Ian G <ia...@iang.org> wrote in part..
>
> (I recall hearing that the Firefox
> software developers are already working on a more direct way to revoke a
> root, and other browsers seem to already have that control.)
In Chrome, it apparently is the two blacklists in the code here..
http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc
One being made up of server leaf certificates in
X509Certificate::IsBlacklisted(), the other CA root and intermediate certs in
X509Certificate::IsPublicKeyBlacklisted().
=JeffH
>In Chrome, it apparently is the two blacklists in the code here..
Yeah, I'd seen that one too. Some thoughts:
- There were *hundreds* of (known) bad certs issued, including quite probably
ones that we don't know about yet (see Diginotar's admission that it missed
fraudulent certs until they were discovered by members of the public).
- As with Comodogate, it's amusing to see that the browser vendors still don't
trust their own PKI-based revocation mechanisms, and fall back to the usual
admission-of-failure approach of pushing out an updated binary with known-bad
certs hardcoded into it that's been going on for at least the last ten years
(since the Verisign "Microsoft" certs in 2001).
Peter.
No hard evidence needed, it's an APT :)
>> In Chrome, it apparently is the two blacklists in the code here..
>
> Yeah, I'd seen that one too. Some thoughts:
>
> - There were *hundreds* of (known) bad certs issued, including quite probably
> ones that we don't know about yet (see Diginotar's admission that it missed
> fraudulent certs until they were discovered by members of the public).
Yeah well. The good thing about stuff we don't know is that it's easier
to believe it didn't happen ;)
> - As with Comodogate, it's amusing to see that the browser vendors still don't
> trust their own PKI-based revocation mechanisms,
Right. Some bright spark had it a while ago, revocation only works when
you don't need it.
> and fall back to the usual
> admission-of-failure approach of pushing out an updated binary with known-bad
> certs hardcoded into it that's been going on for at least the last ten years
> (since the Verisign "Microsoft" certs in 2001).
My earlier comments were more inspired by the fact that we now appear to
need revocation. Have we crossed that line?
This one looks aggressive, coz someone was using it to MITM someone.
That is after all the point of SSL, right? To stop the MITM ...
So we have a targeted CA-hacked cert, in the wild, used to actually do
an MITM of the target.
17 years later, we're out of demo territory, academic waffleland, trust
& lies, marketing science, phishing near-misses, known unknowns and
unknown knowns...
Now it gets serious.
For this reason, we should all expect that Mozilla & other vendors will
be developing their dynamic revocation features into Firefox family,
post haste.
Does anyone think this is a bad idea?
iang
Will Comodo be dropped also? :)
Regards,
Varga Viktor
IT Service and Customer Service Executive
Netlock Kft.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
This is a question [0] isn't it :)
We've got ComodoGate, StartGate, now NotarGate ...
http://www.informationweek.com/news/security/attacks/231600615
http://www.networkworld.com/news/2011/083111-hackers-may-have-stolen-over-250324.html
This is bigger than any CA. Call it TrustGate?
IMHO, we've now crossed the Rubicon. That special moment in the
lifecycle of a security system when it is challenged on its own turf
[1], and found wanting, evidence presented, shocking report at 7...
What we'll likely see now is a series of breaches at multiple levels to
acquire and misuse certs. We've seen compromises in the past, but what
makes this new is that we have evidence of an aggressive attack using
the cert.
Now we can count damages. And start to do real security calculations to
show if certs are worth any real money.
iang
[0] One of our questions is what is the procedure for this, on what
basis was the decision made? This process will need to be documented.
But for now, it is better to let people get on and deal with the short
term need of revoking the root.
[1] as opposed to bypassed or downgrade attacks like phishing.
I beg to differ - there was no StartGate. An attack and breach doesn't
make it a successful one.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Last I heard was, the cone of silence was still lowered over that one.
Begs & differs, salacious rumours, media speculation, advertising and
all that stuff.... Until we see full disclosure, I'd guess that's how
it is.
Anyone see it different?
iang
Not quite correct - it was clearly stated that no relying party was
affected. I think that makes it pretty clear, don't you think?
> Begs & differs, salacious rumours, media speculation, advertising and
> all that stuff.... Until we see full disclosure, I'd guess that's how
> it is.
You already have all the information you need to know. When there is
something to report, trust me you will know about it.
But actually let me help here a little bit, perhaps even shaping some
policies along the way....
Do you think it reasonable that CAs inform Mozilla in case certificates
have been mistakenly issued for a high profile brand (and perhaps also
banks and other financial institutions) and for whatever reasons? I'm
thinking something along the lines of Alexa top 500 or so.
