Recent breaches have tarnished this Web security technology. Here are five ways to keep it going. By Paul Roberts

ne year ago, Gmail users in Iran woke up to a chill- mount a “man in the middle” attack to intercept thority in Beverwijk, Netherlands. DigiNotar ad- ing prospect: Their sensitive and supposedly se- and decrypt email sent to Google’s servers before mitted that it had been the victim of a cyberat- cure communications on Google’s email program passing the messages along to the intended tack a month earlier whereby the attackers gen- may have been tapped by unknown parties. A recipients. erated hundreds of bogus certificates in the Ophony digital certificate in Google’s name was In the search for the source of the phony certifi- names of some of the Internet’s most trusted used to impersonate the site and let the culprits cate, all eyes turned to DigiNotar, a certificate au- brands, including Google, Yahoo, Skype and the darkreading.com Copyright 2012 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article November 2012 3 reprints, e-prints and permissions please contact: Wright’s Reprints, 1-877-652-5295 / [email protected] anonymity network Tor. Use of the fraudu- CA Compromises Come In Many Flavors lent certificates was concentrated among There’s more than one way for attackers to obtain fraudulent certificates that can be used to impersonate legitimate Iranian users, leading to speculation that the websites. This diagram presents various scenarios. D CA Key Theft: Steal attack was linked to that country’s intelli- or derive copy of gence ser vices, which have been cracking certificate authority private key and issue down on political dissidents. RA Compromise: fraudulent certificates The DigiNotar attack was the worst security Infiltrate registration authority or steal compromise at a certificate authority to date. credentials and authorize fraudulent Certificate But it was hardly the only such attack. It Authority certificates B came just months after an attack on a busi- Impersonation: Trick Registration ness affiliate of Comodo, a New Jersey CA. In registration authority Authority that incident, the attackers generated phony into issuing a fraudulent C certificate A certificates also in the names of prominent CA System online brands. Compromise: Use malware or other These successful attacks were earth shaking infiltration tactic to get because digital certificates and the encryp- fraudulent certificate signed by certificate Hacker tion keys they represent are the bedrock of In- authority (without ternet communications. They secure every- getting copy of CA key) thing from VPN connections to protocols such as TLS (Transport Layer Security) and SSL (Se- organizations before issuing digital certifi- der attack from sophisticated and possibly cure Sockets Layer) that protect billions of cates that contain the public and private en- nation-backed hacking crews, exposing Web sessions and online transactions daily. At cryption keys used to secure online ex- security lapses and poor internal controls. the heart of this system is a global public key change of information. The current system leaves security-con- infrastructure network of some 300 CAs en- At least that’s how it's supposed to work. scious businesses in a pinch. More than ever, trusted with issuing certificates to individuals As the DigiNotar attack revealed, CAs aren’t they need secure and reliable identity services and organizations. Fort Knox-style identity vaults but rather are to back up their growing online presences, Certificate authorities are gatekeepers. businesses subject to their own security but the system in place is more vulnerable They verify the identities of individuals and mishaps. In the last year, CAs have come un- than ever.

darkreading.com November 2012 4 What’s to be done? Many experts say certifi- CAs, letting them issue cer tificates that are site that offers a suspicious or expired cer- cate technology still has a future and that se- accepted worldwide. Microsoft alone recog- tificate. If you need a certificate for a website curity-conscious organizations can protect nizes more than 300 CAs linked to more or other purposes, companies such as themselves by understanding the gaps in the than 80 organizations, says Hurst, who man- VeriSign and Go Daddy make buying system and taking common-sense steps to aged that company’s root server and other one easy and affordable. avoid them. cryptographic initiatives for close to a Convenience aside, all of those private and decade. commercial CAs make for a rickety identity A Disjointed Ecosystem Most Internet users have only a passing fa- infrastructure, says Craig Spiezle, executive DigiNotar’s compromise and the resulting miliarity with this global system of online director and founder of the Online Trust Al- collapse of that certificate authority exposed trust. Most major online service providers of- liance, a nonprofit that promotes privacy, se- deep cracks in the global PKI system. Chief curity and identity best practices. “So much among them is the sheer number of organi- of the Internet relies on SSL and the whole “So much of the Internet relies on zations with a license to issue certificates and chain of trust,” Spiezle says, “but it’s a vouch for online identities. SSL and the whole chain of trust, confusing, convoluted and disjointed An offshoot of the development of SSL by but it’s a confusing, convoluted ecosystem.” Internet pioneer Netscape, CAs were envi- and disjointed ecosystem.” First, there’s no single list of supported root sioned as highly secure and single-purpose