Disclosing the private key in this blog post was extremely irresponsible. Although the certificate has been revoked, revocation basically doesn't work[1], so for practical purposes this key will usable for MitM until it expires on Mar 19, 2016. Hopefully browser vendors will push out updates that explicitly blacklist it (Chrome is pretty proactive about this, not sure about other browsers), but that won't help non-browser clients or users running out-of-date browsers.
If you ever do this, please, please destroy the private key immediately. There are other ways to prove you had possession of it, such as by signing something with it.
Revocation is Hard. The problem is that the way certificates work is supposed to be asynchronous: You get a certificate from the CA, the client has the CA's public key, so you give the certificate to the client which can verify it without talking to the CA. This is pretty important if you want to secure something that needs to keep working even if it isn't on the internet, or the internet is down, or the CA's servers are down (or under DoS), etc.
But you can't do revocation that way. The client can get the certificate from the server being certified, but it can't get a revocation that way because nothing forces the server provide the revocation.
To do revocation you have to have a database of all the revoked certificates and check every certificate against the database before accepting it. But there are too many revoked certificates to store on the client; the database is too big. And if the client has to query some server then the attacker can DoS or MITM that server.
The best way to handle "revocation" is to fully automate certificate issuance like Let's Encrypt, but then only issue certificates for a short period of time, like 10 days (but renewed every 7). Then you don't have to worry about revocation because the certificate expires in about the same amount of time it would take to be detected and distributed in a revocation database.
> only issue certificates for a short period of time, like 10 days (but renewed every 7)
That's essentially the situation we're in with OCSP stapling, if you consider the certificate plus OCSP response to be the certificate. (The "must staple" cert extension[1] would make it even more similar.)
Someone please tell me why doing it that way is better than the following:
You validate yourself in the usual way and present a CSR to the CA. The CA signs the certificate but only with a very short expiration. However, unless the certificate is "revoked", you can come back at any point and the CA will automatically sign an identical certificate with the sole exception of the expiration date. (Then maybe they stop after e.g. two years unless you validate again, to keep an "actual" expiration.)
The advantage of that over OCSP stapling is that it requires zero modification to the client. What advantage does OCSP stapling have over that?
There is another solution, the CRL Distribution Point, or CDP. Entrust implemented this rather elegantly in their product starting in the mid 1990s and still use it today.
Instead of having a monolithic CRL, the CA publishes smaller CRLs and writes the CRL location on which a certificate would appear if revoked in the certificate itself.
In other words, every X certificates, the CA creates a new CDP, call it CDP_n, and all subsequent certificates issued between now and +X from now have the location of CDP_n written in them: That's where you look for their CRL.
+X certificates from now, the CA creates CDP_n+1 and starts writing that into the certs.
The size of X can be set, tuned, based on certificate lifetimes, number of users, etc., etc. If you want your CRLs to be fresher, use a smaller X, have more CDPs.
The other nice thing about the CDP is that it ties the CRL retrieved from wherever (an LDAP repo, a web site, etc.) to the certificate: The certificate contains within its signed payload a reference to the CDP location and the CRL contains within its signed payload a reference to the same location (the issuingDistributionPoint) so you have a high integrity check that the CRL being used to verify the certificate is actually the right one, even if the certificate is valid and therefore not listed thereupon.
This prevents an attacker from fooling you into trusting a revoked certificate by replacing its CRL with one that doesn't match it: The replacement CRL will have the wrong iDP, one that does not correspond to the CDP in the cert.
> The best way to handle "revocation" is to fully automate certificate issuance like Let's Encrypt, but then only issue certificates for a short period of time, like 10 days (but renewed every 7). Then you don't have to worry about revocation because the certificate expires in about the same amount of time it would take to be detected and distributed in a revocation database.
That can make it less likely that your certs will be used in revocation attacks. It does absolutely nothing to protect your visitors from other compromised certificates.
The "best" known way (to my knowledge) is to use a blockchain, which doesn't have the revocation problem.
Here is a comparison of a blockchain-based approach I'm working on with some other folks called DNSChain to other approaches people have suggested:
Bloom filters have false positives. Then you need some way to verify that a hit isn't a false positive, and whatever method is used for that will have the same availability problem in verifying a hit in the bloom filter as it would have in obtaining the revocation that way to begin with.
