
Re: Trouble at StartCom?


Peter Gutmann

Jul 17, 2011, 12:58:26 PM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:

>Since no relying party has been affected in any way I believe no further
>action or information is necessary

So we have an incident serious enough to completely shut down a major CA for,
what was it, two weeks, and the only explanation is "Nothing to see here, move
along". How can anyone still take this neverending security theatre seriously
any more? We really should just let Honest Achmed run things, at least he's
honest about what's being provided for his customers.

(Bit of a rant, but it had to be said. To quote David Ross' recent posting,
"Trust requires transparency, not secrecy". When you take the "trust" out of
"trusted third party", what's left is a plain protection racket, "pay us money
or your customers will be scared away").

In the meantime I guess we can keep trusting StartCom to issue certs to people
like https://secondzion1.com/. I believe no further action or information is
necessary. We get the picture.

Peter.

Eddy Nigg

Jul 17, 2011, 2:24:05 PM
to mozilla-dev-s...@lists.mozilla.org
On 07/17/2011 07:58 PM, From Peter Gutmann:

>
> So we have an incident serious enough to completely shut down a major CA for,
> what was it, two weeks, and the only explanation is "Nothing to see here, move
> along".

I'm trying to remember, but I don't recall that I have to report to you,
do I? Also it's at the sole discretion of the CA to shut certificate
issuance for as long as it wants whenever it wants for whatever reason.

> How can anyone still take this neverending security theatre seriously
> any more?

Why don't you look at it the other way around: here is a CA that took a
threat seriously enough to take the measures it deemed necessary, even at
the price of forgoing ongoing revenues for a while.

More than that, if no relying party was harmed whatsoever, what are you
complaining about? Isn't this exactly what you would expect?

> We really should just let Honest Achmed run things, at least he's honest about what's being provided for his customers.

I'm probably missing the point you are trying to make.

> In the meantime I guess we can keep trusting StartCom to issue certs to people
> like https://secondzion1.com/. I believe no further action or information is
> necessary. We get the picture.

Yes, which picture exactly?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Kyle Hamilton

Jul 17, 2011, 2:42:38 PM
to Peter Gutmann, eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Peter,

On Sun, Jul 17, 2011 at 9:58 AM, Peter Gutmann
<pgu...@cs.auckland.ac.nz> wrote:
>
> In the meantime I guess we can keep trusting StartCom to issue certs to people
> like https://secondzion1.com/.  I believe no further action or information is
> necessary.  We get the picture.

That's a low blow.

The only thing that the secondzion1.com certificate implies is that
the CA's procedures for verifying domain ownership/control were
followed. It's a Class 1, non-personally-identified, non-wildcard
certificate. It's the same kind that anyone can get, in an automated
manner and for no monetary cost, from StartCom.

Obtaining a free certificate under an automated domain-control system
from a CA which started its Class 1 product specifically to address
the complaint that certificate authorities operate to extort money
from site owners... well, it does not and (in the hypothetical
rose-tinted world that doesn't involve Apple or other corporate walled
gardens preventing the marketplace from buying or selling the things
that they have to trade) cannot imply any kind of endorsement or
agreement of the site's goals, motives, or content by the CA or its
management.

The alternative to sites like that being able to get certificates is
to prevent sites like that from being able to get certificates, which would
mandate that every CA implement Apple's App Store censors -- and which
I believe violates the human right to freely, securely, and privately
communicate with each other.

That said, I think a statement why StartCom found it necessary to stop
operations for several weeks is indeed appropriate and indicated.
Specifically, if we could get a sense as to why a major CA would
suspend operations for several weeks, we'd maybe actually (gasp!) have
a better understanding of why we should be trusting them.

-Kyle H

Eddy Nigg

Jul 17, 2011, 3:39:33 PM
to mozilla-dev-s...@lists.mozilla.org
On 07/17/2011 09:42 PM, From Kyle Hamilton:

>
> That's a low blow.

This site isn't even listed at Google SafeBrowsing or other similar
services, so it's hard to deny or even detect any wrong-doing.

> It's the same kind that anyone can get, in an automated
> manner and for no monetary cost, from StartCom.

Probably you might want to add, not only from StartCom but a bunch of
other CAs too - with and without payment.

> That said, I think a statement why StartCom found it necessary to stop
> operations for several weeks is indeed appropriate and indicated.
>

Before it gets from already several weeks to several months, let's keep
to the facts, because it was exactly eight (8) days. Anyway, relevant
information to the extent necessary has been reported to the public at
our web site.

