REPOST: Delete your root certs!


Repost from my dead blog. 2006-02-27

I promise, this will be a long one. But I’m venting on something I’ve known to be an issue for awhile.

First, look at Schneier’s blog on the phishing attack.

For a couple of years, I’ve been telling folks to delete their root certs from their browser. And this phishing attack is precisely why.

For the non-technical, when you visit an SSL site, part of the process involves your browser determining that the site belong to whom it is purported to belong to. In fact, channel encryption is a by-product of this verification process. During this exchange, the server sends your browser its certificate, which may or may not be digitally signed by a Certificate Authority (CA). A CA’s responsibility when signing a certificate is to verify the identity of the entity requesting the signature on the certificate. So if you’re getting a certificate for myreallycoolcompany.com, they have to do some work to verify that you’re actually the proper owner of myreallycoolcompany.com.

Notice what I DIDN’T say they do. I DIDN’T say that they check to make sure the site is not a knock-off of a legitimate site (nor should they), nor do they ask if you intend to use the certificate for fraudulent purposes (nor should they), nor do they verify any kind of association between the name of the website (myreallycoolcompany.com) and the name of the company requesting the certificate (My Parent Company, Inc.), nor should they. They DO check the registration information for the site in the registrar with information you send to the CA. Usually, this whole process involves sending a certificate signing request (CSR), and out-of-band sending the CA a piece of letterhead - this PROVES beyond any doubt whatsoever that you indeed own the company (tongue in cheek) - and a substantial wad of cash.

Now, when your browser visits myreallycoolcompany.com and goes to the SSL portion, the site sends their certificate, and your browser checks the signature chain to see if a CA that the browser trusts has signed the cert. Once the signature is found, your browser assumes that you the user indeed trusts the site. So you get the cool little padlock that tells you the connection is secure and that you can trust this company with all your personal and financial information.

But again, the CA only checks identity. Somebody (Botswana Holding Company) in Botswana could easily register thestranahtans.com (misspelling deliberate). Then they send their letterhead (for Botswana Holding Company) and the CSR to a CA. They get their cert, and almost every browser on earth will transparently trust anything that comes from the site. So then, they send out their phishing attack, make it look just like thestranathans.com, and everybody who is savvy enough to LOOK for the SSL icon and knows vaugely what a CA is implicitly trusts the site as thestranathans.com because the URL looks right (it’s as easy to mis-read misspellings as it is to type them that way) and some CA says that the site is “safe”.

In addition to my three rules for using the internet, on occasion when using a new machine, I’ll delete all the CA certificates from my browser. There are cases where this simply doesn’t work - some tools (like Windows EFS if you have it or use it) have to have certain root certs installed. But in Firefox, I’ll delete all my root certificates. Then I’ll manually visit the SSL sites I visit most - my ISP, mail provider, bank, credit card holder, etc. The first time, the browser will complain because you don’t trust the site because the CA that signed the cert can’t be found. So you carefully review the URL you typed in and the information in the certificate. But it protects you in two ways:

1) If you mistype a URL or (heaven forbid!) click a bad link in a phishing email and you go to a site that looks like the legitimate one, your browser will complain because you don’t trust the certificate. So you get a visual red flag not to interact with the site, or at least to see 2)

2) YOU become in control of trusting the sites you want to trust. Without deleting your root certificates, you’re implicitly trusing any website the CA says you should trust - which happens to be exactly the subset of websites with owners who have the $400 to spend per year on a certificate. Hackers usually have a lot more than $400 when they stand to gain more than that in return.

And just to continue the rant, Verisign intends to add another tier to their signing offering. If you pay them twice as much, they will do twice the work to verify your identity. But they still do absolutely zero (as they should) to verify your INTENT. And what they hope will happen is what Microsoft intends to do wth Vista - you don’t get a yellow address bar unless the site is REALLY secure (meaning that whoever bought the cert was REALLY rich, meaning they’re prolly twice as malicious).

See, all this time, you thought SSL meant “safe”. That somehow SSL wasn’t allowed to the bad guys. Or that you couldn’t sign code if you were a bad guy.

Just trying to protect the browsing public.