Btw, is there any reason why CRLs are not widely published via DNS (https://tools.ietf.org/html/rfc4398)? It would lower the costs associated with distribution of CRLs...
CRLs are way too large to distribute through the DNS (e.g. the Comodo CRL mentioned in the blog post is 740kb). And what does that RFC say to do when a CRL is too big? Return a URL instead. So we're back to square one.
Yeah, right. But any CRL smaller then 64 KB can be distributed this way. So it would be CA's responsibility to keep them small, otherwise they would pay for the full traffic.
"The RDATA field in the DNS protocol may only hold data of size 65535
octets (64kb) or less. This means that each CERT RR MUST NOT contain
more than 64kb of payload, even if the corresponding certificate or
certificate revocation list is larger. This document addresses this
by defining "indirect" data types for each normal type."
Personally, I am for an overridable hard-fail option for OCSP, which should not be the default for now. What I want is an actual interstitial with an override option, because it will show before the HTTP request is sent.
Yea, there always would be a risk, but the user can evaluate the situation and determine whether it would be acceptable. This is part of why I said it would not be enabled by default for now though.
Does anyone know if there is a way to blacklist a certificate on a windows 8.1 machine? To me, managing certificates between the os, IE, Chrome and Firefox is a bit of a joke in 2015. Besides blacklisting, I would love to know of script that will output the certificates that the PC has trusted but are not trusted by Verisign.
It's more like the way domain ownership is validated is awful. If the only way to validate domain ownership was to ask the domain owner to create a TXT entry, with both the entry name and its contents being nonces chosen by the certificate authority, it would be much harder to do these attacks (one would have to be able to MITM between the certificate authority and the domain's DNS servers, or compromise the DNS servers).
Well before the sorta recent DNS port fixes, wasn't spoofing a DNS result rather trivial? If you knew where they were going to validate from, you could start spamming spoofed responses for that nonce record. Or do I misunderstand entirely?
I agree, when I first heard about it being based on email validation one of my first thoughts was "owning an email address hosted on a domain does not necessarily mean owning the domain."
On the other hand, being able to modify the DNS records is a much stronger proof of ownership.
I strongly disagree. We need to move towards using TLS everywhere and part of doing that is making it easy for everyone to get a cert. You can validate domain control through DNS / whois records instead of the standard group of admin email address.
The linked post talks of phone verification, but we know GSM networks don't use strong cryptography and stationary phones aren't better secured either. Do you perform any additional verification? I'd want to see use of government issued personal certs for this purpose, surprised even that this isn't commonplace.
Of all the CAs my browser trusts, any single one of them can compromise the entire web by fucking up and issuing bad certificates.
I have no say in which CAs I "trust", since my list has to match the list that site owners pick from. Site owners have no benefit from picking better CAs on the list over worse CAs also on the list, because my browser trusts them the same.
How could anyone think this is a good system!?
[Edit: and yeah, things like cert pinning can mitigate the damage a bit. That's not enough to make a bad idea suddenly a good idea, and it only took approximately forever to start being implemented.]
The idea, as far as there is one, is that if a CA does fuck up for real, then they get revoked and are out of business. But the Comodo "let's trust resellers to validate" didn't have any impact (and I get 2-8 calls s week from em often).
Browsers might consider showing the country of the registrar, in the UI. So if I ever connect to a Canadian or US domain, and the registrar is some totally unrelated country, I could be alarmed. OTOH this might just end up confusing people even more.
If users had and at least some exercised control over trusted CAs, at least to the extent of disabling if not adding, then site owners should have an incentive to choose better CAs, since worse CAs would be disabled by security-conscious users.
When another Dutch ISP launched in 1998, I was able to register the root@ email address and a friend of mine got info@. It took them over one year to figure out that they might want to take those away from us.
Surprising to hear that this is still possible all those years later, especially with an ISP like xs4all.nl. Those guys always had a good reputation, security-wise. I see they still have the tradition that you get an apple pie for responsible disclosure (https://www.xs4all.nl/over-xs4all/beleid/responsibledisclosu...). So bon appetit!
CRLSet 2140 contains a public-key block for this. If you're on desktop Chrome you can go to chrome://components and check for a CRLSet update manually. If you're testing it, note that Chrome caches certificate validity results for a while so you might need to restart Chrome to see the effect.
Is there any way to discover a list of SSL certs that have been issued for a domain?
The problem here is, once someone has shown that they could receive emails for administrator@yourdomainname, you have no idea how many SSL certificates they bought, and from which CAs.
Even if they publish a blog post about it and show you a certificate, surely your domain is now compromised? You can revoke that certificate, but how do you know that was the only one they obtained?
From this point on, all you know is that your domain name is potentially compromised and there's nothing you can do to fix it...
Imo the problem is of the issuer. They only opens holes by doing this kind of things. Imagine if you already secured the admin@domain.com and tomorrow the issuer thinks that admin-ssl@domain.com could be used for validation. Now what, you should keep up with their updates every hour?
This is why self-signed certificates are more secure than CA-signed certificates. When you expand the trust model to include three parties rather than two, it gets much more complex and vulnerable.
If I see a self-signed certificate from CitiBank, I know that the counterparty claims to be CitiBank. That's all I know. When I receive a Verisign-signed certificate from CitiBank, I know a party claiming to be Verisign claims that the counterparty is CitiBank. That doesn't realistically help me much.
Many email systems don't exactly support unicode usernames in the first place, and provisioning systems will just send to administrator@ ([a-z]). It's not "enter your own email", you just get to pick from a variety of emails to provision a cert like admin@, ssladmin@, postmaster@, and the whois email.
there's no reason having a cert should prevent you from registering another one, afaik. There are plenty of reasons you might legitimately want to do that, and running the certpatrol firefox extension shows that lots of sites change cert (and even issuer CA) fairly regularly.
I think it's Old Webmaster Lore that there exist roughly ten email addresses which are Widely Considered To Be Special. abuse@, postmaster@, and administrator@ are three of them.
There exist a lot of systems in the world which rely on this being true, irrespective of whether it is in fact true.
I seem to recall DNS being one of them, that is that you have to have somebody monitor abuse@.
But either way, this is yet another reason to ditch certificates: it is way too fragile a system (not the least because it gives users the "it has a lock, it means it is safe").
Email is an incredibly common method for domain validated certificates. The other common options are a TXT/CNAME record or uploading a specific file to a certain URL.
The requirements for domain validation are:
11.1.1 Authorization by Domain Name Registrant
For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the
Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate,
collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has
control over the FQDN by:
1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number
provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the contact information listed in the
WHOIS record’s “registrant”, “technical”, or “administrative” field;
4. Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’,
‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”),
followed by the Domain Name, which may be formed by pruning zero or more components from the
requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to
information found on an online Web page identified by a uniform resource identifier containing the FQDN;
or
7. Using any other method of confirmation, provided that the CA maintains documented evidence that the
method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over
the FQDN to at least the same level of assurance as those methods previously described.
Again, email addresses are fine, but which email address is important. The address on the WHOIS record isn't bad, as long as that's disclosed to the certificate purchaser ahead of time.
TXT records and uploading files are definitely better, though.
Unless DNSSEC is used, email, DNS, and URL verification amount to almost nothing. I'd guess that there is at least one CA that is not using it and leaving the door wide open.
I'd also guess there are plenty of domains depending on CA validation that haven't enabled DNSSEC.
If you're going to change your messages after posting them, at least disclose that you did so. Some of the replies don't make sense with the new content you added.
Proving ownership by sending email to the contacts in the WHOIS record is the _only_ way I've seen for the cheapest certificates. What other ways are you thinking of, and can you point to any CAs that do them (for their cheapest certificates)?
It's entirely possible the WHOIS data for the domain in question had several email addresses listed, at least one of which was not blacklisted for use by clients.
If you ever do this, please, please destroy the private key immediately. There are other ways to prove you had possession of it, such as by signing something with it.
[1] https://www.imperialviolet.org/2014/04/29/revocationagain.ht...