Jon Callas

SSL domain authentication needs improvement

Friday, January 27th, 2012 | Jon Callas

Should we really be taking the domain owner’s word for it?

Blogmaster Note: This was originally posted on January 27,  2012 to ComputerWorld UK’s Security Spotlight Blog.

In her Dark Reading article, “Is SSL Cert Holder ID Verification a Joke?“, Ericka Chickowski discusses if certificate authorities do enough identity checking for Domain Validated (DV) certificates. I am myself perhaps notorious for writing that it’s not a joke, it’s a farce.

Domain Validated certificates are issued typically with the same vetting that you’d use to subscribe to an email list — a simple response to an email is good enough. Sometimes an email response is just fine; for example, a certificate for S/MIME email would hardly need more than proving you own the email address. But for an SSL certificate, this is barely better than just taking the applicant’s word for it.

I think Chet Wisniewski of Sophos has it pretty much correct when he says, “…the fact that they say they validate who [the certificate holders] say they are, it’s just horse manure”. If it were up to me, I’d solve the issue by not having the browser light the lock for a DV certificate.

Entrust doesn’t issue Domain Validated certificates at all. We issue only the more rigorous Organization Validated certificates and Extended Validation certificates (a.k.a. Green Bar certificates). Entrust vets the identity and ownership of the domain against a variety of databases before issuing a certificate for a domain. I got Entrust certificates for my personal domains, and there was an impressive check I had to go through.

There is even more checking done for EV certs. Not only is there a more rigorous check, but the CA has to have better operations. For example, if revocation checks don’t come back with an affirmative in just a couple seconds, the browser does not light the green bar (or at least is not supposed to, I’m not going to claim that every browser is bug-free).

The domain itself also needs to make sure that it protects all content, or again, the browser downgrades the connection. This is the only place I’d disagree with the article. If there are these sorts of setup problems on an EV-protected site, the browser drops the EV signals. There’s a lot of variation in how different browsers handle the different edge conditions — I’ve been testing them myself, and those variations will make a great blog post.

Nonetheless, the basic thrust of the article is spot on. DV certs are barely worth the bits they’re written with, and we would all be better off if they didn’t give an indication of trust in the browser (the lock) when there’s no real vetting done.

Posted in Uncategorized | Add Comment | No Comments »

Bruce Morton

SSL Certificate Baseline Requirements 1.0

Wednesday, December 14th, 2011 | Bruce Morton

The CA/Browser Forum has completed release 1.0 of the Baseline Requirements for the Issuance and Management of Publicly Trusted (SSL) Certificates. This document, fondly referred to as the BRs, is a major step forward for the SSL certificate industry. The leading browser vendors and the SSL CAs have come together to set a minimum standard for the issuance of SSL certificates. It will act as the benchmark for all SSL certificate issuance moving forward, once it becomes effective on July 1, 2012.

Prior to the BRs, there was no common standard for the issuance of SSL certificates. Microsoft and Mozilla have their stated requirements and policies that must be considered. The AICPA/CICA has WebTrust for CA and, of course, there are “industry best practices.” Industry best practices? Try to find those; well, now you can. The BRs have considered the browser policy requirements and have been reviewed by the WebTrust auditor community.

Over the years, security researchers and hackers have found cracks in SSL certificate issuance practices. Mike Zusman defeated the common practice of using email addresses to confirm domain control in the issuance of Domain Validated (DV) certificates. The ComodoHacker issued fraudulent certificates by attacking third-party registration authorities. Most recently, due to a spear-phishing attack, some SSL CAs were found to be issuing certificates with weak 512-bit keys. All of these short-comings have either been addressed directly or mitigated in the BRs.

The CAB/Forum acknowledges that the BRs are not a panacea for all SSL certificate issues. Nonetheless, the BRs establish a baseline from which more improvements can be made.

Tags: ,
Posted in Secure Browsing, Technical | Add Comment | No Comments »

Bruce Morton

512-bit Certificates Abused in the Wild

Monday, November 28th, 2011 | Bruce Morton

Late last month, we were advised that some malware used in a spear-phishing attack was signed using 512-bit RSA Web server certificates. In a recent blog post from FOX-IT, it was confirmed that the abused certificates were issued by more than one CA to more than one subscriber and it was concluded that the certificate keys had not been stolen, but had been derived from the public keys. That is, the public key was so small that a hacker could, via brute-force attack, guess the private key.

This is not how public key cryptography is supposed to work. The keys should be sufficiently large that the amount of resources and time required to derive the private key would be too large and too long to make the effort worth it. What happened?