David E. Ross

Jul 17, 2011, 4:55:55 PM
to mozilla-dev-s...@lists.mozilla.org
On 7/17/11 12:39 PM, Eddy Nigg wrote:
> On 07/17/2011 09:42 PM, From Kyle Hamilton:
>>
>> That's a low blow.
>
> This site isn't even listed at Google SafeBrowsing or other similar
> services, so it's hard to deny or even detect any wrong-doing.
>
>> It's the same kind that anyone can get, in an automated
>> manner and for no monetary cost, from StartCom.
>
> Probably you might want to add, not only from StartCom but a bunch of
> other CAs too - with and without payment.
>
>> That said, I think a statement why StartCom found it necessary to stop
>> operations for several weeks is indeed appropriate and indicated.
>>
>
> Before it gets from already several weeks to several months, let's keep
> to the facts, because it was exactly eight (8) days. Anyway, relevant
> information to the extent necessary has been reported to the public at
> our web site.
>

Where on your site?

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Eddy Nigg

Jul 17, 2011, 5:20:19 PM
to mozilla-dev-s...@lists.mozilla.org
On 07/17/2011 11:55 PM, From David E. Ross:
> Where on your site?

All pages during this period had this message.

Ian G

Jul 17, 2011, 7:53:25 PM
to Kyle Hamilton, eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org, Peter Gutmann
On 18/07/11 4:42 AM, Kyle Hamilton wrote:
> Peter,
>
> On Sun, Jul 17, 2011 at 9:58 AM, Peter Gutmann
> <pgu...@cs.auckland.ac.nz> wrote:
>>
>> In the meantime I guess we can keep trusting StartCom to issue certs to people
>> like https://secondzion1.com/. I believe no further action or information is
>> necessary. We get the picture.
>
> That's a low blow.
>
> The only thing that the secondzion1.com certificate implies is that
> the CA's procedures for verifying domain ownership/control were
> followed. It's a Class 1, non-personally-identified, non-wildcard
> certificate. It's the same kind that anyone can get, in an automated
> manner and for no monetary cost, from StartCom.

OK, I feel excessively tired and dopey at the moment and would ask that
y'all check my logic.

Would this fit into BR 11.5 High Risk Status? Have additional
verifications & precautions been taken?

Is there an implication under 8.1(1) ?

> Obtaining a free certificate under an automated domain-control system
> from a CA which started its Class 1 product specifically to address
> the complaint that certificate authorities operate to extort money
> from site owners... well, it does not and (in the hypothetical
> rose-tinted world that doesn't involve Apple or other corporate walled
> gardens preventing the marketplace from buying or selling the things
> that they have to trade) cannot imply any kind of endorsement or
> agreement of the site's goals, motives, or content by the CA or its
> management.

OK and (leaping onto hobby horse here) assuming that we have zero
liability in place at the CA in question, no harm can come to any
parties then ?

> The alternative to sites like that being able to get certificates is
> to prevent sites like that from being able to get certificates, which would
> mandate that every CA implement Apple's App Store censors -- and which
> I believe violates the human right to freely, securely, and privately
> communicate with each other.


So, it's out of scope for us to police and moralise over our customers?
OK, I see that. I fully agree with the libertarian agenda of full and
free trade with all comers...

There is the little thing about it being presumptively against the law
to trade in CVVs, but maybe such things and their accessories are
dispensed with in Second Zion.

I'm curious what CABForum thinks. Is there any email address we can ask
CABForum what they think about supporting a group that they were
nominally formed to combat?

Is it not ironic that we would issue certs to people whose modus
operandi is the MITMs against our MITM-conscious customers?

iang

Peter Gutmann

Jul 18, 2011, 9:18:34 AM
to mozilla-dev-s...@lists.mozilla.org, nob...@nowhere.invalid
"David E. Ross" <nob...@nowhere.invalid> writes:

>Where on your site?

The information has been on display at the local planning office for the last
nine months, in the display department in the cellar, at the bottom of a
locked filing cabinet stuck in a disused lavatory with a sign on the door
saying "Beware of the Leopard".

Peter.

Peter Gutmann

Jul 18, 2011, 9:10:23 AM
to aero...@gmail.com, pgu...@cs.auckland.ac.nz, eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Kyle Hamilton <aero...@gmail.com> writes:

>That's a low blow.

It was really meant more as a criticism of browser vendors than of CAs, see
below.

>The only thing that the secondzion1.com certificate implies is that the CA's
>procedures for verifying domain ownership/control were followed.

Sure, CAs aren't in business for their health, they're in business to return a
profit to shareholders. The way to do this is to minimise expenses (the less
checking you do, the better) and maximise revenue (the more certs you sell,
the better). I'm not faulting them for that, it would be economically
irrational to run your business in any other manner.

However, since the sole statement that a certificate makes is that the CA
(probably) followed their documented procedure and that they (usually)
received payment, this is what users should be told. I have never, ever seen
any browser or any CA's web site tell me this (except Honest Achmed, who was
rejected by Mozilla for being too honest about the service he was providing).
Instead, there's endless repetition of "trust", "trusted", "secure", "safe",
"trust", "trust", and more "trust".

The problem isn't really the CAs, it's the browser vendors. According to the
browser vendors, the only thing that can indicate "goodness" for a site is
whether they've got a certificate. No matter how diligent and scrupulous a CA
is in checking sites, the browsers treat their certs identically to the most
negligent, unscrupulous CA of the lot (which incentivises the race to the
bottom that we've already seen). What's more, any browser will happily take
users to a site claiming to belong to a major bank that's hosted on a botnet
running on a Windows XP Home machine in Kazakhstan and that contains drive-by
Javascript-driven malware (pretty much every warning sign you can think of),
but the only time they'll bother raising an alarm is if the site contains a
non-commercial-CA-signed certificate. Even worse, the browsers have blocked
any other security mechanisms like EKE that might threaten the CA's business
model (see the recent discussion of this on the randombit crypto list).

So we have CAs acting in a manner that's economically rational for the CA, and
the browser vendors acting to protect the CA's business model at any cost.
That's a fatal combination, and the only winners are the phishers (well, and
the CA stockholders too, as long as the browser vendors keep playing ball).

Peter.

Jean-Marc Desperrier

Jul 19, 2011, 1:13:57 PM
to mozilla-dev-s...@lists.mozilla.org
David E. Ross wrote:
>> > Before it gets from already several weeks to several months, let's keep
>> > to the facts, because it was exactly eight (8) days. Anyway, relevant
>> > information to the extent necessary has been reported to the public at
>> > our web site.
>> >
> Where on your site?

Peter and I quoted here the message that was on the site on 20/6:
Due to a security breach that occurred at the 15th of June, issuance
of digital certificates and related services has been suspended. Our
services will remain offline until further notice.

Subscribers and holders of valid certificates are not affected in any
form. Visitors to web sites and other parties relying on valid
certificates are not affected.

There was also the interview with The Register:
http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

As I said back then :
We need an account of what happened to assess by ourselves if this
really holds true.


Eddy Nigg

Jul 19, 2011, 4:53:41 PM
to mozilla-dev-s...@lists.mozilla.org
On 07/19/2011 08:13 PM, From Jean-Marc Desperrier:

>
> As I said back then :
> We need an account of what happened to assess by ourselves if this
> really holds true.
>

Really? What exactly do you imply with that? Can you elaborate?

Ian G

Jul 19, 2011, 5:20:28 PM
to mozilla-dev-s...@lists.mozilla.org
On 20/07/11 6:53 AM, Eddy Nigg wrote:
> On 07/19/2011 08:13 PM, From Jean-Marc Desperrier:
>>
>> As I said back then :
>> We need an account of what happened to assess by ourselves if this
>> really holds true.


Jean-Marc, put yourself in the shoes of the CA business. It is going to
say as little as possible, guaranteed!

The reasons are twofold - bad news scares away customers, and, claims
made in public can later be used against it in court.

The latter part is ye olde liability thing again. As liability is
uncertain, no CA or vendor is going to comment on it. Any comment can
be turned by a clever lawyer into an admission of liability [0]

> Really? What exactly do you imply with that? Can you elaborate?


Your incentives are based on the liabilities and risks to your CA.
Jean-Marc is concerned about the risks and liabilities of the Mozilla
users. There may not be an intersection.

iang


[0] e.g., Have a look at those slides that Steve posted, at the end
there is a clever argument that the CA admits risk to the end-user in
the CPS and this is the basis for tort. (Don't rely on my comments tho,
it was from slides, very brief, and I wasn't totally sure that was what
the author was trying to say.)

Ralph Holz (TUM)

Jul 20, 2011, 8:24:51 AM
to mozilla.dev.s...@googlegroups.com, eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org, Kyle Hamilton, Peter Gutmann
Good day,

> I'm curious what CABForum thinks. Is there any email address we can ask
> CABForum what they think about supporting a group that they were
> nominally formed to combat?
>
> Is it not ironic that we would issue certs to people whose modus
> operandi is the MITMs against our MITM-conscious customers?

I just wish G+ enabled me to set a +1 for this in their Groups Web interface.

Ralph

Peter Gutmann

Jul 22, 2011, 9:38:51 AM
to aero...@gmail.com, dev-secur...@lists.mozilla.org, jmd...@gmail.com
Kyle Hamilton <aero...@gmail.com> writes:

>Remember, this is Eddy Nigg, the main CA professional who spends his time
>delving through the CPSes of CAs in the queue. He's shown time and time
>again that he's willing to 1) call out his biases publicly, 2) try to make
>the certification infrastructure stronger, and 3) hold people/entities
>accountable for their violations. He has shown himself to be reasonable and
>level-headed on multiple occasions, and has exhibited nothing at all except
>good faith in his participation in this group.

And that's what makes the "nothing to see here, move along" response in this
case so unusual. Is he being actively prevented from saying anything? In
other words could we be experiencing the scenario that Soghoian and Stamm
discussed last year?

Peter.

Ian G

Jul 22, 2011, 10:15:23 AM
to dev-secur...@lists.mozilla.org
On 22/07/11 11:38 PM, Peter Gutmann wrote:

> And that's what makes the "nothing to see here, move along" response in this
> case so unusual. Is he being actively prevented from saying anything? In
> other words could we be experiencing the scenario that Soghoian and Stamm
> discussed last year?

If it is a choice between "I can't say anything, wink wink, nudge
nudge!" and total transparency of breaches, dull disclosure, then I'll
vote the latter every time.

The former doesn't pass the laugh test. If such a thing were in place,
every CA would invoke it every time. So we'd never hear a thing. Back
to square 0.

I don't see the mystery at all. The CA concerned is a CA. Its
incentives are simple: say nothing. Deny all. Every mistake in public
costs reputation, every hit to reputation costs sales. Every other CA
acts this way, why do we expect an exception?

Meanwhile, back to the breach disclosure question: what do we do?

Full disclosure? To the vendors? To CABForum? To the world? To the
affected users? To the affected RPs? Subscribers? Auditor?

And, what do they do with that info?

iang

Rob Stradling

Jul 22, 2011, 11:00:26 AM
to dev-secur...@lists.mozilla.org, Ian G
On Friday 22 Jul 2011 15:15:23 Ian G wrote:
> On 22/07/11 11:38 PM, Peter Gutmann wrote:
> > And that's what makes the "nothing to see here, move along" response in
> > this case so unusual. Is he being actively prevented from saying
> > anything? In other words could we be experiencing the scenario that
> > Soghoian and Stamm discussed last year?
>
> If it is a choice between "I can't say anything, wink wink, nudge
> nudge!" and total transparency of breaches, dull disclosure, then I'll
> vote the latter every time.
>
> The former doesn't pass the laugh test. If such a thing were in place,
> every CA would invoke it every time. So we'd never hear a thing. Back
> to square 0.
>
> I don't see the mystery at all. The CA concerned is a CA. Its
> incentives are simple: say nothing. Deny all. Every mistake in public
> costs reputation, every hit to reputation costs sales. Every other CA
> acts this way, why do we expect an exception?

Ian, do you seriously believe that every CA always says nothing and denies
everything about "mistakes"?

After the hack on a Comodo Reseller/RA back in March, my bosses moved swiftly
to notify the major browser providers. As I understand it, a joint decision
was reached to keep quiet for ~1 week whilst patches were written. After
that, my bosses published blog articles and an incident report.

Yes, it hurt our reputation and it may well have hurt our sales figures.

No, we absolutely did not say nothing and deny everything.

<snip>

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Ian G

Jul 22, 2011, 11:46:09 AM
to mozilla-dev-s...@lists.mozilla.org
On 23/07/11 1:00 AM, Rob Stradling wrote:
> On Friday 22 Jul 2011 15:15:23 Ian G wrote:

>> I don't see the mystery at all. The CA concerned is a CA. Its
>> incentives are simple: say nothing. Deny all. Every mistake in public
>> costs reputation, every hit to reputation costs sales. Every other CA
>> acts this way, why do we expect an exception?
>
> Ian, do you seriously believe that every CA always says nothing and denies
> everything about "mistakes"?


Nooooo, absolutely not. That's why I said "*their incentives are
simple* ..."

Between incentives and action, there is a big discord.

How each CA operates between their own incentives, and their
responsibilities to the wider community, is really up to them, and a
mark of their professionalism in the industry.

(Yes, I see my last sentence could be revised.)

> After the hack on a Comodo Reseller/RA back in March, my bosses moved swiftly
> to notify the major browser providers. As I understand it, a joint decision
> was reached to keep quiet for ~1 week whilst patches were written. After
> that, my bosses published blog articles and an incident report.
>
> Yes, it hurt our reputation and it may well have hurt our sales figures.
>
> No, we absolutely did not say nothing and deny everything.


Right. So, the big question, from your experience, is this: What would
you like to see as a disclosure policy for the industry?

Is what you did also your view of "best practices," or can we improve on it?

iang
