Wednesday, October 6, 2010

Who do we trust

In the old days of the internet (10-15 years  ago) there used to be about 10-20 trusted root ca's installed on my operating system. On my windows-xp machine at work i have hundreds.

For those of you who don't know what i'm talking about, here's a basic intro:

Root Certificate Authorities

When you connect to certain websites you will see a "Secure lock" icon appear in your browser in an address that starts with https.
What this is supposed to mean is that the connection is "secure".
This security is provided by a number of protocols, most importantly each website has a certificate that says "the company X owns this address".
Now the problem is that you can't just take someone at their word - you need some trusted third party that verifies that this person is who they are.

This is a similar idea to personal id- your government serves as a trusted authority that provides a certificate (id) that verifies someone is who they say they are.
In the world of the internet, this authority is called a Certificate Authority (CA).

The difference between the government and the internet in this case is that we implicitly assume that the government is a trusted issuer of id's.
In the world of the internet, there is no accepted, trusted authority that we can count on to produce these id's. Several commercial organizations then took this role and has been accepted as "trust worthy".
This makes them what is known as Trusted Root Certificate Authority.
What this means is that certain organizations were accepted as trusted and are allowed to ascertain  the identity of others.
The root ca is responsible for the validity of the certificates it provides and holds the power to revoke them if they are misused or stolen.

The problem is that once a certificate authority is accepted as root, it holds tremendous power for abuse.
So when you find yourself with hundreds of them installed on your machine - then something is very wrong.
What could a rouge root certificate authority do with it's power?

First of all, a rouge root ca is in a sense unstoppable - once a certificate is accepted as trusted on your machines local certificate store there is no "higher authority" that can revoke the certificate.

If someone gains control of a root certificate authority they can use it to fake the identity of anyone.
This opens up all "secure" traffic to an undetectable man-in-the-middle attack.

Main In The Middle

in  a man-in-the-middle attack works something like this:
say that you and i talk to each other on the phone.
we both assume that you are listening to me when i say something, and that when you speak i am hearing you talk.
now let's assume we've never met and neither of us knows what the other one sounds like.
I call you and i assume you answer, but in fact some other person is on the other end and he is on a separate call with you.
They repeat most of what i am saying to you, and most of what you are saying to me.
But since they are in the middle of the line, they can change what is being said.
Neither one of us is even aware that something is wrong...

This is the essence of a man in the middle attack. On the internet, the equivalent to you and me knowing what we sound like is the certificates given to us by the root certificate authority.

What could someone do if they were able to impersonate a root ca?
They could monitor any secure channel you have - you email. your Facebook account, basically anything you log into. They could also act on your behalf and you would not even suspect something is wrong, no software would alert you, no anti virus.


My intention is not to alarm anyone about someone reading your emails because of compromised root ca, but to point to the fact that the more root ca's are installed by default on our operating system, the grater the chance that one of them is compromised.
And that my computer has root ca's installed by certificate authorities around the world, many of which i do not consider the least bit trustworthy.

No comments: