Re: Need Some Perspectives, Again

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Need Some Perspectives, Again

Post by al_9x »

http://hackademix.net/2010/03/30/need-s ... ves-again/

Though I don't know the details of the Mozilla CA auditing, it seems to me an audit by definition can not produce trust.

trust = the will and intent to do the "right thing" under virtually any circumstances
successful audit = the capability to do the "right thing," if one so desires (in this case, to pass the audit)

So none of the CAs can really be trusted, but when even a single rogue trusted CA breaks the whole system, forget about it. Under the current system it would actually be better to have a single global CA. At least all scrutiny could be focused on it. Each new CA reduces the trust of the system, due to its weakest link nature, the new CA can only lower the bar by becoming the new weakest link, it can never raise the bar. The way things are now with dozens of obscure root CAs each of them with the capability to spawn unlimited numbers of secondary CAs (every CA can resell by signing the child CA's cert, and the child CA is not even audited), it's almost a complete joke. This system appears to be broken by design.

There is another extension Certificate Patrol, whose functionality, if combined with perspectives ideally in a single extension, could possibly solve this problem:

Patrol has the functionality to detect changed certs (like SSH) and perspectives has the functionality to tell you if the changed cert (or new cert, if first time) is the same as other users are seeing. This would work pretty well also with self-signed certs.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Need Some Perspectives, Again

Post by al_9x »

Interesting thread on the subject.

It also underscores the completely ridiculous practice I mentioned of selling sub-CA certs.
Eddy Nigg wrote:
> On 04/01/2010 02:40 PM, Michael Ströder:
>> You could also spend ~5000 EUR and have your own corporate sub-CA issuing
>> certs for whatever DNS name you want.
>
> Which doesn't imply that no domain control validation is performed.

Of course everything is covered by contracts. But there isn't any domain
control validation in the particular case I know of.

An organization I know has such a sub-CA cert signed by a pre-installed
trusted root CA. Domain control validation is practically impossible for the
superior CA since this organization has tens of thousands of domains registered.
I know that this organization does not do anything bad so I won't mention the
root CA here.

But personally I take this as evidence that if you spent this fairly low
amount of money you could issue arbitrary certs without the superior CA
noticing it. IMO this could not even be discovered by audits if someone would
want to hide bad activity.

Ciao, Michael.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Need Some Perspectives, Again

Post by dhouwn »

I wonder what would happen if the name of the CA company would become public…

/edit:
http://patrol.psyced.org/ wrote:
> Comodo, GeoTrust, GlobalSign, QuoVadis, RSA WebTrust and StartCom are known to offer intermediate CA for money. Still StartCom is extremely popular with small and private web sites for its free services.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.366.2 Safari/533.4
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Need Some Perspectives, Again

Post by al_9x »

The Certificate Patrol authors are wondering why there should be closer integration with perspectives:
> al_9x suggests we should combine CertPatrol with Perspectives in a single add-on, but they already do great team work side by side, no?

Since they don't appear to have a forum, I guess I'll answer here. Patrol should support on demand Perspectives notaries querying at the moment that a new cert is added to the Patrol store and when a change is detected.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
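
The workflow described in the post above (consult notaries only when a certificate is new to the pin store or differs from the pinned one), sketched as an added example that is not part of the thread and is not Certificate Patrol or Perspectives code. `PinStore`, `quorum`, the notary ids, the fingerprints and the 75% agreement threshold are all hypothetical, and the notary answers are constructed sample data.

```javascript
// Added example: SSH-style pin store that asks notaries on "new" or "changed".
// Fingerprints and notary views below are constructed, not real observations.

// Compare our fingerprint with what each notary saw (null = no answer).
function quorum(fingerprint, notaryViews, threshold) {
  const answered = Object.values(notaryViews).filter((v) => v !== null);
  const agree = answered.filter((v) => v === fingerprint).length;
  // Fail closed when no notary answers (policy choice assumed here).
  const ok = answered.length > 0 && agree / answered.length >= threshold;
  return { agree, answered: answered.length, ok };
}

class PinStore {
  constructor(queryNotaries, threshold = 0.75) {
    this.pins = new Map();              // host -> pinned fingerprint
    this.queryNotaries = queryNotaries; // host -> { notaryId: fingerprint|null }
    this.threshold = threshold;
  }

  check(host, fingerprint) {
    const pinned = this.pins.get(host);
    // Same cert as last visit: nothing to ask, no notary traffic.
    if (pinned === fingerprint) return { verdict: "unchanged", queried: false };
    const event = pinned === undefined ? "new" : "changed";
    const q = quorum(fingerprint, this.queryNotaries(host), this.threshold);
    // Only replace the pin when other vantage points see the same cert.
    if (q.ok) this.pins.set(host, fingerprint);
    const verdict = `${event}-${q.ok ? "accepted" : "rejected"}`;
    return { verdict, queried: true, agree: q.agree, answered: q.answered };
  }
}

function demo() {
  const GOOD = "aa:11:22", ROTATED = "bb:33:44", LOCAL_ONLY = "cc:55:66";
  let views = { n1: GOOD, n2: GOOD, n3: GOOD, n4: null };
  const store = new PinStore(() => views);
  const out = [];
  out.push(store.check("example.test", GOOD).verdict);       // first visit
  out.push(store.check("example.test", GOOD).verdict);       // repeat visit
  out.push(store.check("example.test", LOCAL_ONLY).verdict); // only we see it
  views = { n1: ROTATED, n2: ROTATED, n3: GOOD, n4: ROTATED }; // one stale notary
  out.push(store.check("example.test", ROTATED).verdict);    // legitimate rotation
  return { out, pin: store.pins.get("example.test") };
}
```

A changed certificate that no notary has seen leaves the old pin in place, which is the case where pin tracking alone can only report "changed" without saying whether the change is local to the user's network path. Because the check compares fingerprints only, it applies equally to self-signed certificates.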
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Need Some Perspectives, Again

Post by dhouwn »

al_9x wrote:
> Since they don't appear to have a forum

They have a multi-protocol (PSYC/IRC/Jabber/…) chat: http://www.psyced.org, major developers seem to be there pretty often and are all very friendly.

IRC-Link: ircs://ve.symlynx.com:9999
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.9 Safari/533.4
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Need Some Perspectives, Again

Post by dhouwn »

And in the meantime we had at least four other occurrences, two with Comodo, one with a French CA and now recently with DigiNotar, time to bring this up again…
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0a2) Gecko/20110830 Firefox/8.0a2
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Need Some Perspectives, Again

Post by dhouwn »

Two words: Trustwave MITM
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Need Some Perspectives, Again

Post by Alan Baxter »

Thanks. No link necessary. A web search gives lots of info.
Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Hungry Man
Junior Member
Posts: 43
Joined: Wed Oct 19, 2011 9:42 pm

Re: Need Some Perspectives, Again

Post by Hungry Man »

Auditing is important. The problem is... who is doing the auditing?

In an open source environment communities do the auditing. In the CA environment either the CA does internal auditing or they are audited by another company. In the second situation you either have people holding themselves accountable or a company they hire holding them accountable... but who holds the auditing company accountable etc etc it's an endless chain.

Trust has to be community based.

I like the idea of self-signed cert internet with community vetting. It would be a lot more complicated than just that of course. Very similar to perspectives.
Mozilla/5.0 (X11; CrOS i686 1660.34.0) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.32 Safari/535.19