A non-OpenSim post for a change. This time on HTTP SSL certificates and the people who think self-signed certs are actually doing something.
I see this a lot on places like Slashdot, people’s blogs, mailing lists, etc. “SSL Certificates are worthless, self-signed certs are perfectly fine, Verisign are a rort charging money for nothing.” – and it’s completely false.
Simplified, SSL certificates consist of two main security properties – property #1, they facilitate public key encryption, which secures the transmission between you and a foreign entity from interception by a third party, and property #2 – they verify that the foreign entity on the other end is infact the server you want to be transmitting data to (ie, they are who they say they are.).
Both of these principles work in tandem – each server certificate is signed by a higher authority who vouches for the identity of the bearer; they are “signed” using cryptographic principles which prevent them from being tampered with. If a trustworthy third party cannot verify the certificate; then you do not know that the other party is really who you want to send data to.
While verification of identity has slipped with the price of certificates; you can be assured that the provider has at least verified the requestor is affiliated with the domain in question (ie; you cant just go out and get a certificate in paypal.com’s name). The stronger certificates, such as “EV” certificates (which get a green browser bar in modern browsers) – still require a full identity check.
This means, when you see that little padlock and dont get a self-signed warning; you know that the server you are speaking to is at least affiliated with the domain in question.
Which brings us to self-signed certificates. These are missing that little bit of verification – and the problem is, encryption’s purpose is to hide data from untrusted third parties; however with self-signed certificates, you dont know who you are communicating with in the first place – and hence the encryption is effectively worthless.
It’s quite possible for an attacker to generate a self-signed certificate in an identical name to the self-signed certificate you made, and then ‘proxy’ the connection; seeing the encrypted data, with you none-the-wiser. The only way of telling them apart would be to examine the certificate fingerprint; however there are no real effective ways of validating the fingerprint of a site easily.
You might ask where would an attacker be able to do this kind of intercept if they didnt work at say an ISP between you and the server, and a very common answer would be wireless hotspots and public networks. The same techniques which allowed an attacker to replace every image served on the DEFCON conference WiFi network with Goatse are the exact same techniques that would allow you to do a SSL-interception on a self-signed certificate.
So no – while the faux-SSL would raise the difficulty level slightly; it is not securing the connection; only a certificate signed by a trusted independent third party is secure. That does not have to be a subsidiary of verisign – but it does have to be a group who provide enough identity verification that they don’t hand out certificates to anyone who asks for one.
The default trusted authorities (CA’s) included in most major browsers consist of groups who provide some degree of identity verification. The browsers decisions on which CAs to include are based on this principle more than any other.
This also means, when Firefox shows you a big warning saying ‘This site has a screwed up security certificate’ – take heed. It’s saying it for a reason; the site isn’t secure.
Edit: for those who still dont believe self-signed certificates can be forged quickly or easily, read this.
The interesting thing about sslsniff isn’t that it’s a self-signed certificate – it’s actually a certificate signed by one of the trusted CA’s, that has then had additional signatures put in the chain. Web browser implementations incorrectly check that there is *a* signature it trusts, but doesn’t do full inspection of the certificate to begin with.
The whole trust model is a bit broken to begin with anyway however, because there are really only two trust levels: absolute trust and none at all; and is it like your web browser actively checks certificate revocations from the CA? I’ll give you a hint – they don’t.
I disagree that self-signed certificates are useless in general, but only if you already have a trusted copy of your CA’s public certificate on your machine. For example, up until recently I used to self-sign my IMAP/SSL certificate because I can trust it once and explicitly remember the one you trust. This is how SSH works – hosts generate their host key once off and use that for all future communication: you build the trust when you first connect.
Interesting projects for the doubters include the Australian based CACert, which offers web-of-trust style verification and an equivalent level of verification as low-end SSL providers. The only problem is that their CA certificate isn’t trusted in any browsers or OS platforms – though there’s a 10 year old ticket at Mozilla for changing this (and a huge debate surrounding it).
Ultimately, whilst we can keep using bigger and bigger keys (to keep ahead of brute forcing by a comfortable margin) – the weakness with SSL is in how it’s implemented.
Will Dowling
4 Aug 09 at 3:17 am