You are not supposed to understand the SSL / TLS / HTTPS system. Certificates of authority get “hidden in the weeds” making it hard for customers to verify the security of a given website. In an article for Computerworld, Michael Horowitz argues that secure websites are “security theatre” because they only appear to be secure, when in fact they are “rigged against ordinary users.”
Arrogance or Conspiracy?
He believes that web browsers should issue a warning to users that HTTPS interception is taking place. Similarly, if the browser routinely asked end users about CA certificates it does not recognize, there could be legitimate action taken to secure the user environment. But Horowitz is skeptical. He believes that the tech industry is bent on keeping the public uninformed – an outright conspiracy? Well, perhaps just industry arrogance. The newly made Google Certificate Transparency project appears promising, but Horowitz notes that adoption by major industry players is slow and limited. The SSL Observatory project launched in 2010 by the Electronic Frontier Foundation (EFF) has appeared to completely fizzle out.
Then there is the idea of “certificate pinning.” Horowitz’s associate Jonathan Zdziarski suggests the creation of a Certificate Validation Framework (CVF) which borrows from the concept of Sender Policy Framework (SPF):
PF is specifically designed for email, but the concept is pretty solid: using a secondary service (DNS) as a lightweight means to read information directly from the host you’re interested in connecting to (via SSL here) … If web browsers were to look for certificate validation data within the TXT record of the destination’s DNS records, they could obtain a hash of the certificate that the server is using; the website you’re visiting would effectively be advertising a hash of its own certificate so that any other certificate in the world, regardless of who’s signed it, would fail … There would be a very publicly visible trace of a government or other attacker attempting to MiTM DNS, whereas today MiTMing certs is a very low visibility task.
Certificate pinning appears to have the greatest positive impact, to date, argues Horowitz. It very recently helped to expose fraudulent certificates used by MCS Holdings, and in 2011 put the company DigiNotar out of business for issuing fraudulent certificates in Iran.
Other Improvements that Will Never Catch On
To address the scaling problems of certificate pins, some have proposed HTTP Public Key Pinning, which would function as an extension HTTP protocol. Trust Assertions for Certificate Keys (TACK) is another promising way to help clients avoid unwanted third party intrusions that Horowitz believes will never catch on. Given the industry’s track record of not fixing the system, one has to wonder if this state of affairs is not intentional.
Read the original article at: http://www.computerworld.com/article/2909512/ssl-tls-https-keeping-the-public-uninformed.html