I have said over and over that third-party trust on security certificates is stupid. I’ve never really been able to articulate in a simple way why it is stupid. Read below and Karl articulates this beautifully. This should be a wakeup call to EVERYONE in the wake of PRISM. I still see the “security industry” pushing SSL as a panacea against PRISM. Read below as Karl destroys the reliance on the CAs that make up our “secure Internet”. This is why I won’t use a third-party cert for any site I wish to secure…ever.
OK, so let’s start demolishing fools.
First, “SSL” certificates and everything based on them are only as secure as the certificate authorities. What this means is that all commercially-issued certificates cannot be trusted. You must assume that every public CA has given their private key to the NSA, either voluntarily or not-so-voluntarily.
This means that if you’re going to be using public-key cryptography of any sort, whether to authenticate or encrypt VPN traffic, to secure email, or to secure access over the Internet, you must either be the CA or the CA that signs your certificate must be some entity you trust entirely.
No, Verisign does not count. I have no knowledge that their keys have been compromised but I am forced to assume that all of them have been, no matter who the CA is!
So you must generate your own certificate authority, publish the public key and make damn sure the private key is secured and not compromised.
The reason for this is that if I can interject myself in the middle of the conversation (as the NSA has to be assumed to be able to do) and I have compromised the CA, I can replace your key with another one that allows me to decrypt the transmission, and your browser or other tool will not detect it. I can then use the original certificate to send on the communication undetected. Since a web server doesn’t know who’s talking to it, and thus doesn’t verify a machine certificate for the client (and even if it did, your key would probably be signed by a “public” CA), there is no way for the server to detect the tampering.
Note that you can detect a server being attacked in this fashion if you connected to it before it was tampered with and if you saved its key fingerprint. That’s a lot of “ifs”, but if you did then you can detect that the fingerprint has changed. The problem is that there are perfectly-valid reasons for the fingerprint to change (the key expires and is replaced, the company changes its address, etc.) — but it at least can raise an alarm. Unfortunately browsers in general don’t flag this (nor should they) because the model presumes that CAs are trustworthy.
In short you cannot use any key that requires verification against a public CA because it can be spoofed by someone interjecting themselves in the middle if the CA has been compromised. Since we now have bald assertions that companies that have claimed to be secure have in fact cooperated with warrantless interception you can’t trust any of them.
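The two practical points in Karl’s piece, running your own CA instead of trusting a public one, and saving a server’s key fingerprint so a swapped certificate raises an alarm, can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the original post or its author. It creates two CAs: “Our Private CA”, which we control, and “Some Public CA”, which stands in for a public CA whose signing key is in the interceptor’s hands. Each issues a certificate for the same hostname (www.example.test, a constructed name, as are the CA names and file layout). It then runs the checks a browser runs (chain to a trusted CA, hostname match) and the fingerprint check the post describes, against both certificates.

```shell
#!/bin/sh
# Added example (not code from the original post or its author): run your own CA,
# issue a server certificate from it, pin that certificate's SHA-256 fingerprint,
# and compare the outcome against a look-alike certificate for the same hostname
# minted by a second CA standing in for a "public" one whose key is in the wrong
# hands. Hostname, CA names and file layout are constructed for the demo.
set -eu

# req_cnf DIR: write a minimal openssl config so the demo does not depend on
# the system openssl.cnf; v3_ca marks the self-signed certificate as a CA.
req_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# new_ca DIR SUBJECT: self-signed CA key and certificate; ca.key is the secret
# the post says must never leave your control.
new_ca() {
    mkdir -p "$1"
    req_cnf "$1"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_cert CADIR HOST OUT: end-entity key, CSR and certificate for HOST,
# signed by the CA in CADIR, written as OUT.key / OUT.csr / OUT.crt.
issue_cert() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$3.ext" -out "$3.crt" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint of the certificate, the value to pin.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chain_ok CACERT CERT HOST: succeeds if CERT chains to CACERT and names HOST,
# which is all a browser checks before showing the padlock.
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# pin_ok CERT PIN: succeeds only if CERT is the exact certificate seen before.
pin_ok() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# run_scenario: builds both CAs and both certificates, then records each check
# as 1 (accepted) or 0 (rejected) in the variables printed below.
run_scenario() {
    work=$(mktemp -d)
    host=www.example.test   # constructed hostname
    new_ca "$work/ours"   "/CN=Our Private CA"
    new_ca "$work/public" "/CN=Some Public CA"
    issue_cert "$work/ours"   "$host" "$work/legit"
    issue_cert "$work/public" "$host" "$work/forged"
    pin=$(fingerprint "$work/legit.crt")   # saved on a connection made before any tampering

    # Client that trusts only our CA: the real certificate passes, the look-alike fails.
    if chain_ok "$work/ours/ca.crt" "$work/legit.crt" "$host"; then LEGIT_OURS=1; else LEGIT_OURS=0; fi
    if chain_ok "$work/ours/ca.crt" "$work/forged.crt" "$host"; then FORGED_OURS=1; else FORGED_OURS=0; fi
    # Browser that trusts the public CA: the look-alike passes every check it makes.
    if chain_ok "$work/public/ca.crt" "$work/forged.crt" "$host"; then FORGED_PUBLIC=1; else FORGED_PUBLIC=0; fi
    # The pin is on the certificate itself, so the swap is still visible.
    if pin_ok "$work/legit.crt" "$pin"; then PIN_LEGIT=1; else PIN_LEGIT=0; fi
    if pin_ok "$work/forged.crt" "$pin"; then PIN_FORGED=1; else PIN_FORGED=0; fi
    rm -rf "$work"
}

run_scenario
echo "real cert, trust only our CA:    $LEGIT_OURS (1 = accepted)"
echo "look-alike, trust only our CA:   $FORGED_OURS (0 = rejected)"
echo "look-alike, trust the public CA: $FORGED_PUBLIC (1 = accepted: the attack)"
echo "pin matches real cert:           $PIN_LEGIT"
echo "pin matches look-alike:          $PIN_FORGED (0 = alarm)"
```

The third line of output is the whole problem in one bit: a certificate the interceptor minted for your hostname passes chain and hostname validation as long as the client trusts the CA that signed it, and the client learned nothing that distinguishes it from yours. The pin catches it because it is a hash of the certificate actually presented, not of anything the CA asserts; the cost, as the post notes, is that a legitimate renewal also changes the fingerprint, so a mismatch is an alarm to investigate rather than proof of interception.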