CAs. Instead, each browser platform has its — Craig Spiezle, Online Trust Alliance facilities, akin to passport offices, says Ryan own policies for selecting the root CAs it rec- Hurst, a cryptography expert and CTO at ognizes. That means each browser supports GlobalSign, a CA. fer their users the option of communicating a slightly different mix of CAs, with lots of As use of the Web and e-commerce ex- over encrypted connections; many even re- overlap, says Serge Egelman, a security re- ploded, however, the job of issuing certifi- quire it. The major browsers offer Web users searcher at the University of California, Berke- cates turned into a business — and a prof- clear visual cues to let them know when a ley. Second, the sheer number of competing itable one. Dozens of companies entered the particular session is protected using SSL or CAs has created a race to the bottom, he says, market, led by firms such as VeriSign (now some other encryption method. These cues putting financial pressure on companies to owned by Symantec). National govern- include the well-known “padlock” icon in cut corners. ments, large corporations and commercial the URL bar. Browsers keep track of rep- Further down the chain of trust, browser certificate vendors set up their own root utable CAs and warn users when they visit a makers such as Microsoft, Google and the

darkreading.com November 2012 5 Mozilla Foundation worry that they’ll drive attackers then used that account to generate berg. Poorly implemented SSL and certificate fickle users to other platforms if they issue too nine fraudulent certificates, signed by Co- infrastructure within organizations is also a many security alerts and warnings, so they modo, for seven domains, including big problem. bundle into their software a liberal list of CAs google.com and yahoo.com. SSL Pulse, a real-time online dashboard whose certificates they accept. This approach In an age of nation-backed attacks, certifi- that surveys the security of close to 200,000 lessens the likelihood users will get an irritat- cate CAs with ties to authoritarian regimes SSL-enabled websites, documents the over- ing error or warning message when connect- also bear scrutiny. Felix Lindner, the hacker all health of the SSL eco sys tem based on ing to a website, but it also increases the known as FX, says travelers connecting to several measures, such as proper configura- chances that certificates from a compromised online services within China should treat tion and the strength of the encryption keys or disreputable CA will be trusted, Egelman even secure Web sessions there with skepti- used to sign certificates. Close to 40% of the says. cism. “We’ve seen [fraudulent] certificates sites that are monitored support weak or in- Having so many companies with a hand in that checked out as valid on iPhones and secure cipher suites of 128 bits or less, while issuing certificates also extends the risk. That other Apple devices for sites like mac.com,” about a third still support the 17-year-old was evident in the case of fraudulent certifi- he says. “Your little lock icon is not good in SSL v2.0 protocol, which is known to be in- cates issued by Comodo, in which attackers China.” secure, according to SSL Pulse. compromised an administrative account at a In response, Microsoft and other vendors Comodo reseller, which was acting as a regis- Poor SSL Implementation are putting pressure on software publishers tration authority, a sort of subordinate CA. The Compromised CAs are just the tip of the ice- and downstream websites to clean up their

Certificate Authorities Under Attack Jan. 2001 July 2003 aug. 2008 Dec. 2008 March 2011 May 2011 June 2011 June-Sept. 2011 Sept. 2011 nov. 2011 Feb. 2012 Sept. 2012 VeriSign issues Thawte warns Thawte issues Comodo issues Comodo issues Flame malware StartSSL CA DigiNotar CA Researchers Dutch CA KPN Trustwave is Researchers release Microsoft code customers of certificate for Mozilla.org nine counterfeit authors forge compromised. compromised, reveal details of says it will cease caught issuing Crime attack, signing certificate doppelganger Live.com, a certificate to Start- certificates Microsoft CA 531 fraudulent Beast attack on operations “skeleton key” allowing hijacking to a non-Microsoft certificates. Microsoft Com. Researchers (Google, Yahoo, certificates using certificates issued. common SSL temporarily certificates that of HTTPS sessions. employee. website, to a use MD5 collision Live.com, etc.) MD5 collision Dutch govern- deployments at after detecting let its customers non-Micro soft attack to forge SSL following attack. ment experiences Ekoparty hacking a breach. spy on their employee. certificate at Chaos compromise major outages. conference. employees’ Computer Club at registration communications. conference. authority. darkreading.com November 2012 6 acts. Microsoft recently raised the mini- sands of server certificates.” the idea of saving his employer the cost of ob- mum certificate key length requirements Ideally, a company keeps an inventory of taining hundreds of application-specific cer- allowed for use with Windows applica- those certificates and tracks their creation tificates from an outside vendor. Those certifi- tions, blocking any application that uses date, expiration date and who, internally, is re- cates, used for mission-critical internal keys of a length shorter than 1,024 bits, con- sponsible for them. But that’s rare, Turner says, ap plications, were given 10- to 20-year life - sidered a baseline for security. and the volume of certificates makes manag- spans, but