Do you think it's reasonable that CAs inform Mozilla in case keys of
certificates for high profile brands have been compromised?
Do you think it's reasonable that CAs inform Mozilla in case
certificates have been mistakenly issued for low profile brands and
"meaningless" sites? Or do you think for such cases the current
revocation mechanisms are sufficient? Perhaps, do you think there might
be a limit for such mistaken issuance even for low-profile sites?
Do you think it's reasonable that CAs must have controls in place to
detect and prevent wrongful issuance of certificates for whatever reasons?
Do you think it's reasonable that CAs must have controls and procedures
in place for swift and proactive action in case attempts to obtain
certificates in a fraudulent way are made? And do you think it's
reasonable that CAs report such attempts to Mozilla?
I'd be glad for some answers if you may, I'll continue from there.
[snipped]
How do you define low-profile?
In the U.S., Bank of America and Wells Fargo are obviously high-profile.
But California United Bank has only 8 branches, all located in three
southern California counties.
Western Federal Credit Union is one of the largest in the U.S. with 15
or more branches in 8 states and the District of Columbia and thus might
be high-profile. What about Premier America Credit Union, which has 7
branches in two California counties and 2 branches in Texas?
Any financial institution, no matter how small and obscure, is
high-profile to its customers. The same is true of any merchant, not
merely Amazon.
--
David E. Ross
<http://www.rossde.com/>
On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.
How would you define it?
> In the U.S., Bank of America and Wells Fargo are obviously high-profile.
> But California United Bank has only 8 branches, all located in three
> southern California Counties.
Taking my initial question on high-profile brands and sites, I also
suggested banks and financial institutions. So low-profile wouldn't
apply to them in my opinion.
But you can certainly set your own criteria at the moment....
Yes.
> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?
I think it's reasonable for sites themselves to notify the browser, independent of what the CA does. But, I believe that the CA should notify Mozilla, preferably in an automated fashion.
> Do you think it's reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for low profile brands and "meaningless" sites?
> Or do you think for such cases the current revocation mechanisms are
> sufficient? Perhaps, do you think there might be a limit for such mistaken
> issuance even for low-profile sites?
Yes. We should all be equal before the law here, and the reaction should be standard, equal, and fair. Mozilla/Google should (as part of their safe browsing services) also provide OCSP or some other certificate revocation mechanism. They're already being used in ways that infringe on users' privacy, so for the users who choose to use those services there's no additional disclosure.
> Do you think it's reasonable that CAs must have controls in place to detect
> and prevent wrongful issuance of certificates for whatever reasons?
Yes.
> Do you think it's reasonable that CAs must have controls and procedures in
> place for swift and proactive action in case attempts to obtain certificates
> in a fraudulent way are made? And do you think it's reasonable that CAs report
> such attempts to Mozilla?
Yes, and yes. But.
I don't believe that any benefit derives from mandating that CAs do something necessarily proactive, unless there are adequate controls in Mozilla and its certificate revocation infrastructure to be able to deal with the results of failing to meet that mandate as a standard, regular occurrence.
In other words, I don't trust most of the CAs out there to keep themselves secure. I trust them to believe that they're secure, but not to proactively learn about new threats or even to have competent risk managers.
We need to figure out how to recover from CA control failure safely and routinely.
-Kyle H
Since we still have absolutely no idea what happened at StartSSL apart from
whatever it was being sufficient to shut down a major CA for some weeks, I
think it's justifiable to call this StartGate. If it hadn't been for the
public discovery of malicious certs, DiginotarGate (dammit, CAs should be
required to pick names that work better with -gate) wouldn't even have been
noticed, making it even less of a -gate than StartGate. And who knows how
many other breaches there have been that the CAs have successfully hushed up.
(Both ComodoGate and DiginotarGate were valuable in this respect, ComodoGate
for showing that browser vendors are willing to collude with CAs to cover up
breaches, and DiginotarGate for showing that CAs are willing to hush up
breaches more or less indefinitely until forced to disclose by external events
outside their control).
Peter.
Ian G <ia...@iang.org> writes:
>What we'll likely see now is a series of breaches at multiple levels to
>acquire and misuse certs. We've seen compromises in the past, but what makes
>this new is that we have evidence of an aggressive attack using the cert.
I wonder if we're going to see something like the four-minute-mile phenomenon,
until Roger Bannister did it, it was thought to be impossible, but once he'd
proven it was possible an avalanche of others followed his lead. So now that
we've had repeated public cases showing you can own a CA, will others follow?
