While you thought it was here to help all along, things like this happen all the time: A Spotify publisher was down Monday night. The culprit? A lapsed security certificate
Public Key Infrastructure is pervasive and some would say it brings great benefits and makes the internet better. You can’t disagree that being able to encrypt our connections with the websites and services we use has security and privacy benefits, but while the concept of PKI sounds good on paper, it seems to be a solution that has many issues, and has created some issues of its own.
(Note: Wireguard is a great example of how to do public key encryption without public key infrastructure)
One: PKIs Behaving Badly
You are supposed to trust PKIs. But can you really trust them? What if a PKI authority fails to verify if someone owns a domain (CertStar 2008), creates intentionally certificates for domains without the knowledge of the owner (ANSSI 2013), or it is plainly hacked and abused (Diginotar 2011). Well, apparently there is a certification for Certificate Authorities that should guarantee that they take appropriate security measures, WebTrust CA. All Certificate Authorities that are certified should be secure, right?
Diginotar, as far as you can check, was WebTrust CA certified! This means that any Certificate Authority being certified does not mean being secure. This either means that WebTrust certificate is useless or our trust in a Certificate Authority is disconnected to it being certified or not.
Two: Who can create a CA?
Anyone! The only gatekeeper for the creation of Certificate Authorities is the pre-installed root list that comes with the most popular operating systems and browsers. If you get included in the list, the user does not need to install your root certificate, which is complicated for many users. Misbehaving CAs are so problematic that a patch was necessary, Certificate Transparency.
Recent developments in EU Law will not make this problem neither better, nor worse.
Three: Who owns the digital certificate, Jekyll or Hyde?
The methods used to validate who owns an ID are different between different Certificate Authorities, an ID can be a URL, an email or any other identifier. So the level of assurance of a certificate issued by different CAs is not only different, but the final non specialist user has no way to determine what level it is.
Four: Warranty aka Responsibility
So anyone with enough money and influence can create a CA, secure it to unknown levels of security, and finally implement inconsistent methods of validation of IDs. So what degree of trust does a user get from this setup? None. No user has ever received compensation for any damage caused by a unreliable or bogus certificate. Certificate Authorities do not provide any warranty on the certificates they issue beyond being compliant with technical standards. As Ian Grigg notes, this creates a race to the bottom in certificate quality between CAs.
Five: Lack of Usability
Users should be able to check if a website is authentic, and current. But how do users, including professionals, check if they are connecting to the right website? Doing a search in a search engine, not checking the digital certificate.
Can you improve your security rotating your key more often? No, it is hardcoded by CA and industry practices. Can you rotate your key less often as your environment is low security and does not need it? Again, no you can’t, and many companies suffer incidents related to certificate renewal.
Conclusion
PKI does not deliver hardly any of the benefits it is supposed to. But there is no current alternative so we are stuck with it. Why are most issues identified in PKI Problems Draft RFC version 0 gone in version 5? Are the issues solved, or perhaps there is an interest to keep them muted?
Sometimes one wonders if PKI was a clever way to prevent public key cryptography from being widely deployed to final users…. ever notice how client server side certificates are almost never used due to the many implementation hurdles?
Final note: The PKIX workgroup that publishes Digital Certificates standards has been closed for 10 years now. Are they perfect now?
Sources:
Source link
lol
