Certs and Uncertainty
What the DigiNotar case tells us about security on the Internet
Schrödinger’s Cat is a famous thought experiment from quantum mechanics illustrating the uncertainty principle: the cat in Schrödinger’s box is both alive and dead at the same time, until it’s observed. The DigiNotar hack and its fall-out in the past week show that the same is true in security: an SSL certificate on a website can be considered be both secure and compromised, until proven to be one or the other.
It is well known to any security expert that 100% security is an illusion; you cannot make a system unhackable (not even a respected security company like RSA) without also making it unusable. We deal with this uncertainty by having trust. I may not be able to know if an IT system is secure, but I can trust a person or organization that tells me it is. The Dutch government, like many others, recognizes this type of trust and safeguards it in laws regarding Trusted Third Parties known as Certificate Authorities (CAs).
In theory, it’s enough to observe the security once in a while through independent audits (required yearly for certification as a PKIOverheid sub-CA for example) and trust on the on the organization to remain secure for the rest of the time. If something goes wrong in the mean time, a CA can simply revoke those certificates which should no longer be trusted by anyone. At least, that’s the theory. In practice with DigiNotar, several things seem to have gone wrong.
First of all, when DigiNotar found out they were partially compromised in July, they kept this information to themselves and tried to put the (allegedly Persian) genie back in the bottle by only revoking the illegally issued certificates of which they knew the existence. Best practice would have been to publicize the hack and revoke the higher level DigiNotar CA certificate. This would have invalidated all suspicious certificates but would also have taken away the trust in many perfectly trustworthy certificates, a costly affair. DigiNotar chose for security through obscurity instead, a practice frowned upon since the 19th century but still all too common.
Inevitably, when the compromise of the DigiNotar root certificate came to light on August 29th, trust in all their certificates collapsed literally overnight as browser manufacturers scrambled to blacklist the offending DigiNotar roots. DigiNotar first claimed that most of this blacklisting was unjustified and that users should just ‘ignore the security warning in the browser’, a statement that could unintentionally set back public security awareness several years. Clearly the marketeers were still overruling the security experts.
There were also questions about the impact on the trustworthiness of PKIOverheid (Dutch Government PKI) certificates issued by DigiNotar (DigiNotar owns one of several certified sub-CA’s that can issue such certificates). The government, in a statement on August 30th, showed it still trusted these certificates but was forced to re-evaluate that position last Friday. Independent audit by Fox IT had shown it ‘could not be guaranteed’ the PKIOverheid certificates were still secure. There was no concrete evidence (none of the 531 known fake certificates fall under this root) and there probably never will be, but the delicate balance of trust had collapsed and all government websites using DigiNotar certificate will have to switch to a new CA (of which there are several) in the coming days.
Much fear, uncertainty and doubt clouds the current media coverage. For example years old hacker messages were found in normally invisible parts of DigiNotar’s website portal, but saying this further compromises their security is like saying a bank robbery is made worse because someone also sprayed graffiti on the front door. Dutch political parties are clamoring that the hack means legitimate government sites like DigiD.nl and the tax authority ‘were insecure for months’, which is like saying that because some forged passports have been discovered, suddenly all other passports have somehow also turned into forgeries.
More significantly, there are voices that claim certificates are no longer a valid way to secure the Internet. The problem however is not with public key certificates themselves, but with the way they are implemented. The fact that there are so many CA’s (about 650 of them are trusted by major web browsers) may seem a problem but having only a few extremely large CA’s causes its own problems in the event of a revocation (large SSL issuer Comodo was hacked in a very similar way to DigiNotar earlier this year but was apparently ‘too big to fail’; now where have we heard THAT term before?). Suggestions that certificate services should be handled by the government exclusively are short-sighted, the community is better served by having multiple vendors to choose from and a lot of commercial brands are better trusted than certain governments.
We need ways to revoke suspicious certificates that can be enacted with the speed of the Internet such as OCSP, websites implementing multiple certificates so there is less disruption if one needs to be revoked and extra security measures such as whitelisting of trusted keys. A more secure Domain Name System would help, since a fake certificate is only useful if you can actually get Internet users to your fake version of a trusted website. In the Netherlands the chance that anyone will run afoul of the fake DigiNotar certificates is extremely small as long as you type in the correct Internet address, but in countries where totalitarian regimes own the ISPs this is not so trivial.
These solutions are already in the works but the most important measures to safeguard trust are not technical but human: companies must adopt a culture of transparency about data leaks and not hush them up. A proposed Dutch law mandating publicizing of data leaks is a good first step. At the same time Internet users must be educated about security and not told to flee back to using paper and postage stamps just because they don’t understand what a digital certificate is. As long as it’s easier to compromise someone’s computer with a Trojan embedded in a picture of a kitten than with a false SSL certificate, we have a long way to go.
Finally it’s worth keeping perspective on actual risks versus possible but very unlikely ones: a security warning on the Dutch tax authority site or web shop is an inconvenience, but the compromise of Iranian political activists’ Gmail accounts and possibly Tor certificates is the true danger. It may yet turn out that when we open the Schrödinger’s box of the DigiNotar fall-out, it will contain very real, dead Iranian dissidents, and in that case it should not be the technology that takes the blame.
[Jacob Boersma worked on the implementation of the Dutch TTP legal framework at ECP-EPN and later on the certification of the Dutch PKIOverheid at Logius. He now works as e-identity and e-payments consultant for Innopay and gives a Masterclass Online Security about the application of SSL certificates and other online security concepts.]