Life without a CA

At Libreplanet 2010, I was in a discussion with the MonkeySphere and EFF folks about how to encourage every website to offer ssl by default. The general idea is to stop local traffic snooping and provide more security by default. During the discussion, it came up that I disable all of the Certificate Authorities in my systems and selectively trust the ssl certificates from individual websites. I've been doing this for years. Apparently my admission was a shocking statement to many. The group asked me to document my Firefox setup and what life is like without any trusted CAs. Seth from the EFF has a quick post about possible concerns over the CAs in your browser. I used to rely on the Certificate Patrol Firefox Extension to monitor changing certs.

I generally use FreeBSD and Debian-based linux distributions for my operating systems. After I install firefox, I rename libnssckbi.so to something else (like libnssckbi.so.saved). Restart Firefox (see below for option two). Firefox should no longer validate ssl certs automatically.

Browse to a secure website, like https://torproject.org/. You should get the intentionally scary "This Connection is Untrusted" certificate error page. However, you should expect this error as there are no more CAs to validate against. Click "I Understand the Risks". Click "Add Exception". Firefox should retrieve the certificate. Click "View". This is where it gets interesting.

How do you validate the certificate? It depends on the other end. For sites I worry about, like my bank or favorite shopping stores, I call support and ask for the SSL fingerprint and serial number. Sometimes the support person even knows what I'm talking about. I suspect they just open their browser, click on the lock icon and read me the information. Generally, it takes some work to get the information. Further, I'll compare the cert received through Tor and through non-Tor ssh tunnels on disparate hosts. However, you only have to do this checking once per cert. Once you have it, Firefox stores it as an exception and, if the cert doesn't change between visits, doesn't interrupt you with the cert error page.

Am I too paranoid or dis-trusting of CAs? Probably. I have a few concerns about this process, too. Does the list of certs in my browser open me up to unique fingerprinting in some way? Would I notice if a Packet Forensics device was used? Unless someone screwed up, I doubt it. And a seldom asked question is, have I ever caught ssl certs being faked or changed by a man-in-the-middle? Yes I have.

What would I like to see rather than implicitly trusting centralized CAs? I very much like the model used by gpg and the web of trust. I think it's completely infeasible right now for the vast majority of people using the Internet today. However, using computers was infeasible for the vast majority of people merely a decade ago. Progress happens quickly.

(option two)
I generally remove all of the CAs as well, even though I think it's just a display issue at this point. To do so, go into Preferences, Advanced, Encryption tab, click View Certificates. Then just manually cycle through the remaining CAs and delete them all. I started writing a script to do this automatically, but it seems to change in each version of Firefox. If someone has a better/more automatic way to do this, I'd like to hear about it. Now you have no CAs.

Tags
distributed trust
certificate authority
firefox
ssl errors
certificate fingerprints
Anon

Anonymous (not verified) said:

March 27, 2010

Permalink

Getting rid of CAs is a terribly bad idea. CAs are there for a bunch of good reasons.

But let me ask this at first:
How do you think you (non CA user) will detect DNS cache poisoning, BGP hijacking, Domain name hijacking? - You won't. Sometimes depending on how well the SSL certs are secured. Every single one you use.

I think most people are aware that deploying SSL isn't easy. http://blog.torproject.org/blog/life-without-ca - works (no s, see). So it's done wrong here, too.
- Because there's a form - and I'm using it right now. You get a bunch of session hijacking issues therefore. Why do you allow non-https content if you care for SSL security?

Obviously, we're of differing opinions on CAs. CAs do little to zero checking when giving out SSL certs. I've personally bought SSL certs for apple.com, microsoft.com, and other domains where I had zero way to prove I owned the domain. When I tried to buy an EV cert for torproject.org, the entire check consisted of sending an email to an address I provided. Maybe we should be throwing out the CAs that are bad at their verification. If I buy an EV cert, I expect to have to prove I am authorized to represent the company, prove the company exists (and no, faxing an authorization on company letterhead doesn't count because it's so easily faked), and then have the CA do some actual work to make sure this is the right request. The other issue is it only takes 1 CA in your browser to be weak, and you lose. It's a race to the bottom for sloppy standards compliance and price. If one CA makes it too difficult to buy certs, just go to the cheapest, crappiest CA that is in most browsers and get your cert.

There's actually a subtle distinction here. SSL is great at encryption between me and the destination site. I don't like using SSL for authentication through a supposed trusted 3rd party CA. This is why I like the more peer-to-peer web of trust model. The people at Princeton and the Freedom to Tinker blog have done a fine job explaining the issues, https://freedom-to-tinker.com/blog/sjs/web-security-trust-models and https://www.freedom-to-tinker.com/blog/felten/web-certification-fail-ba….

I think you missed the point where I check certs through a few different methods from different parts of the world to see if I arrive at the same answer. Yes, a global adversary could alter bankofamerica.com and screw me, however, everyone else is equally screwed in that scenario. Calling up the bank and asking for their fingerprint and serial number is the second verification step.

The reason we as tor allow http and do not automatically redirect to https is that some companies and countries block ssl websites by default. I've seen this in action at a few banks around the world. They feel they need to surveil their employees to meet audit requirements. If we automatically redirected to the ssl site, many people would be sad. Some countries in the Middle East block ssl versions of sites, but not the non-SSL version. Simply forcing SSL everywhere is fraught with complexities. However, enabling SSL for users to choose is a fine option. You'll notice my links were to the ssl version of a site if it existed.

As a bank information security employee, the reason we have to do this is to record the content of all traffic in and out to help the Loss Prevention departments. If the traffic is non-ssl, we can record everything easily. For some departments, we allow ssl through the firewalls, but have installed our own CA that mitm all their traffic. We also whitelist the internet with a bluecoat systems device so people, say in the wire transfer room, can only access like 50 pre-approved sites relevant to their jobs.