Two things. First, some Web server administrators are still generating weak key pairs. Unfortunately, these admins are not aware of best practices with regards to key sizes for SSL certificates. In 2011, 1024-bit RSA is still allowed, but 2048-bit RSA is recommended; 512-bit RSA is definitely a no-no. The second issue is that some CAs were not checking and enforcing minimum key size requirements.

So how can a Web server certificate be used to sign malware? Don’t you need a code signing certificate to sign code? This is another problem. The way the certificate purpose is assigned is through an extension in the certificate called Extended Key Usage (EKU). There are EKUs for SSL, code signing, and S/MIME, amongst others. The certificates used in the spear-phishing attack had no EKU extension. No EKU doesn’t mean “no purpose.” It means “ALL PURPOSES.” So these so-called Web server certificates could be used to sign code. This is not caused due to a Web server admin’s error; this is caused by the CAs not restricting the usage of their certificates with an EKU.

Entrust got involved because we cross-signed a CA in Malaysia that was issuing SSL certificates with 512-it keys and no EKUs. The result was that Entrust revoked the cross-certificate and the cross-certificate was blacklisted by the browsers [1][2][3].

So, if there were other CAs that issued SSL certificates with weak 512-bit keys and no EKUs, why was the Malaysian CA singled out and blacklisted by the browsers? The fact is, Digicert Malaysia committed a trifecta of certificate issuance faux pas — weak keys, no EKU, and no revocation information. All of the other CAs were able to revoke their certificates, so the certificates would no longer be trusted.

Digicert Malaysia failed to put information in their certificates that would allow the end-user to determine whether or not their certificates were still trustworthy. This left revocation and blacklisting of their CA certificate as the only reasonable recourse.

So what can we take away from this situation?

  • The SSL industry needs a common standard for all CAs to follow when issuing certificates. This standard needs to include recommendations for key size and certificate profiles. More to follow on a future post.
  • Web server administrators need make sure that they are creating keys that are at least 1024-bit RSA and preferably 2048-bit RSA.
  • Public CAs will correct their issuing practices, but enterprise CA operators should ensure that their CAs are configured properly as well.
  • Browsers should consider building in safeguards, so that non-complaint certificates are not given the same user interface treatment as compliant certificates.

A final thought. Mistakes happen, which are expected when issuing SSL certificates. That is why the system is designed to be resilient and mitigate various security incidents. In this case, the browsers and the effected CAs worked together to resolve the issue and restore a secure state in a swift manner.

Tags: , , ,
Posted in Secure Browsing | Add Comment | No Comments »

Jon Callas

Kudos to KPN

Wednesday, November 9th, 2011 | Jon Callas

Blogmaster Note: This was originally posted on November 8, 2011 to the ComputerWork UK Security Spotlight blog.

Disclosure is a sign of healthy regard for security threats

This weekend, the certificate authority (CA) associated with the Dutch telecommunications company KPN stopped issuing SSL certificates because they detected a break-in on one of their public-facing web servers. Jeremy Kirk’s IDG story, “Dutch SSL authority KPN stops issuing certificates after hack” gives a number of details.

KPN has alerted the Dutch government, for whom they issue certificates, and with whom they are analysing the attack. The Dutch government issued a statement (which can be found here, in Dutch), but the news story provides more background.

Read the rest of this entry »

Posted in General, SSL Deployment | Add Comment | No Comments »

Entrust

Entrust Bulletin on Certificates Issued with Weak 512-bit RSA Keys by Digicert Malaysia

Thursday, November 3rd, 2011 | Entrust

It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards. Read more at:

http://www.entrust.net/advisories/malaysia.htm

Tags: , ,
Posted in General | Add Comment | No Comments »

Bruce Morton

Amazon Silk

Thursday, October 27th, 2011 | Bruce Morton

Amazon announced last month that it is entering the tablet market with the Kindle Fire. The Fire will be based on the Android operating system and will use the new Amazon Silk browser. Silk will use an innovative architecture called dynamic split browsing. In order to improve performance, content will be made available through the Amazon EC2 cloud.

Read the rest of this entry »

Tags: , , ,
Posted in Secure Browsing | Add Comment | No Comments »

Jon Callas

Don’t fear the BEAST

Tuesday, October 25th, 2011 | Jon Callas

A few weeks ago, Juliano Rizzo and Thai Duong published a paper on an SSL attack that they call BEAST, which decrypts parts of an SSL connection.

