Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure
Boffins measure the black hole of dubious certs and find it troubling
Security researchers have checked the web's public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities.
Certificate Authorities, or CAs, vouch for the digital certificates we use to establish trust online. You can be reasonably confident that your bank website is actually your bank website when it presents your browser with an end-user or leaf certificate that's linked through a chain of trust to an intermediate certificate and ultimately the X.509 root certificate of a trusted CA.
Each browser relies on a trust store consisting of a hundred or so root certificates that belong to a smaller set of organizations. Mozilla's CA Certificate List for example currently has 151 certs representing 53 organizations.
Some of the more well-known CAs in the US include IdenTrust, DigiCert, Sectigo, and Let's Encrypt.
But it's not the known CAs that are the problem. Researchers affiliated with universities in China and the US recently examined the certificate ecosystem and found that there are a great many hidden root certificates. They're a concern because root certificates and their associated CAs are supposed to be known – that's the basis of the chain of trust.
Seven computer scientists – Yiming Zhang, Baojun Liu, Chaoyi Lu, Zhou Li, Haixin Duan, Jiachen Li, and Zaifeng Zhang, affiliated with Tsinghua University, Beijing National Research Center for Information Science and Technology, 360Netlab, and QI-ANXIN Technology Research Institute in China, and University of California, Irvine, in the US – explore these obscure CAs in a paper titled, "Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem."
The paper[PDF] was presented at the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security this week.
With the help of the 360 Secure Browser, a widely used browser in China, the researchers analyzed the certificate chains in web visits by volunteers over the course of five months, from February through June 2020.
"In total, over 1.17 million hidden root certificates are captured and they cause a profound impact from the angle of web clients and traffic," the researchers report. "Further, we identify around five thousand organizations that hold hidden root certificates, including fake root CAs that impersonate large trusted ones."
Hidden root certificates refer to root CAs that are not trusted by public root programs. The situation is vaguely analogous to looking in your wallet and finding what appears to be official currency until you realize the banknote depicts Bozo the Clown. You're not sure how this dubious bill arrived in your wallet – maybe you were defrauded – and you might be able to spend it – if no one looks too closely – but there's probably something fishy going on.
"Certificate issuance of hidden root CAs is usually not audited, allowing them to arbitrarily issue forged certificates and intercept secure connections, which breaks authentication and poses security threats," the paper explains.
- Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years
- Let's Encrypt completes huge upgrade, can now rip and replace 200 million security certs in 'worst case scenario'
- Police drone plunged 70ft into pond after operator mashed pop-up that was actually the emergency cut-out button
- Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs
Hidden root certificates, the authors explain, come from a variety of sources – some benign, others less so. They may be installed by VPN, parental control, or security software, malware, enterprise networks, or government agencies. Fundamentally, they are all problematic because they generally don't conform to audited policies or allow for monitoring through a system like Certificate Transparency. And they undermine the chain of trust because they don't offer the same modes of verification as public root CAs.
Baojun Liu, a postdoctoral researcher from Tsinghua University, offered an example of the risks posed by fake root CAs. "We discovered that a Windows Trojan implanted root certificates disguised as SecureTrust CA 2 into infected hosts, which was confirmed by the threat intelligence of Cisco [PDF]," he said in an email to The Register. "Cases of malware employing fake root certificates have also been reported in previous works."
These hidden root certs were implicated in about 0.54 per cent of all visits measured. Together they represented 5,005 certificate groups, most of which (4,362 groups or 87.2 per cent) included only one certificate. The remaining 12.8 per cent of groups accounted for 99.6 per cent of all certificates.
The largest of these groups consisted of 254,412 root certificates from "Certum Trusted NetWork CA 2" – an entity posing as Certum CA, which uses a lowercase "w" in its certs with the word "Network". Another lookalike CA identified was "Verislgn trust Network" – not to be confused with the legitimate "Verisign".
Even in scenarios where hidden root certs were being used legitimately by government agencies and enterprises for appropriate purposes, the researchers found implementation flaws – 75 per cent of those certificate chains had verification errors from weak signature algorithms. This would be less of an issue if the certs were internally facing, but the researchers say a majority of self-built root CAs sign certificates for public websites.
These hidden root certs magnify security problems though improper implementations. For example, the researchers found 41.4 per cent of hidden root CAs owned by government agencies and enterprises are used for direct signing of certificates in the chain. Root certs are supposed to sign intermediate certs which in turn get used to sign leaf certificates – that way the intermediate certificate can be revoked if there's a security problem, leaving the root intact.
Another problem: Over 79 per cent of hidden root certificates are valid for more than 60 years (current thinking, the boffins say, is that a lifespan of between six months and 16 years is more appropriate, depending upon the strength of the public keys at issue).
The paper makes several recommendations for how to improve the situation. Operating systems should regulate root store modification better, the authors argue. Browsers should do more to communicate certificate concerns to internet users, and the ways in which local applications intercept traffic should be normalized, to help make malicious intervention more evident.
"It could be quite beneficial if software [makers] would make their certificate usages more transparent for regulatory oversight," said Liu. "As for far-reaching plans, establishing hierarchical authorization structures (e.g., managing system root certificates separately from user root certificates) or other forms for limiting the effective range of third-party CAs is also an admissible option."
Asked whether better automated detection measures might be built into browsers to catch non-compliant certificates, Liu said there aren't presently any suitable lightweight tools for browsers yet and more serious tools like Zlint aren't a good fit.
"However, such validation modules could be extended by sorting out security-sensitive non-compliances with rule-based checking, which is not an overly complex task for automated deployment," he said. "And we're also looking forward to doing so." ®