(Two possible counterarguments: (1) For all we know this has been going on
forever, but no-one's ever noticed since the CAs, in some cases in collusion
with the browser vendors, have kept quiet and hoped no-one would notice, and
(2) Since the value provided by browser PKI is near zero, there's no point to
owning a CA for commercial attackers, so few will bother apart from hackers
showing off).
Peter.
Diginotar were also quite clear that no relying party was affected. Until one
was.
>You already have all the information you need to know.
... and given the situation with Comodo and Diginotar, to be safe we have to
assume the worst based on this lack of information.
Peter.
Thanks Kyle for participating in my little survey. I'll wait for the
answers from Ian for full comment...
>I saw the new update (6.0.1), and nice to see, that the root was dropped.
>
>Will Comodo be dropped also? :)
Nope, they're Too Big To Fail, and like other equivalent CAs can do whatever
they want without repercussions. The affected Diginotar CA OTOH had only
issued about 700 certs in total, and there were at least 200-250 fraudulent
ones (and possibly many more yet to be discovered), so they were small enough
to fail.
As Lucky Green pointed out in a posting on another list, we now at least have
a lower bound for how small a CA has to be to be pulled by browser vendors (or
possibly how big a catastrophe it has to be involved in, since a quarter or
more of all its certs are fraudulent).
Peter.
I think that's too easy - Comodo was proactive in detection and
disclosure of the mistakenly issued certificates. I think there is a
huge difference also in the extent of the incident. Plus they have a big
market share which is certainly a valid argument too.
But look what's going on over in the Netherlands, the impact there
could be much bigger than just server certificates.
Er, no? Clear as mud, to me: there is no consistent definition of
"relying party" [0] so what escaped out of the cone of silence sounded
to me like "mumble, mumble, rhubarb, mumble."
Was Mozilla informed? Because, they are a relying party? Other CAs?
What Peter said, with added salt & liability?
>> Begs & differs, salacious rumours, media speculation, advertising and
>> all that stuff.... Until we see full disclosure, I'd guess that's how
>> it is.
>
> You already have all the information you need to know. When there is
> something to report, trust me you will know about it.
Other than the fact that a CA saying "trust me" is sooooo 1990s ... if
you're serious about that -- we should trust the CA in compromise? -- I
think you owe at least Comodo the mother of all apologies for all the
abuse loaded on them over the years?
iang
[0] depending on your religion, "relying party" means one of:
everyone who uses a browser,
one tiny buried list of contract parties (see Steve's comments), or
Mozilla.
As I say, it's a religious thing.
If you would bother to answer my questions from the little survey I can
help you a bit further.
What do you know?
> -- I think you owe at least Comodo the mother of all apologies for all
> the abuse loaded on them over the years?
Abuse? I was the one warning them amongst others. But you can ask them
if they feel I should do that - I believe not.
Ian, I'm keen to get your honest answers to my questions...here they are
again (updated with David's suggestion):
Do you think it reasonable that CAs inform Mozilla in case certificates
have been mistakenly issued for a high profile brand (and perhaps also
banks and other financial institutions) and for whatever reasons? I'm
thinking something along the lines of Alexa top 500 or so.
Do you think it's reasonable that CAs inform Mozilla in case keys of
certificates for high profile brands have been compromised?
Do you think it's reasonable that CAs inform Mozilla in case
certificates have been mistakenly issued for low profile brands and
"meaningless" sites (which excludes financial institutions)? Or do you
think for such cases the current revocation mechanisms are sufficient?
Perhaps, do you think there might be a limit for such mistaken issuance
even for low-profile sites?
Do you think it's reasonable that CAs must have controls in place to
detect and prevent wrongful issuance of certificates for whatever reasons?
Do you think it's reasonable that CAs must have controls and procedures
in place for swift and proactive action in case attempts to obtain
certificates in a fraudulent way are made? And do you think it's
reasonable that CAs report such attempts to Mozilla?
--
I'll play :) but apologies in advance, wet blanket warning /!\
The answer depends on whose perspective. So, picking one set of
assumptions [&] at random, here's an answer:
No way, Jose! Not with our non-profit browser Foundation
that serves a public of 250 million parties, dependent
on the survival of the Foundation. Thanks but *NO Thanks* .
that said, onwards.
> Do you think it reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for a high profile brand (and perhaps also
> banks and other financial institutions) and for whatever reasons? I'm
> thinking something along the lines of Alexa top 500 or so.
No. It's definitely not reasonable, prima facie [0].