Anon

Anonymous (not verified) said:

March 27, 2010

Permalink

Yay, I am not alone. Doing the same since about half a year :)
Still can not use online banking cause nobody at my bank can tell me their fingerprint :P

Anon

Anonymous (not verified) said:

March 27, 2010

Permalink

For a moment I wondered when I wrote this, I've been doing the same for quite some time. And I must admit: these bank service desks, I wonder who decides to hire them or if they get any education ...

phobos

phobos said:

March 27, 2010

Permalink

I guess I should also state that my practices essentially turn me into a CA, where I have to do the verification. I know this and am fine with doing the extra work when needed. Your desires may vary.

If I just want encryption, then I don't do too much verification. If I'm shopping at some sketchy ecommerce site, then I'll rely upon my credit card liability limits or the anonymously pre-paid credit card to protect me. I can afford $50 if it turns out the sketchy site loses all my info. This risk is true for sites I trust as well. I have zero control over my info at this point. The info I provide for the purchase is frequently bought, sold, lost, or stolen by the destination. An ssl cert, no matter how good it is, isn't going to stop that.

Well, yeeah!!!!! For example, i pushed Certificate Patrol into FactorBee ( http://honeybeenet.altervista.org/factorbee/ ) long time ago!!!!!!! Looking at the fingerprints of SSL certs is very important to avoid "fake"/replaced certificates!!!!!!!!!!!! It wasn't a news to me, i read one article about that almost one/two years ago!!!!!!!!!!! It sounds strange to me that the EFF has discovered this only recently(three days ago!!!!!!!!!!!!lol!!!!!!!!!!)!!!!! It is also the reason why i think that FactorBee is superior to the official Tor Browser Bundle for GNU/Linux!!!!!!! I made it in a very accurate way!!!!!!! ~bee!!!!!!!

I've often wondered why people buy certificates from CAs -- do they pay because they trust the CA, or do they trust the CA because they've paid?

As you mention in a previous comment, SSL is great for encrypting a connection, but the existing hierarchical method for verifying authenticity is next to useless. Might as well authenticate the certificates myself.

So by authenticating the certificates myself I might be securely connecting to an impostor, but at least I can be sure I'm connecting to the same impostor every time!

--Bob.

I think the main reason to purchase certificates from a CA today is to provide convenience for the users of their site. Most people would have no idea what to do when they see a warning that the website's certificate is not trusted, and would result in significant loss of traffic for the site. It seems that the CA's generally don't care to verify the purchaser of the cert is who they claim to be, so trust seems to be a secondary concern to usability and the appearance of security in many cases.

Phobos seems to confuse trust with authentication at times, a common mistake. I can authenticate the Russian Mafia is running a website, but not trust them. I can authenticate a police officer is in fact, a valid police officer; but I don't have to trust her. I can encrypt a connection to foo.bar, trust that it is foo.bar (because I run the service) but not actually trust the service (perhaps because it is non-free software and I cannot see the source code to know what it really does).

What's your point? As I understand the post, it is about the possibility of a corrupt CA taking bribes to authenticate the Russian Mafia site by presenting it to you disguised as a site you trust. If you claim that cannot happen, or that it can happen, but is not a problem, give your reasoning.

How can I delete Firefox CA in Windows? Delete option doesn't work, they are still there, and if I delete cert8.db Firefox recreates the file.

In C:\Program Files\Mozilla Firefox, or wherever you have it installed, rename nssckbi.dll to something else; say nssckbi.dll.saved.

Restart firefox and you are done.

I still see the cert auth. after the restart.

"Would I notice if a Packet Forensics device was used? Unless someone screwed up, I doubt it"

Your not using any CA's so... you would notice it, or am I missing something?

The packet forensics device fakes a valid ssl cert, not a CA.

I believe the fingerprint would change if a Packet Forensics device begins modifying the traffic.

You might be interested in Perspectives: http://www.cs.cmu.edu/~perspectives/
Its not distributed enough for me to trust it very much yet, but it has potential.

Financial Crypto is doing a series of posts on this very topic, https://financialcryptography.com/mt/archives/001232.html and https://financialcryptography.com/mt/archives/001233.html

If you found a fake SSL that would validate with a browser's stock CAs, why don't you publish it? SSL certificates are non-reputable, so this would be significant news and would give credibility to your cause.

Of course if you've only found non-validating SSL certificates while utilizing Tor exit nodes, that's not particularly surprising.

>>Cookies should be enabled in your browser for CAPTCHA validation.
bah! How can someone who seems as paranoid as I am require cookies?

I recently wrote about storing a hash of your certificate in your DNSSEC protected DNS zone file as an alternative to using CA's:

https://secure.grepular.com/DNSSEC_Will_Kill_Commercial_CAs

Just wondering what your opinion of doing it this way would be?

Could you give us a story about the times you've seen SSL MITMs attempted? Would be enlightening to know what the dangers out there are.

I have to say that this is being terribly overly paranoid on this subject, to be blunt about it.

CA's are there for good reasons, and it is stupid to delete them unless they are known to have been compromised in some manner.

Perhaps. You be the judge. A well-done compromise will not alert the users, http://www.wired.com/threatlevel/2010/03/packet-forensics/

http://lair.fifthhorseman.net/~dkg/tls-centralization/

http://www.internetnews.com/ec-news/article.php/2232421

http://www.zdnetasia.com/easy-to-get-web-certs-undermine-online-trust-6…

http://codefromthe70s.org/sslblacklist.aspx

thanks!removing all of the CAs from bruisers, now BOOKing airasia/cebu pacific online tickets gets very smoothly,no fail anymore