Life without a CA
At Libreplanet 2010, I was in a discussion with the MonkeySphere and EFF folks about how to encourage every website to offer ssl by default. The general idea is to stop local traffic snooping and provide more security by default. During the discussion, it came up that I disable all of the Certificate Authorities in my systems and selectively trust the ssl certificates from individual websites. I've been doing this for years. Apparently my admission was a shocking statement to many. The group asked me to document my Firefox setup and what life is like without any trusted CAs. Seth from the EFF has a quick post about possible concerns over the CAs in your browser. I used to rely on the Certificate Patrol Firefox Extension to monitor changing certs.
I generally use FreeBSD and Debian-based linux distributions for my operating systems. After I install firefox, I rename libnssckbi.so to something else (like libnssckbi.so.saved). Restart Firefox (see below for option two). Firefox should no longer validate ssl certs automatically.
Browse to a secure website, like https://torproject.org/. You should get the intentionally scary "This Connection is Untrusted" certificate error page. However, you should expect this error as there are no more CAs to validate against. Click "I Understand the Risks". Click "Add Exception". Firefox should retrieve the certificate. Click "View". This is where it gets interesting.
How do you validate the certificate? It depends on the other end. For sites I worry about, like my bank or favorite shopping stores, I call support and ask for the SSL fingerprint and serial number. Sometimes the support person even knows what I'm talking about. I suspect they just open their browser, click on the lock icon and read me the information. Generally, it takes some work to get the information. Further, I'll compare the cert received through Tor and through non-Tor ssh tunnels on disparate hosts. However, you only have to do this checking once per cert. Once you have it, Firefox stores it as an exception and, if the cert doesn't change between visits, doesn't interrupt you with the cert error page.
Am I too paranoid or dis-trusting of CAs? Probably. I have a few concerns about this process, too. Does the list of certs in my browser open me up to unique fingerprinting in some way? Would I notice if a Packet Forensics device was used? Unless someone screwed up, I doubt it. And a seldom asked question is, have I ever caught ssl certs being faked or changed by a man-in-the-middle? Yes I have.
What would I like to see rather than implicitly trusting centralized CAs? I very much like the model used by gpg and the web of trust. I think it's completely infeasible right now for the vast majority of people using the Internet today. However, using computers was infeasible for the vast majority of people merely a decade ago. Progress happens quickly.
I generally remove all of the CAs as well, even though I think it's just a display issue at this point. To do so, go into Preferences, Advanced, Encryption tab, click View Certificates. Then just manually cycle through the remaining CAs and delete them all. I started writing a script to do this automatically, but it seems to change in each version of Firefox. If someone has a better/more automatic way to do this, I'd like to hear about it. Now you have no CAs.
Getting rid of CAs is a terribly bad idea. CAs are there for a bunch of good reasons.
But let me ask this at first:
How do you think you (non CA user) will detect DNS cache poisoning, BGP hijacking, Domain name hijacking? - You won't. Sometimes depending on how well the SSL certs are secured. Every single one you use.
I think most people are aware that deploying SSL isn't easy. http://blog.torproject.org/blog/life-without-ca - works (no s, see). So it's done wrong here, too.
- Because there's a form - and I'm using it right now. You get a bunch of session hijacking issues therefore. Why do you allow non-https content if you care for SSL security?
Obviously, we're of differing opinions on CAs. CAs do little to zero checking when giving out SSL certs. I've personally bought SSL certs for apple.com, microsoft.com, and other domains where I had zero way to prove I owned the domain. When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided. Maybe we should be throwing out the CAs that are bad at their verification. If I buy an EV cert, I expect to have to prove I am authorized to represent the company, prove the company exists (and no, faxing an authorization on company letterhead doesn't count because it's so easily faked), and then have the CA do some actual work to make sure this is the right request. The other issue is it only takes 1 CA in your browser to be weak, and you lose. It's a race to the bottom for sloppy standards compliance and price. If one CA makes it too difficult to buy certs, just go to the cheapest, crappiest CA that is in most browsers and get your cert.
There's actually a subtle distinction here. SSL is great at encryption between me and the destination site. I don't like using SSL for authentication through a supposed trusted 3rd party CA. This is why I like the more peer-to-peer web of trust model. The people at Princeton and the Freedom to Tinker blog have done a fine job explaining the issues, https://freedom-to-tinker.com/blog/sjs/web-security-trust-models and https://www.freedom-to-tinker.com/blog/felten/web-certification-fail-ba….
I think you missed the point where I check certs through a few different methods from different parts of the world to see if I arrive at the same answer. Yes, a global adversary could alter bankofamerica.com and screw me, however, everyone else is equally screwed in that scenario. Calling up the bank and asking for their fingerprint and serial number is the second verification step.
The reason we as tor allow http and do not automatically redirect to https is that some companies and countries block ssl websites by default. I've seen this in action at a few banks around the world. They feel they need to surveil their employees to meet audit requirements. If we automatically redirected to the ssl site, many people would be sad. Some countries in the Middle East block ssl versions of sites, but not the non-SSL version. Simply forcing SSL everywhere is fraught with complexities. However, enabling SSL for users to choose is a fine option. You'll notice my links were to the ssl version of a site if it existed.
So... bank employees are prevented from doing secure banking? That's horrendously, amusingly ironic.
As a bank information security employee, the reason we have to do this is to record the content of all traffic in and out to help the Loss Prevention departments. If the traffic is non-ssl, we can record everything easily. For some departments, we allow ssl through the firewalls, but have installed our own CA that mitm all their traffic. We also whitelist the internet with a bluecoat systems device so people, say in the wire transfer room, can only access like 50 pre-approved sites relevant to their jobs.