Before I discuss it at length, let me cut to the chase on it.

Q: Is this something that you need to worry about?
A: No.

Here’s a slightly more detailed explanation. The BEAST attack requires that hostile Javascript run in your browser that does the cryptanalysis. But any attack that requires hostile programs in your browser is less of a worry than one that doesn’t. If you have hostile code in your browser, there are a lot of other things it can do, like send your usernames and passwords off to some other server. Why bother doing cryptanalysis when you can just read what’s in the browser.

Read the rest of this entry »

Tags: , , , , , ,
Posted in Secure Browsing | Add Comment | No Comments »

Bruce Morton

Happy Birthday, Firesheep!

Monday, October 24th, 2011 | Bruce Morton

It’s been a whole year since Firesheep was released. One year old and more than 1.9 million downloads of the Firefox plugin that allows an attacker to take over improperly secured accounts when accessed from a Wi-Fi hotspot.

The solution to the problem is website operators need to secure everything in the session starting from the login. Some big websites have done so — such as bitly, Dropbox, GitHub, Gmail and Windows Live — where SSL is on by default.

Facebook has made incremental improvements by giving the users a choice to enable SSL for their account and by transitioning apps to SSL. Google will soon be securing searches, since the Google web history has been shown to be vulnerable to Firesheep.

Other sites are slowly making improvements, but not at the pace expected given the 1.9 million Firesheep downloads.

Tags: ,
Posted in SSL Deployment, Secure Browsing | Add Comment | No Comments »

Bruce Morton

Taming the BEAST

Tuesday, October 18th, 2011 | Bruce Morton

The BEAST’s reign of terror may soon be over. The more this topic is discussed, the less vulnerable we appear to be. Adrian Dimcev states in his blog, “Although the attack itself is pretty neat and the demo looks scary, its practicality is very low; the average user would probably not need to worry about.” Taher Elgamal, a creator of SSL, states that the BEAST attack is “technically clever,” but “very over-sold.”

Other industry experts, such as Ivan Ristić of SSL Labs and Steve Dispensa of PhoneFactor, offer their BEAST risk-mitigating strategies in their blogs, which mainly involves the prioritization of RC4 cipher suites. PhoneFactor provides a whitepaper detailing the approach and Microsoft has similar advice regarding RC4 on their post about Security Advisory 2588513.

The lesson of the BEAST is that implementers of SSL/TLS need to keep moving ahead and support the latest versions of the protocol to help mitigate the next BEAST. TLS 1.1 is more than five years old, not vulnerable to the BEAST attack, and yet is not ubiquitously supported by Web servers and browsers. If, as a result, TLS 1.1 and 1.2 achieve support in our SSL/TLS deployments, then the BEAST has served us well.

Tags: , , ,
Posted in SSL Deployment | Add Comment | No Comments »

Bruce Morton

Why Your Browser Matters

Thursday, October 13th, 2011 | Bruce Morton

Over the past couple of weeks, the Online Trust Alliance (OTA) and Microsoft have launched campaigns promoting the use of modern browsers. OTA’s campaign, “Why Your Browser Matters,” provides tools and resources to help website operators provide user education on the value of keeping browsers current.

What appears to be complementary to the OTA campaign is the Microsoft announcement of a new website, YourBrowserMatters.org. The site evaluates the browser being used and gives you a score from 0 to 4. IE8 scores 3, Chrome 14 scores 2.5, Firefox 7 scores 2, and IE9 scores a perfect 4. Opera and Safari are not supported by the site.

Some may suspect that the scoring system is largely tilted in Microsoft’s favor. On the other hand, the campaign complements another effort by Microsoft, The IE6 Countdown, which is dedicated to dropping the usage of Microsoft’s IE6. I like the line, “Friends don’t let friends use Internet Explorer 6. And neither should acquaintances.” I suppose Microsoft is taking advantage of promoting the tight integration between Windows 7 and IE9, to provide arguably the safest Windows browsing experience

The long and short of it is that your browser does matter. The latest version is undoubtedly more secure than an older version. And yes, some browsers are better than others, but this seems to shift from time to time as browser vendors play catch up.

Personally, I have always been an IE user, but switched to Chrome when IE9 was launched. Why? I also use Windows XP which does not support IE9. My thinking was that if I wanted to stay on the latest browser version, then I would have to switch to something that continues to support XP. I wonder how Microsoft missed that subtlety.

Tags: , , , , ,
Posted in Secure Browsing | Add Comment | No Comments »

« Older Entries