From the pov of a vendor, and Mozilla especially:
It has dramatic implications for liability, among other things. And, as
there is no strong contract between the CA and this vendor as yet [1]
the vendor should seek legal advice on the ramifications before they accept
any liability shifting.
Or, show me the liability clause in the contract?
Also, we (Mozilla) have just managed to clear up own direct liability
with own contract to users, still young at 2 years ... it's not
tactically prudent to go mucking up the waters so quickly (IMHO).
> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?
No, as above, prima facie. This is between the CA and the brand, their
contract will rule this. The CA is *the authority*. It should simply
pay damages out to the brand. Solved.
Unless, one concedes that the arrangement between the CA and the brand
is insufficient, in some sense?
If you're prepared to concede that, then our (Mozilla's) answer should be
"sure, let's talk. But it'd better be good....."
If conceded, the entire concept of *CAs as authorities* , audits,
revocation, vendors, relying parties, contracts, liability, and so forth
and so on ad nauseam is now undermined. Mozilla will need serious
answers to serious questions.
Pandora's box?
> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and
> "meaningless" sites.
No (ditto).
> Or do you think for such cases the current
> revocation mechanisms are sufficient?
(Mozilla's Lawyer speaks with firmness:) liability is your problem not
ours! If you have a problem with the mechanism, go talk to PKIX.
(That's what Mozilla tells us :P )
(snip)
> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?
These are risk management and/or compliance questions. As they seem to
be a change in topic, I'll defer answering... <snip>
> And do you think it's
> reasonable that CAs report such attempts to Mozilla?
No.
> I'd be glad for some answers if you may, I'll continue from there.
So, as I mentioned above, pick another set of assumptions and get a
different answer. Whose interest are we protecting today?
The second big issue with all this "reasonableness" is that it questions
the sanctity of the CA, according to the PKI bible.
Such "reasonableness" hides a shift for the entire industry into a
position where, because we failed, all players now must cooperate and
work together on breaches, and/or seek some protection from some big
umbrella player e.g. Mozilla, and/or whatever other liability shifting
can be conducted.
Now, some have said that has to happen anyway [2]. But (a) we're not
seeing the climb-down necessary:
"ok, we were wrong, now what?"
It's not being merely nitpickity and toldyasoish - Peter was right to
point it out, I just had to think it out.
There is no point in talking about bringing the vendor in to the
responsibility trap unless we all fully accept that the CA-client
relationship is Fundamentally Broken. Nobody wants to be complicit in
hiding that rot, because it results in the mother of all liability shifts.
We're talking real money now. We crossed the Rubicon. Major world
brand [3]; we're not talking small beer.
Also, (b) there is no institution anywhere here or close that can be
trusted to deal with these proposals properly [4].
iang
[&] Including, I'm assuming "inform Mozilla" means "inform only
Mozilla" as opposed to "full and open disclosure which also informs
Mozilla."
[0] by that, I mean, without some other very careful strong elements,
about which it is unlikely that anyone knows about.
[1] by strong contract, I mean a single purpose-written document.
There is a contract, it's just not that.
[2] Maybe me included. I among many others proposed the inter-CA
approach on falsely issued certs around 2005 I guess...
[3] The cost of the Sony hacks was around $150m? What's the issuance
of a false Google or Amazon cert worth in costs? How much did the RSA
hack cost?
[4] Scratch CABForum, wrong structure.
Thanks for the warning, unfortunately I can't do anything with your
answers. They don't make any sense for me.
So perhaps somebody else would like to give some straight answers on my
questions? Perhaps Gerv or another representative of Mozilla can join in
and provide insight about what they consider reasonable for the cases I
mentioned in my little survey?
On 2/09/11 9:34 AM, Eddy Nigg wrote:
> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?
Either you comply with a control that is imposed from on-high (BR has
such a control IIRC), or, you have a risk management process (again BR)
that answers that question, whether/why/how.
That said, imho: it's highly likely that risk management will say yes.
There's gotta be some controls, otherwise, what does a cert mean if it
is not checked?
(Maybe you have in mind a certain sort of control, or a certain
definition of wrong?)
> Do you think it's reasonable that CAs must have controls and procedures
> in place for swift and proactive action in case attempts to obtain
> certificates in a fraudulent way are made?
Logic, ditto.
Risk control: much less likely to be in place, c.f., spam. Compliance:
you're half way to hell already, no reasonableness argument need apply.
> And do you think it's
> reasonable that CAs report such attempts to Mozilla?
