Friday, 30 August 2013

Self Signed Security

For many years we have been evangelising the strength of the hierarchical trust model of PKI and putting up large warning signs whenever we see a self-signed certificate.  I think we got it completely backwards, and have been putting our trust in the wrong place.

The entire PKI architecture was designed to solve the man-in-the-middle problem: how do I know you are who you say you are, and aren't someone else pretending to be you.  To do this we created certificates, which are signed public keys.  The theory is that we trust the certificate authority that signed the key, and believe that the registration authority have validated the identity of the subscriber who asked for the key to be signed.

But nearly everything about the theory is provably wrong.

We know that certificate authorities get to be that by paying a tax to browser manufacturers.  They are trusted because of a commercial agreement that is an externality to the users of the system.

We know for sure that we can't trust the certificate authority.  The breaches of Comodo and Diginotar allowed certificates to be minted by a CA that were false.  We know that intelligence agencies around the world can buy wildcard root certificates from CAs that will allow national governments to intercept all traffic.

We know that registration authorities do as little as possible to validate the subscribers, usually requiring no more than an e-mail from the domain in question, or merely trusting WHOIS records.

So what are the alternatives?

Definitely not certificate pinning.  This is not scalable, and doesn't address the underlying problems with the architecture.  It's a band-aid on a gaping wound.

Convergence looks interesting, but I suspect that if implemented as suggested it would suffer from all the same problems.  We now have to trust notaries, rather than certificate authorities, and it ends up looking like the web of trust model from PGP, and that failed dismally.

I propose that the answer is self-signed certificates.  I know that I trust me.  I control everything about the issuing and revocation of my certificates.  And so does every subscriber.  While it is possible to for anyone to mint a certificate that looks like me, they would have to mint certificates for everyone to undertake the current man-in-the-middle attack strategy.  We don't make it less secure for the defenders, but we make it exponentially more difficult and costly for the attackers, and that makes all us more secure.

Sometimes the old ways really are the best.

Phil Kernick Chief Technology Officer

No comments:

Post a Comment