Monday, December 29, 2008

Pruning the Browser's Web of Trust

Whether you like it or not, your browser has established a fairly robust web of trust in order to implement SSL. Root certificates are installed in your browser and are used to determine if a certificate has been issued by a trusted third party. Ever received the following error message? The error is generated because the certificate was issued by someone that is not in your root certificate list.

www.cacert.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

So who does your browser trust? Well, for starters, it depends on the browser. Internet Explorer and Mozilla have very different root certificates.

To view Internet Explorer's root certificates:
Go to Tools -> Options -> Content, then press the "Certificates" button and navigate to the "Trusted Root Certificate" tab.

For Mozilla:
Go to Tools -> Options -> Encryption, then press the "View Certificates" button and navigate to the "Authorities" tab.

First, you should notice that Internet Explorer has significantly fewer root certificates than Mozilla. In fact, Mozilla has some certificates that just scare me. AOL Time Warner? I don't want them to validate certificates for me!

But let's step back: what does the root certificate actually do for us as casual web users? Well, when you browse to an SSL site, the browser validates the certificate by performing checks such as ensuring that the domain name matches the domain name listed in the certificate and that the computer's date is within the validity period listed in the certificate. In addition, the browser checks whether the certificate was issued by a trusted third party. Since anyone can create a certificate, this check is especially important. Using OpenSSL, I can create a certificate for microsoft.com or any other website. However, the browser will detect that I, Michael Coates, am not listed within the trusted root certificates of the browser.

Now you should be thinking: what happens if Michael Coates were a trusted root certificate? Then he could issue certificates for any website to anyone, and your browser would happily trust the site. Goodbye trusted SSL!
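The checks described above, and the point that any root in the store can vouch for any site, as an added Go example (not code from the original post): a hypothetical root CA named "Hypothetical Example CA" is constructed in memory and issues a certificate for the constructed hostname bank.example; that one certificate is then verified against a store that still contains the CA, a store from which the CA has been pruned, a non-matching hostname, and a clock set past expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parentKey is nil) using a
// throwaway P-256 key generated in memory, and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify runs the checks the post lists: the issuer chains to a root in roots,
// the hostname matches, and now falls within the certificate's validity period.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// demo: a hypothetical root CA (constructed here) issues a certificate for
// bank.example, which is then checked against several trust stores and clocks.
func demo() (withCA, pruned, wrongHost, expired error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Hypothetical Example CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"bank.example"},
		Subject:  pkix.Name{CommonName: "bank.example"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := issue(leafTmpl, ca, caKey)
	trusted, prunedPool := x509.NewCertPool(), x509.NewCertPool() // prunedPool never gets the CA
	trusted.AddCert(ca)
	withCA = verify(leaf, trusted, "bank.example", now)     // nil: a root in the store can vouch for any site
	pruned = verify(leaf, prunedPool, "bank.example", now)  // UnknownAuthorityError: issuer not in the store
	wrongHost = verify(leaf, trusted, "other.example", now) // HostnameError: name does not match
	expired = verify(leaf, trusted, "bank.example", now.Add(48*time.Hour)) // CertificateInvalidError: expired
	return
}
```

The only difference between the first two results is whether the CA is present in the pool, which is exactly the decision pruning a root store makes.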

Luckily, I am not in your root certificate list. However, you should be questioning the root certificates that are listed. The holders of those certificates (i.e., VeriSign, Thawte, Comodo, etc.) can create and issue new certificates to anyone for any site, so you are trusting that the holders have sufficient policies and procedures to validate the identity of the requestor. Wouldn't you be concerned if a random individual could easily get a valid SSL certificate for a major website?

Now it's time to make some decisions - who do we really need to trust? Should we trust AOL? Should we continue to trust Comodo? Each root certificate means you are trusting whoever owns that certificate to properly validate the identity of anyone they issue a certificate to.

Personally, I think some pruning is needed. The security of my transactions with my banks is far more important than being able to establish secure sessions with sites using certificates from TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.

-Michael Coates