No, Mozilla ain't anyone's IDS.
iang
Thanks Ian, those answers made some more sense to me in relation to the
questions I asked. I'll wait for some further input....
....and continue from there.
Walk in with your CPS. Read out these words to Mozilla, to all of us:
Liability
StartCom gives no guaranties whatsoever.... The
certification services are operated ... without
any warranty. Relying parties ... are solely
responsible ... and therefore shall bear the
legal consequences.... Under no circumstances ....
shall StartCom ... *be liable* ....
http://www.startssl.com/policy.pdf
Mozilla nods. Mozilla reads out its no-liability statement, taken from
its Firefox user agreement.
You nod. Everyone does the same thing. We all nod. We all agree.
Now, we can all have a reasonable discussion. Now, we're not afraid.
Read on...
On 2/09/11 9:34 AM, Eddy Nigg wrote:
> On 09/01/2011 10:22 PM, From Eddy Nigg:
>> You already have all the information you need to know. When there is
>> something to report, trust me you will know about it.
>
> But actually let me help here a little bit, perhaps even shaping some
> policies along the way....
>
> Do you think it reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for a high profile brand (and perhaps also
> banks and other financial institutions) and for whatever reasons? I'm
> thinking something along the lines of Alexa top 500 or so.
>
> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?
>
> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and
> "meaningless" sites? Or do you think for such cases the current
> revocation mechanisms are sufficient? Perhaps, do you think there might
> be a limit for such mistaken issuance even for low-profile sites?
>
> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?
>
> Do you think it's reasonable that CAs must have controls and procedures
> in place for swift and proactive action in case attempts to obtain
> certificates in a fraudulent way are made? And do you think it's
> reasonable that CAs report such attempts to Mozilla?
>
Ian, you are not even worth answering in seriousness, you have
no clue about anything you talk about. I will talk with people who
appear to be normal and are able to give a normal answer to a normal
question. Keep your politics out of here if possible.
As such you can learn about liability and negligence with DigiNotar,
just follow the news.
Oh, and by the way I will not discuss with you nor with anybody else
legal aspects and liability issues of our policy - except in case a
binding framework and requirements are established by Mozilla, be it
through policy or otherwise.
> What we'll likely see now is a series of breaches at multiple levels
> to acquire and misuse certs. We've seen compromises in the past, but
> what makes this new is that we have evidence of an aggressive attack
> using the cert.
How so? TLS with the most widely used cipher suites provides precious
little evidence.
Thanks,
M.D.
--
M.D.
Cell: +370-699-26662
Thanks! That makes the case elegantly. We're in total agreement then:
Under no circumstances ....
shall StartCom ... *be liable* ....
http://www.startssl.com/policy.pdf
You declare that your liability is zero.
As long as you are happy with that, you do not really need to discuss
it. There's nothing to discuss. The Gordian knot is cut.
> except in case a
> binding framework and requirements are established by Mozilla, be it
> through policy or otherwise.
+1. Let's do it! [0] It's pretty clear that no CA nor vendor will
talk about it until it is established by policy.
Then, as long as vendors and CAs agree (e.g., you & Mozilla and the
lawyers), it becomes entirely reasonable to have a discussion about
reducing risks.
However, without that agreement, liabilities may be being shifted under
the covers...
In which case, you and Mozilla and everyone else here are advised VERY
LOUDLY to NOT discuss AT ALL any implications to your liabilities.
As you say.
iang
[0] Long thread somewhere around here:
"BR17.1 - Liability MUST be fully disclaimed."
http://groups.google.com/group/mozilla.dev.security.policy/msg/c7a37faf658ce757
[1] lawyers to work out the details in BR...
[2] lawyers will tell you the details...
http://webwereld.nl/nieuws/107826/-maak-geheimhouden-hack-diginotar-strafbaar-.html
>http://webwereld.nl/nieuws/107826/-maak-geheimhouden-hack-diginotar-strafbaar-.html
Interesting:
Het bewust niet bekendmaken van digitale inbraken die mensenlevens in gevaar
brengen, zoals bij DigiNotar, moet strafbaar worden gesteld. De directe
meldingsplicht moet in de wet worden opgenomen.
which is (approximately):
Deliberately concealing intrusions [that endanger human lives] as Diginotar
did must be made an offense. Mandatory breach notification must be made
law.
So since the browser vendors have chosen to ignore this, governments are going
to step in and regulate instead. I'm not sure that that's going to lead to an
optimal result...
(OK, the story is quoting an MP so it may be just political posturing, but
let's wait and see).
Peter.