user can still decide to mistrust all those certification authorities that he doesn't know, right?
Well in theory.... But browser vendors do not make it easy for end users. In fact the opposite is the case. They make it nearly impossible for users to take informed decisions on who to trust and they make it unnecessarily difficult to withdraw trust for certain entities.
For some time now I have deleted a few certification authorities from the certificate store (keychain) on my Mac.
The Comodo CA is now one of those I deleted. Yesterday FX of Phenoelit tweeted this: "https://www.ausweisapp.bund.de/ uses a #Comodo certificate." So I went and checked the site and despite the fact that I already previously had deleted all Comodo root certificates, my padlock in Chrome still was green, indicating that all is fine.
Okay so I checked the certificate. The certificate was not even signed by the Comodo root CA. I thought I had told my browser and keychain to no longer trust this organisation but I was wrong. Some other organisation that I still trusted decided that I also ought to trust Comodo - an organisation called "Add Trust". Well the irony!
Add Trust had provided Comodo with an issuing certificate and Comodo had signed the website's certificate.
So I also deleted their root certificate from my keychain. Guess what happened!
The padlock in Chrome was still shining nice and green as if everything was perfectly okay with that cert. Only when you click on the padlock does it show that the certificate was issued by a (now) unknown and/or untrusted root.
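Why deleting one organisation's root did not remove trust in the certificates it issues can be shown with a small path-building model. This is an added example, not code from the original post; the names "Root A" (the deleted CA's own root), "Root B" (the other organisation's root) and "Issuing CA A" are placeholders, and the model matches on names only instead of verifying signatures.

```python
from collections import namedtuple

# Simplified model: a certificate is just (subject, issuer). Real path
# validation also verifies signatures, validity periods and constraints.
Cert = namedtuple("Cert", "subject issuer")

# Constructed data; the names are placeholders, not real certificates.
LEAF = Cert("www.example.test", "Issuing CA A")
INTERMEDIATES = [Cert("Issuing CA A", "Root B")]   # A's issuing CA, certified by B
TRUST_STORE = {"Root A", "Root B", "Root C"}       # self-signed anchors, by subject


def build_paths(leaf, intermediates, trusted):
    """Return every chain of subjects from leaf up to a trusted anchor."""
    paths = []

    def walk(cert, chain):
        if cert.issuer in trusted:
            paths.append(chain + [cert.issuer])
        for cand in intermediates:
            # Follow each certificate issued to our issuer; skip loops.
            if cand.subject == cert.issuer and cand.subject not in chain:
                walk(cand, chain + [cand.subject])

    walk(leaf, [leaf.subject])
    return paths


def anchors_for(leaf, intermediates, trusted):
    """Anchors that each make the leaf validate; all must go to distrust it."""
    return sorted({p[-1] for p in build_paths(leaf, intermediates, trusted)})


def vouched_by(anchor, intermediates):
    """CA subjects that become trusted, directly or transitively, via anchor."""
    found, frontier = set(), {anchor}
    while frontier:
        issuer = frontier.pop()
        for cert in intermediates:
            if cert.issuer == issuer and cert.subject not in found:
                found.add(cert.subject)
                frontier.add(cert.subject)
    return found


if __name__ == "__main__":
    print(anchors_for(LEAF, INTERMEDIATES, TRUST_STORE - {"Root A"}))
    print(anchors_for(LEAF, INTERMEDIATES, TRUST_STORE - {"Root A", "Root B"}))
    print(vouched_by("Root B", INTERMEDIATES))
```

Running `vouched_by` over every anchor in a store shows which subordinate CAs each root brings along, which is the list a user would need before deciding which roots to remove.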
Then I also checked what happens if I delete root certificates in Firefox 4. Firefox brings its own certificate store with it, whereas Chrome on OS X uses the system keychain.
I deleted all Comodo certificates in the Firefox 4 root certificate store and restarted Firefox.
After that the Comodo root certs were automagically restored as if I never had deleted them. Jayson verified this on his Win7 system and confirmed the behaviour. Leon also found that those roots seem to be "hardcoded" into Firefox. There might be another way to delete them - but not in the way that the user must assume is the supported way.
Lesson learned: thou shalt not mistrust the PKI. The user cannot understand the trust model and is not supposed to play an active role in the process of trusting or mistrusting CAs or organisations.
Maybe the behavior of Chrome and Firefox is a bug, but that shows us even more how wrong it is to trust browsers for secure transactions.
If you find any errors in my findings or conclusions or disagree with my opinion or if you think that I have misunderstood the PKI concepts described above please comment or contact me to explain and discuss. You are more than welcome.
interesting blog-post on browsing with most CAs deleted: