michael orlitzky

Against CA-signed certificates

This is pretty obviously a companion to In Defense of Self-signed Certificates. That article was focused on the man-in-the-middle issue, whereas this is a more general tirade against certificate authorities. There's some stuff in common.

Update 2015-04-02: Oh look, China (CNNIC) let some company man-in-the-middle the entire world. Why are people surprised? This is how the system was designed to work.

Interestingly, the issue was discovered through certificate pinning. Where have I heard that idea before? The browser vendors obviously think pinning is a good idea, but only for their sites. Why not give the rest of us a way to use it, assholes?

Update 2013-09-05: Recently released Snowden documents confirm earlier suspicions.

Update 2013-07-14: The FBI and NSA are going after the keys to the SSL infrastructure. Since the companies involved won't deny anything, the feds probably already have them (under gag order). Self-signed certificates with pinning could have prevented (and still can mitigate) this.

Against What?

Websites can be secured with something called an SSL certificate. In an act of unparalleled oversimplification, we'll say that there are two types of SSL certificate:

  1. Self-signed, which you can create yourself
  2. CA-signed, “legitimate,” certificates which must be purchased from a certificate authority (CA)

This topic comes up occasionally, and when I tell people that I'm against using CA-signed certificates, they look at me like I'm made of cheese.

In a Nutshell

I oppose CA-signed certificates because it's bad policy, in the long run, to negotiate with terrorists. I use that word literally—the CAs and browser vendors use fear to achieve their goal: to get your money. The CAs collect a ransom every year to “renew” your certificate (i.e. to disarm the time bomb that they set the previous year) and if you don't pay up, they'll scare away your customers. 'Be a shame if sometin' like that wos to happens to yous…

Lies

The CAs will tell you that a CA-signed certificate is better. It's for your own good. They'll tell you it makes you more secure. If you buy a certificate from them, you can even display their “secure logo” (usually a padlock or a shield) on your site to let your customers know that they're safe! Sadly, flame decals for one's vehicle were not available at the time of writing. What they don't tell you is that even a CA-signed certificate is simply a large number. They generate them for free, and the number twelve is the same number no matter how much you pay for it.

Man in the Middle Attacks

So there are some problems with their story. It turns out that the most legitimate claim they have to better security involves man-in-the-middle (MITM) attacks. In a MITM attack, someone sits between you and the website, intercepting traffic and modifying it. CA-signed certificates are supposed to prevent this, but they don't. Suffice it to say that, with a trivial modification to the web browsers, self-signed certs are better at preventing MITM attacks than CA-signed certs are.

Untrustworthy Certificate Authorities

The next problem that we run into is that the certificate authorities are themselves untrustworthy. You've got the mafia keeping people from peering into your windows. I mean, it keeps them out, but it doesn't really solve the problem.

Some CAs, like the government of China, are even a priori your enemy. Why would you trust them with the security of your site? Others like GoDaddy are not malicious—merely incompetent. If there's a security breach anywhere at GoDaddy, your site is now vulnerable. In fact, depending on how bad the breach was, your site might be vulnerable for all eternity (or at least until we dismantle the CA system).

Popular belief is that these CAs are run by experts in network security, cryptography, and other cool-sounding professions. They're not. The ones in the US at least are run by marketers. The “boring” technical details are outsourced to the slums of Bangalore, and the person who handles your account would probably slit your throat for a chance to get the fuck out of there. Now send him your credit card info, already.

With self-signed certs, there's no China, no GoDaddy, no Rajiv who might not be doing exactly what he's supposed to be doing with your personal information.

Bad Certificate Authorities

We spoke above of CAs as if they're the passive victims in these attacks. Anyone can have a bad employee, or get hacked, right? This need not be the case.

It's not well-known, but it is true that any CA can forge any certificate. That means (among other things) that the government of China can write itself a certificate for www.bankofamerica.com, and your web browser will accept it without question. The certificate is “fake” only in a vague moral sense. Technically, it is perfectly legitimate. And a number of CAs have been caught doing this.
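The pinning idea from the updates and the man-in-the-middle section, applied to the forged-certificate case just described, as a trust-on-first-use store. This is an added example, not code from the author or from any browser; the class names, the hostname and the two byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac


class PinMismatch(Exception):
    """The presented certificate differs from the one pinned for this host."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes exactly as the server sent them."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use pins: hostname -> certificate fingerprint."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert_der: bytes, ca_valid: bool) -> str:
        """Return 'pinned' on first contact and 'match' on later ones."""
        # ca_valid is the outcome of ordinary chain validation. It is only
        # reported in the error; it never changes the pin decision.
        host = host.lower().rstrip(".")
        seen = fingerprint(cert_der)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = seen
            return "pinned"
        if hmac.compare_digest(known, seen):
            return "match"
        raise PinMismatch(
            f"{host}: pinned {known[:16]}, got {seen[:16]} (ca_valid={ca_valid})")


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_SELF_SIGNED = b"constructed: self-signed cert, key held by the site operator"
OTHER_CA_ISSUED = b"constructed: cert for the same name issued by an unrelated CA"


def demo():
    store = PinStore()
    results = [store.check("shop.example", SITE_SELF_SIGNED, ca_valid=False)]
    results.append(store.check("Shop.Example.", SITE_SELF_SIGNED, ca_valid=False))
    try:
        # Chain validation passes, yet the pin still rejects the new certificate.
        store.check("shop.example", OTHER_CA_ISSUED, ca_valid=True)
        results.append("accepted")
    except PinMismatch:
        results.append("rejected")
    return results
```

The first contact is taken on faith, and a legitimate certificate replacement raises the same error, so a real deployment needs an out-of-band way to confirm a new fingerprint.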

Unreasonable Doubt

If you have any doubts regarding the motives of the CAs and browser vendors, consider the following. Even if you ignore the argument about the man-in-the-middle attacks, self-signed certificates still provide encryption and no one will try to deny this. So self-signed certs are at least safer than using no encryption.

But when you visit a site with a self-signed certificate, you'll be faced with a big red warning that the site is run by hackers and you should leave immediately. What happens if you visit the same site over plain HTTP with no encryption at all? Nothing! If you lose the encryption, the warning goes away. What the fuck?

Whenever someone brings up this obvious incongruity, the browser vendors will respond with something like “encryption is meaningless without authentication.” This sounds deep, but in essence, they're trying to convince you—with a straight face—that one good thing is worse than zero good things. Hell, even if you believe them, why does only one deserve a warning? They both should, or they both should not, if one is no better than the other.

The Point

The point of all this is that CA-signed certs are in fact worse than self-signed certs. The only feature missing from self-signed certs is the feature by which the CAs transfer your money into their bank accounts. They are essentially parasites on the system who shouldn't be fed. They're an extraneous tax on every transaction that takes place on the web. And they're a disincentive to proper security. The sooner they die, the sooner we can replace them with a system that actually works.