Monday, December 29, 2008

Pruning the Browser's Web of Trust

Whether you like it or not, your browser has established a fairly robust web of trust in order to implement SSL. Root certificates are installed in your browser and are used to determine if a certificate has been issued by a trusted third party. Ever received the following error message? The error is generated because the certificate was issued by someone that is not in your root certificate list.

www.cacert.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)
So who does your browser trust? Well for starters, it depends on the browser. Internet Explorer and Mozilla have very different root certificates.

To view Internet Explore Root Certs:
Go to Tools -> Options -> Content , now press the "certificates" button and navigate to the "Trusted Root Certificate" tab




For Mozilla:
Go to Tools -> Options -> Encryption, now press the "view certificates" button and navigate to the "Authorities" tab



First you should notice that Internet Explorer has significantly less root certificates than Mozilla. In fact, Mozilla has some certificates that just scare me. AOL Time Warner? I don't want them to validate certificates for me!

But let's step back, what does the root certificate actually do for us as the casual web browser? Well, when you browse to an SSL site, the browser will validate the certificate by performing checks such as ensuring the domain name matches the domain name listed in the certificate and that the computer's date is within validity period listed in the certificate. In addition, the browser will check if the certificate was issued by a trusted third party. Since anyone can create a certificate, this is especially important. Using OpenSSL, I can create a certificate for microsoft.com or any other website. However, the browser will detect that I, Michael Coates, am not listed within the trusted root certificates of the browser.

Now you should be thinking, what happens if Michael Coates was a trusted root certicate? Then he could issue certificates for any website to anyone and your browser would happily trust the site. Goodbye trusted SSL!

Luckily, I am not in your root certificate list. However, you should be questioning the root certificates that are listed. Since the holder of those certificates (ie verisign, thawte, comodo, etc) can create and issue new certificates to anyone for any site. You are trusting that the holders have sufficient policies and procedures to validate the identity of the requestor. Wouldn't you be concerned if a random individual could easily get a valid SSL certificate for a major website?

Now it's time to make some decisions - who do we really need to trust? Should we trust AOL? Should we continue to trust Comodo? Each root certificate means you are trusting whoever owns that certificate to properly validate the identity of anyone they issue a certificate to.

Personally, I think some pruning is needed. The security of my transactions with my banks is far more important than being able to establish secure sessions with sites using certificates from TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.

-Michael Coates

5 comments:

  1. Very informative and reads easily. I need to dig up my "roots" and see if something is rotten in Denmark. Nice work.

    ReplyDelete
  2. I have a question regarding certificate verification by the browser. When browser receives new certificate from a new site, does it goes one-by-one through all the root CA certificates or there is a mechanism by which it can identify which is the corresponding root CA certificate?

    ReplyDelete
  3. The certificate contains the issuing CA in plaint text. Therefore the browser just searches through the trusted root for that CA name. Now, I'm not sure the search algorithm which is used, but we can hope its not a linear search. Either way, the typical trusted root repository contains a small number of entries. So even a linear search would be quite fast.

    ReplyDelete
  4. Don't get tricked by what you see above listed from IE. The list is bigger.
    Get it from here:
    http://support.microsoft.com/kb/931125

    And yes, IE trusts CNNIC too. :)
    Oh, and what's the difference between America Online Root Certification Authority(1 and 2) and AOL Time Warner Root Certification Authority (1 and 2) ? :)

    Cheers!
    Adrian

    ReplyDelete
  5. When you combine the massive list of possible places to get a completely valid certificate with the horrible application designs around SSL its really a wonder that we have any trust that the communication is transmitted securely.

    In fact, I would argue that the only thing saving us from a massive attack on this front is that it can't really be exploited remotely. You have to get into the path of communication via MitM.

    But, I really have no doubt that the average user would always be compromised by any knowledgeable attacker executing MitM against SSL. There are just too many ways to trick the user.

    Kind of sad isn't it. The main purpose of SSL is to provide that guarantee and yet I don't believe we have that at all.

    ReplyDelete

Note: Only a member of this blog may post a comment.