How many Certificate Authorities do you trust?

31 08 2011

*disclaimer* This isn’t meant to be a shining example of a good blog post, so don’t take it as such. It’s me throwing this up quickly because I want you all to go read about this issue. */disclaimer*

Go ahead, I dare you. Open up the certificate store in the browser you’re using and tell me with confidence that you know what all those certificates are and exactly where they came from. Therein lies a problem. Users blindly trust that when the little lock icon appears they’re safe, and they would have no real idea if a Man in the Middle (MitM) was compromising a supposedly secure connection between them and anything (e.g., bank, Gmail, Yahoo, etc.).

This week, it was published that DigiNotar was hacked and bad SSL certificates were issued; users who received them may have been subject to attack. Read more here and here.

There are a number of ways to deal with this problem (DNSSEC, for one) if you approach it from a “how to fix the entire infrastructure” perspective. That’s daunting and unlikely to be very effective in the near term. You could also just worry about yourself so that you aren’t a victim – hey, we’re all looking out for number one, right? To do that, go download Perspectives, an extension for Firefox developed here at CMU. The short version is that it uses notary servers that query well-known sites and record the SSL certificates those sites are using. The notaries poll regularly, so they can tell you how long a particular certificate has been in use, and if you set the preferences to do so the extension will warn you when it suspects something may be amiss (for example, the certificate your browser was handed doesn’t match what the notaries have been seeing). You should read the long version on their site for yourself.
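To make the notary idea concrete, here is an added example (not code from this post or from the Perspectives project) that models the core check: compare the fingerprint your browser was just handed against what several independent notaries have recorded for that host, require a quorum of notaries to corroborate it, and treat a very young certificate as suspicious. All hostnames, notary names, fingerprints and timestamps are constructed; real notaries would fetch the certificates over the network.

```python
"""Notary-style certificate consistency check (added example, constructed data).

Models the Perspectives idea: several notaries independently record which
certificate a host presents over time, and a client compares the certificate
it just received against that history. Nothing here talks to the network.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class Observation:
    notary: str          # hypothetical notary name
    fingerprint: str     # hex fingerprint the notary saw
    first_seen: datetime
    last_seen: datetime


# Constructed fingerprints and a fixed "now" so the example is deterministic.
FP_OLD = "aa" * 32
FP_NEW = "bb" * 32
NOW = datetime(2011, 8, 31, 12, 0, 0)

# Constructed notary history for two hypothetical hosts.
NOTARY_DATA = {
    # Stable host: three notaries have seen the same cert for over a year.
    "mail.example.test": [
        Observation("notary-1", FP_OLD, NOW - timedelta(days=400), NOW),
        Observation("notary-2", FP_OLD, NOW - timedelta(days=398), NOW),
        Observation("notary-3", FP_OLD, NOW - timedelta(days=401), NOW),
    ],
    # Host that rotated its cert two days ago; one notary hasn't caught up.
    "bank.example.test": [
        Observation("notary-1", FP_OLD, NOW - timedelta(days=300), NOW - timedelta(days=2)),
        Observation("notary-1", FP_NEW, NOW - timedelta(days=2), NOW),
        Observation("notary-2", FP_OLD, NOW - timedelta(days=300), NOW - timedelta(days=2)),
        Observation("notary-2", FP_NEW, NOW - timedelta(days=2), NOW),
        Observation("notary-3", FP_OLD, NOW - timedelta(days=300), NOW),
    ],
}


def evaluate(host, seen_fp, observations, quorum=2, min_age_days=7, now=NOW):
    """Return (verdict, reason) for the certificate the client just received.

    verdict is one of:
      'alert' - fewer than `quorum` notaries have ever seen `seen_fp` for host.
                A certificate nobody else can corroborate is what an intercepted
                connection (or a mis-issued cert) looks like from the outside.
      'warn'  - corroborated, but younger than `min_age_days` at every notary;
                could be a legitimate rotation, worth a second look.
      'ok'    - corroborated and established.
    """
    matching = [o for o in observations if o.fingerprint == seen_fp]
    notaries = {o.notary for o in matching}
    if len(notaries) < quorum:
        return "alert", (f"only {len(notaries)} of {quorum} required notaries "
                         f"have seen this certificate for {host}")
    age_days = max((now - o.first_seen).days for o in matching)
    if age_days < min_age_days:
        return "warn", f"certificate for {host} is only {age_days} day(s) old at the notaries"
    return "ok", (f"certificate for {host} corroborated by {len(notaries)} notaries, "
                  f"in use for {age_days} days")


def check(host, seen_fp, notary_data=NOTARY_DATA, **kwargs):
    """Look up the host's notary history and evaluate the presented fingerprint."""
    return evaluate(host, seen_fp, notary_data.get(host, []), **kwargs)


if __name__ == "__main__":
    for host, fp in [("mail.example.test", FP_OLD),
                     ("bank.example.test", FP_NEW),
                     ("bank.example.test", "cc" * 32)]:
        verdict, reason = check(host, fp)
        print(f"{verdict:5s} {reason}")
```

The quorum and minimum-age thresholds are the knobs a user would tune: a higher quorum tolerates fewer misbehaving notaries, and a longer minimum age trades more false warnings on legitimate rotations for a better chance of catching a freshly mis-issued certificate.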

*UPDATE* I was clued in to the fact that another tool was recently built and briefed by a well-known researcher named Moxie Marlinspike. I believe he has used Perspectives as an early model, though I’ve not confirmed this for myself. So, perhaps you want to use his tool instead, though it’s in beta and may not support Firefox v6. Link here.

Who can’t wait to get to week 4 when we start crypto?