Thursday, March 4, 2010

SSL certificates - a case of daylight racketeering.

The dirty little 'secret' of the Internet is that in most networks all the computers on the same LAN as you receive the same data as you do, ignoring 'your' data by gentleman's agreement (unless a computer is running 'packet sniffing' software that does not abide by this agreement). It is very easy for a third party to listen to your Internet communications; far easier than to hack a computer between you and (for instance) your email server to launch a 'man in the middle' attack, standing between you and the web service. Every login form and every webmail interface can cheaply and easily be encrypted using SSL, closing at least this gaping security hole.

Unfortunately, what happened in practice is that some large businesses - certificate authorities - managed to subvert just about every browser (including Firefox) so as to display extremely scary warnings on sites which just want to use the encryption without paying hefty yearly sums of money for supposed verification and authentication - while displaying no scary warnings on far less safe sites which use no encryption whatsoever.
This bizarre browser behaviour of warning more scarily about safer sites has been done under the guise of pushing better security practices. While in theory better security would be a laudable goal, in practice what is being done is more of a negative campaign against acceptable security, preventing the use of any encryption on many sites you and I visit every day.

There are a zillion uses where we do not need a certificate authority but do need encryption. Routers, internet cameras, internet printers, and other internet appliances' web interfaces: on devices which you freaking bought yourself, you don't need any certificate authority, the key can be printed on the box.
All those small web services like free webmail, blogs, etc. which are presently unencrypted would still benefit from encryption. All sorts of small sites. A lot of login forms. Literally any site, if you don't feel good about government taps into the network (especially those done by a foreign government, see Echelon).

Even something as critical as my bank would also do better without a certificate authority, and indeed, with a different, simpler protocol. Many banks (my bank, for instance) give users password generator devices or cards, as well as an initial constant password (in an envelope). In person.
In a more sane universe, that device's passwords would have been used for crypto, ensuring at login both that you are yourself and that the bank's page is genuine. The password IS a shared secret after all. There's the SRP protocol, which is good for just that kind of thing. With SRP both ends of the connection must know the password; and when you log in using SRP you are not revealing the password in any way (login can only work if both sides know the password).
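To make the exchange concrete, here is an added sketch of one SRP-6a login (not code from this post or from any SRP library). The group parameters, the `enroll`/`login` names and the sample account are assumptions made for the demo; in SRP the server side keeps a verifier derived from the password rather than the password itself.

```python
import hashlib, hmac, secrets

# Demo group (assumption): N = Mersenne prime 2**521 - 1, g = 3. Production SRP
# uses the safe-prime groups standardised in RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts (ints are fixed-width big-endian)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(66, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

def Hi(*parts):
    return int.from_bytes(H(*parts), "big")

k = Hi(N, g)

def enroll(user, password):
    """Done once, e.g. when the bank hands over the password in person."""
    salt = secrets.token_bytes(16)
    x = Hi(salt, f"{user}:{password}".encode())
    return salt, pow(g, x, N)          # server stores (salt, verifier v)

def login(user, typed_password, salt, server_v):
    """One SRP-6a run; returns (server_accepts_client, client_accepts_server)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                  # client -> server: user, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * server_v + pow(g, b, N)) % N             # server -> client: salt, B
    u = Hi(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("degenerate public value, abort")
    # Client side: needs the typed password.
    x = Hi(salt, f"{user}:{typed_password}".encode())
    K_c = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K_c)                                 # client -> server: proof M1
    # Server side: needs only the stored verifier.
    K_s = H(pow(A * pow(server_v, u, N) % N, b, N))
    server_ok = hmac.compare_digest(M1, H(A, B, K_s))
    M2 = H(A, M1, K_s)                                # server -> client: proof M2
    client_ok = hmac.compare_digest(M2, H(A, M1, K_c))
    return server_ok, client_ok
```

Only `user`, `A`, `salt`, `B`, `M1` and `M2` cross the wire, and a site that does not hold the right verifier cannot produce an `M2` the client will accept.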

In reality, however... SSL and your browser do not require the server to know your password, but instead require the server's owner to do various paperwork and to pay money to a "Certificate Authority" whose key is "trusted" by the browser (i.e. included in the browser install). Asymmetrical cryptography indeed. The bank pays the Certificate Authority, who pays the browser developers, who don't and won't implement the SRP protocol.

The way SSL does logins goes contrary to the basic expectations of users. Users expect that the password they enter would be used somehow to encrypt the communication, making communications secure against any third party who does not know the password. After all, that's how ciphers work. It is very difficult to explain to users how SSL works, and not so much because users are stupid but because SSL is stupid. It makes no sense to use some devilishly clever math of asymmetric crypto and PKI stuff for password-protected login, where even ciphering using the secret password as key would've provided better authentication both ways [but would require long passwords, because an attacker can try a lot of passwords offline on the intercepted data. The SRP protocol solves that problem, preventing offline guessing].

The 'protection' certificate authorities can offer to the end user is clearly inadequate - a man in the middle can simply use plain http without SSL for the connection to the user; according to various studies (like this) about 90% of users do not pay attention to minor aberrations such as http instead of https and the absence of the tiny yellow padlock icon, even if told in advance that some samples will be fake. The real percentage for unsuspecting users would be even higher. (On top of that, the indicator totally sucks and it's immediately obvious that whoever came up with the indicator has no clue whatsoever. Up to 9% of males are colorblind with an inability to tell apart green, yellow, and red, and this alone is enough for phishing to be commercially viable. Imagine you're colorblind, you learn that white is non-secure and redyellowgreen is good, then you run into a suspected bad site. And it looks more similar to good than to non-secure.) Worse yet, a phisher can easily obtain a digital certificate under false credentials; the most dramatic examples include a random dude obtaining a VeriSign code signing certificate in Microsoft's name - not the same thing but funny nonetheless. While the absence of the yellow padlock implies absence of security, the presence of the padlock means nothing; training users to think "padlock = secure" would only make phishing more effective. Hackers do obtain digital certificates just fine.

For better arguments from a real security expert, read this excellent paper by Bruce Schneier.

To summarize: a more secure login technology, the SRP protocol*, does exist, and is already implemented as a library. Instead of supporting it, browser developers* play a silly game of making biggish corporations pay hefty sums yearly to display their address bar in green, making everyone else pay a smaller sum yearly for blue, and making those who are really cheap do a funny dance every 30 days to re-validate their 'free' certificate. Heck, even CAs' marketing slogans ("No More Abandoned Carts" for example) focus on the notion that if you don't pay money to get yourself a green address bar, you're losing customers.
[* browser developers are ultimately in control of the certificate business, deciding which certificate authorities are kosher]

(* for grammar nazis: P in SRP stands for password, so it's alright to say 'SRP protocol' but not 'SRP password')

[edit: correction. Evidently, there are one or two SSL authorities which are now trusted by most browsers and which give away free (as in free beer) certificates, requiring you to do a funny dance every 30 days to re-validate them or something. It's kind of uncertain where this whole thing is heading - will those certificates eventually show scary warnings as well? Will they start charging money for freebeer certificates?]
