Comments on DSHR's Blog: The Curious Case of the Outsourced CA
Comments feed, 10 comments, retrieved 2024-03-28T07:23:23-07:00

David., 2019-01-12T20:03:31-08:00

Trump's partial government shutdown is revealing one of the <a href="https://boingboing.net/2019/01/11/shutdown-dot-gov-websites-vul.html" rel="nofollow">risks of the Federal government outsourcing trust to commercial CAs</a>:

"<a href="https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html" rel="nofollow">A Thursday report from Netcraft</a> estimates that the .gov websites are using 80 or more expired TLS certificates. ... Funding to renew the certificates is on hold while the shutdown continues.

Any of the government websites with an expired cert becomes newly vulnerable to any number of internet-based assaults, including man-in-the-middle (MITM) attacks that enable third-party bad guys to intercept what passes between an internet user and a web application on the affected site. Bad guys can eavesdrop on traffic, assume the identity of the government website, and siphon off data input by the user."

David., 2018-05-24T08:11:40-07:00

"In a <a href="https://www.wyden.senate.gov/imo/media/doc/wyden-web-encryption-letter-to-dod-cio.pdf" rel="nofollow">letter [PDF]</a> sent by US Senator Ron Wyden (D-OR) to the DoD's CIO Dana Deasy, Wyden points out that HTTPS and HSTS (to direct browsers to the HTTPS site if they request the unencrypted version) are required of all American federal civilian agency websites under a 2015 Office of Management and Budget (OMB) directive." writes <a href="https://www.theregister.co.uk/2018/05/24/dod_failing_on_encryption/" rel="nofollow">Richard Chirgwin at <i>The Register</i></a>:

"Wyden is frustrated that those agencies are taking their own sweet time. So far, the letter states, only “a small number of DoD websites” (including the Army, Air Force, and NSA) are encrypted.

The DoD is also self-signing certificates, something once fiercely defended as a right by Internet utopians, but which now looks anachronistic at best.

“Unfortunately, many other sites, including the Navy, Marines, and your own office's website at dodcio.defense.gov, either do not secure connections with encryption or only prove their authenticity with a certificate issued by the DoD Root Authority”.

The DoD Root Authority isn't a CA listed as trusted by (for example) the Chrome browser, visitors get security warnings"

David., 2017-11-01T11:11:54-07:00

<a href="https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/" rel="nofollow">Certificates that sign code can be bought on the dark web</a> and are being abused to sign malware to avoid detection by virus scans:

"Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service."

David., 2017-10-29T11:20:40-07:00

Among the governments that your browser trusts is the Dutch government which, on January 1, will acquire new powers to <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1408647" rel="nofollow">subvert the Certificate Authority system</a> to enable their spooks to mount Man-in-the-Middle attacks:

"Article 45 1.b, explicitly authorizes the use of "false keys" in third party systems to obtain access to systems and data."

Of course, there is no way any of the other CAs that your browser trusts would be doing this, with or without legal authority. Hat tip to <a href="https://www.listbox.com/member/archive/247/2017/10/sort/time_rev/page/1/entry/0:136/20171029122507:B7F5E7D6-BCC5-11E7-8A45-89E2E0B8E3A8/" rel="nofollow">Lauren Weinstein</a>.

David., 2017-05-02T12:51:35-07:00

At <i>Slate</i>, Joshua Oliver's <a href="http://www.slate.com/articles/technology/future_tense/2017/05/google_is_making_sweeping_changes_to_how_we_keep_secure_websites_secure.html" rel="nofollow"><i>Google Is Making Sweeping Changes to How We Keep the Internet Safe</i></a> is an informative, non-technical overview of Google's push for <a href="https://www.certificate-transparency.org/" rel="nofollow">Certificate Transparency</a>. They'll make it mandatory in Chrome by October.

David., 2017-03-23T20:07:31-07:00

Google has revealed that Symantec's mis-behavior has been <a href="https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/" rel="nofollow">MUCH worse than previously known</a>:

"Google's investigation revealed that over a span of years, Symantec CAs have improperly issued more than 30,000 certificates. Such mis-issued certificates represent a potentially critical threat to virtually the entire Internet population because they make it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers. They are a major violation of the so-called baseline requirements that major browser makers impose on CAs as a condition of being trusted by major browsers."

Google is starting a gradual process of untrusting Symantec certificates. Of course, what they should have done back when Symantec was initially caught issuing bogus certificates (including for google.com) was to immediately remove Symantec as a trusted CA, since they were obviously untrustworthy. But they are "<a href="https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/" rel="nofollow">too big to fail</a>":

"Symantec's repeated violations underscore one of the problems Google and others have in enforcing terms of the baseline requirements. When violations are carried out by issuers with a big enough market share they're considered too big to fail. If Google were to nullify all of the Symantec-issued certificates overnight, it might cause widespread outages. The penalties outlined by Sleevi seem to be aimed at minimizing such disruptions while still exacting a meaningful punishment."

The reluctance of browser makers to pull the plug on a rogue CA has led to years of insecurity for their users. A temporary inconvenience while sites replaced their certificates with less untrustworthy ones would have been much better, and since it would have put Symantec out of the CA business, it would have been a wake-up call for the others. But no, like the US Fed, Google, Mozilla and Microsoft were too chicken. They're still too chicken, letting an obviously untrustworthy CA be the basis for trust in much of the Internet.

David., 2017-01-29T15:05:37-08:00

Google has become irritated enough with the incompetence (or worse) of CAs such as Symantec to <a href="http://www.theregister.co.uk/2017/01/27/google_root_ca/" rel="nofollow">set up its own root certificate authority</a>.

David., 2017-01-20T20:15:16-08:00

Dan Goodin at <i>Ars Technica</i> reports that <a href="http://arstechnica.com/security/2017/01/already-on-probation-symantec-issues-more-illegit-https-certificates/" rel="nofollow"><i>Already on probation, Symantec issues more illegit HTTPS certificates</i></a>:

"One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to <a href="https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html" rel="nofollow">research published Thursday</a> by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate."

Commenter fazalmajid has it right:

"Symantec has attained Too Big To Fail status. Symantec issues such a huge number of certificates that if a browser manufacturer blacklisted them, the browser would become unusable, and for this reason they are not able to hold Symantec (or Comodo) to account for blatant disregard of the rules."

David., 2016-08-26T06:52:04-07:00

Yet more CA malfeasance has been detected. <a href="https://www.techdirt.com/articles/20160825/12181835347/certificate-authority-gave-out-certs-github-to-someone-who-just-had-github-account.shtml" rel="nofollow">WoSign gave sub-domain owners certificates for the top-level domain</a>.

David., 2016-04-05T19:29:18-07:00

Speaking of <a href="http://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years" rel="nofollow">all-powerful Chinese hackers</a>.
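Two of the comments above turn on the same mechanism: a client validates a server certificate only against the roots it already trusts and only within the certificate's validity window. The shutdown comment is the expired-window case and the Wyden/DoD comment is the untrusted-root case (a certificate chaining to the DoD Root Authority is perfectly valid to anyone who has installed that root, and a warning to everyone else). The script below is an added example, not code from the blog or any of its commenters. It assumes a POSIX shell and an openssl binary (1.1 or newer, for `-attime`), builds a disposable two-root PKI in a temp directory, and runs `openssl verify` four ways: a leaf under a root the verifier trusts, a leaf under a private root the verifier does not trust, that same leaf once the private root is added to the trust store, and the trusted leaf evaluated 400 days in the future, past its `notAfter`. The root names and the hostname `www.example.gov` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the blog or its commenters. Builds a throwaway
# PKI with openssl (assumed installed, 1.1 or newer) and shows how chain
# validation reacts to the situations discussed in the comments: a leaf issued
# by a root the verifier trusts, a leaf issued by a private root the verifier
# does not trust (the DoD Root Authority case), and a certificate evaluated
# after its validity period has lapsed (the shutdown case). Every name here,
# including www.example.gov, is constructed for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_pki: two self-signed roots plus one leaf CSR signed by each of them.
build_pki() {
  # "public" root: stands in for a CA shipped in browser trust stores
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/public-root.key" -out "$WORK/public-root.pem" \
    -subj "/CN=Example Public Root" >/dev/null 2>&1 || return 1
  # "private" root: stands in for an agency-run root that browsers do not ship
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/private-root.key" -out "$WORK/private-root.pem" \
    -subj "/CN=Example Private Root" >/dev/null 2>&1 || return 1
  # one server key and CSR for a hypothetical hostname
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.gov" >/dev/null 2>&1 || return 1
  # the same CSR issued by each root, valid for one year from now
  openssl x509 -req -days 365 -set_serial 1001 -in "$WORK/leaf.csr" \
    -CA "$WORK/public-root.pem" -CAkey "$WORK/public-root.key" \
    -out "$WORK/leaf-public.pem" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 365 -set_serial 1002 -in "$WORK/leaf.csr" \
    -CA "$WORK/private-root.pem" -CAkey "$WORK/private-root.key" \
    -out "$WORK/leaf-private.pem" >/dev/null 2>&1 || return 1
}

# verify_chain CAFILE LEAF [EPOCH]: validate LEAF against the roots in CAFILE,
# optionally as of the given Unix time (-attime), the way a client that trusts
# only CAFILE would. Prints openssl's last line of verdict; exit status 0 only
# when openssl reported "OK" (matching the text, so old openssl exit codes that
# were always 0 do not fool us).
verify_chain() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
  fi
  printf '%s\n' "$out" | tail -n 1
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# report LABEL ARGS...: run verify_chain and print validates/REJECTED without
# aborting if the caller has set -e.
report() {
  label=$1; shift
  if verify_chain "$@" >/dev/null; then
    echo "$label: validates"
  else
    echo "$label: REJECTED"
  fi
}

demo() {
  build_pki || { echo "could not build test PKI"; return 1; }
  # 400 days from now is past the one-year notAfter of every leaf above
  later=$(( $(date +%s) + 400 * 86400 ))
  report "public-root leaf, today"          "$WORK/public-root.pem"  "$WORK/leaf-public.pem"
  report "private-root leaf, public trust"  "$WORK/public-root.pem"  "$WORK/leaf-private.pem"
  report "private-root leaf, root installed" "$WORK/private-root.pem" "$WORK/leaf-private.pem"
  report "public-root leaf, 400 days later" "$WORK/public-root.pem"  "$WORK/leaf-public.pem" "$later"
}

demo
```

The second and fourth cases fail for different reasons that openssl reports as "unable to get local issuer certificate" and "certificate has expired"; a browser turns both into the same interstitial warning, which is why an expired .gov certificate and a DoD-root certificate look alike to a visitor. The third case is the only remedy for a private root: shipping that root to every client, which the comment notes public browsers do not do. Note that `openssl verify` checks chain and validity only; a real client additionally matches the hostname against the certificate's names and, in Chrome's case, requires Certificate Transparency proofs as the Slate comment describes.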