How is SSL hopelessly broken? Let us count the ways

Blunders expose huge cracks in net's trust foundation


Analysis Every year or so, a crisis or three exposes deep fractures in the system that's supposed to serve as the internet's foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.

And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.

This year, it was last month's revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world's most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and IE respectively, meaning users of those browsers were vulnerable to unauthorized monitoring of some of their most intimate web conversations during that time.

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users' connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It's hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

“Right now, it's just an illusion of security,” said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.”

Although SSL's vulnerabilities are worrying, critics have reserved their most biting assessments for the business practices of Comodo, VeriSign, GoDaddy and the other so-called certificate authorities, known as CAs for short. Once their root certificates are included in Internet Explorer, Firefox and other major browsers, they can't be removed without creating disruptions on huge swaths of the internet.

In that sense, they are like Citigroup, American International Group and other investment companies that received billion-dollar bailouts from tax payers because the US government deemed them “too big to fail.”

“The current security of SSL depends on these external entities and there's no reason for us to trust them,” Marlinspike said. “They don't have a strong incentive to behave well because they're not accountable.”

Mike Zusman, a senior consultant at security firm Intrepidus Group, agreed.

“In terms of what the CAs do, it seems like it's a bit of the old west,” he said. “It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens.”

Zusman knows about lax CA practices first hand. In 2008, he applied for an SSL certificate that would allow him to pose as the rightful operator of Microsoft's Live.com domain, which is used to logon to Hotmail and other sensitive online services. In about two hours, VeriSign subsidiary Thawte issued the credential with almost no questions asked. Zusman's sole qualification was his control of the email address sslcertificates@live.com, which was enough to convince the automated processes at Thawte that he was authorized to own the certificate.

In December of that same year, a Comodo reseller issued a similar no-questions-asked certificate for Mozilla.com to a separate researcher who had no affiliation with the open-source software outfit.

The reports of sloppily issued certificates just keep coming. Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft exchange servers and other internal resources.

Moxie Marlinspike

Moxie Marlinspike (Source: Wired)

GoDaddy was the worst offender, but other CAs were also guilty, said the EFF's Chris Palmer, who warned that the practice aids attackers targeting the mail servers and intranets of huge numbers of companies.

“Although signing 'localhost' is humorous, CAs create real risk when they sign other unqualified names,” Palmer wrote. “What if an attacker were able to receive a CA-signed certificate for names like 'mail' or 'webmail'? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a 'man-in-the-middle' attack!”

In a truly Darwinian market, users can spurn actors with spotty track records. But that's not possible in the world of SSL. With large CAs responsible for validating millions of previously issued certificates, browser makers can't remove their root certificates from their software without breaking the sites that bought them.

As a result, virtually every browser continues to place unbridled trust in Comodo, VeriSign, and other CAs despite their gaffes. They also approve certificates generated by the China Internet Network Information Center, which many argue isn't trustworthy because it's controlled by the Chinese government's Ministry of Information Industry. Even Google, which has accused China of perpetrating a huge hacking campaign against it and dozens of other companies, allows its Chrome browser to trust the certificate.


Other stories you might like

  • EU-US Trade and Technology Council meets to coordinate on supply chains
    Agenda includes warning system for disruptions, and avoiding 'subsidy race' for chip investments

    The EU-US Trade and Technology Council (TTC) is meeting in Paris today to discuss coordinated approaches to global supply chain issues.

    This is only the second meeting of the TTC, the agenda for which was prepared in February. That highlighted a number of priorities, including securing supply chains, technological cooperation, the coordination of measures to combat distorting practices, and approaches to the decarbonization of trade.

    According to a White House pre-briefing for US reporters, the EU and US are set to announce joint approaches on technical discussions to international standard-setting bodies, an early warning system to better predict and address potential semiconductor supply chain disruptions, and a transatlantic approach to semiconductor investments aimed at ensuring security of supply.

    Continue reading
  • US cops kick back against facial recognition bans
    Plus: DeepMind launches new generalist AI system, and Apple boffin quits over return-to-work policy

    In brief Facial recognition bans passed by US cities are being overturned as law enforcement and lobbyist groups pressure local governments to tackle rising crime rates.

    In July, the state of Virginia will scrap its ban on the controversial technology after less than a year. California and New Orleans may follow suit, Reuters first reported. Vermont adjusted its bill to allow police to use facial recognition software in child sex abuse investigations.

    Elsewhere, efforts are under way in New York, Colorado, and Indiana to prevent bills banning facial recognition from passing. It's not clear if some existing vetoes set to expire, like the one in California, will be renewed. Around two dozen US state or local governments passed laws prohibiting facial recognition from 2019 to 2021. Police, however, believe the tool is useful in identifying suspects and can help solve cases especially in places where crime rates have risen.

    Continue reading
  • RISC-V needs more than an open architecture to compete
    Arm shows us that even total domination doesn't always make stupid levels of money

    Opinion Interviews with chip company CEOs are invariably enlightening. On top of the usual market-related subjects of success and failure, revenues and competition, plans and pitfalls, the highly paid victim knows that there's a large audience of unusually competent critics eager for technical details. That's you.

    Take The Register's latest interview with RISC-V International CEO Calista Redmond. It moved smartly through the gears on Intel's recent Platinum Membership of the open ISA consortium ("they're not too worried about their x86 business"), the interest from autocratic regimes (roughly "there are no rules, if some come up we'll stick by them"), and what RISC-V's 2022 will look like. Laptops. Thousand-core AI chips. Google hyperscalers. Edge. The plan seems to be to do in five years what took Arm 20.

    RISC-V may not be an existential risk to Intel, but Arm had better watch it.

    Continue reading

Biting the hand that feeds IT © 1998–2022