the CA itself only had a five-year That’s a start. However, most SSL deploy- ing them difficult. lifespan. Had the problem not been identified, ments aren’t visible to outside services such At one customer, Venafi staff found that an Turner says, all the issued certificates would as SSL Pulse. Large companies, and some IT administrator had set up an ad hoc CA with have expired simultaneously, crippling the small ones, also can be their own certificate authorities, creating signed certificates for Beyond SSL: The Convergence Project use by internally developed or deployed applications. he compromise and eventual collapse of Dutch certificate authority DigiNotar was a dis- A typical global company might own hun- aster for the tens of thousands of private and public sector organizations that relied on dreds of certificates issued by third-party CAs Tthe CA to vouch for their online identities. Furthermore, many governments — including to secure communications on public-facing Iran and China — maintain their own CAs, which are recognized by software publishers and systems, says Paul Turner, VP of products and browsers but can become problematic in the age of state-sponsored attacks. strategy at digital key management firm Ve- Enter Convergence, the brainchild of SSL security expert Moxie Marlinspike. Based on re- nafi. And internally, that company might man- search done for the Perspectives Project at Carnegie Mellon University, Convergence aims to age tens of thousands of application-specific replace the static list of trusted CAs with a dynamic, global network of “notaries” who vouch certificates signed by an internal CA. So it’s no for the identity of a given website. surprise that security and management prac- Convergence provides what Marlinspike calls “trust agility.” Users choose which notaries tices are all over the map. they trust and for how long — granting and revoking trust themselves, rather than deferring “This is infrastructure that has grown organ- trust decisions to browser makers, governments and other authorities. ically within organizations,” Turner says. “We For now, Convergence is in the beta stage, with two notaries (Marlinspike’s Thoughtcrime have customers who, eight years ago, had Labs and security firm Qualys) and a free Firefox plug-in. However, the plan is to get more hundreds of certificates that they managed. notaries to sign up, expand Convergence to work with more browser platforms and begin Four years ago, it was thousands. Today, it’s offering Convergence as an alternative to certificate authorities. — Paul Roberts tens of thousands or even hundreds of thou- darkreading.com November 2012 7 company’s operations. graphic keystore management to IT staff, any man researchers discovered that more than Stories like that aren’t unusual, according one of whom could export the private keys a thousand of the most popular free mobile to Turner. “The folks who work within these for their own use. And the credentials for ac- applications on Google’s Play marketplace organizations are not encryption experts,” cessing these keystores are frequently hard- fail to properly implement SSL and TLS. In a he says. “Often, they follow the path of least coded into internal applications that retrieve paper presented at the Conference on Com- resistance.” encryption keys to secure application-to-ap- puter and Communications Security (CCS Loose security practices are common in plication transactions and communications. 2012), the researchers, from two leading Ger- other parts of the trust chain, Turner says. Hundreds of applications within an organiza- man universities, presented the results of an tion might all have the same keystore pass- audit performed with an automated tool, “This is a relationship that goes word written into their code, creating an enor- dubbed MalloDroid. They found that 1,074 of mous disincentive to update the passwords, the 13,500 popular free applications tested beyond the delivery of a shrink- Turner says. on Play has SSL and TLS implementations wrapped product. You have The results are predictable: Banks and that left the applications open to man-in- dependency on them long after other financial services organizations that the-middle attacks. they’ve issued you certificates.” might force users to update their laptop In many cases, application developers relied password every 90 days may rely on a years- on dodgy SSL trust managers or hostname — Ryan Hurst, GlobalSign, on picking a CA old and insecure password, known to current verifiers. Many applications didn’t bother to and former employees, to protect their cer- perform authentication. Rather, they simply Web servers, database servers and other crit- tificate keystore, he says. allowed the application to trust any certifi- ical systems each have their own crypto- cate, regardless of who signed it, and any host graphic keystores, in silos, spread across the Apps And Developers In The Crosshairs that offered a certificate, regardless of organization. And 95% of all cryptographic Even when the underlying certificate in - whether the certificate offered was for the keys are stored in software, not tougher-to- frastructure is rock solid, enterprises can end host offering it. break hardware security modules. Instead, up exposed because of loose coding prac- Application developers don’t have a good each platform stores them in a different lo- tices and improper design weaken crypto- understanding of cryptography or how PKI cation, with different levels of protection, graphic protections in common software such implementations work, GlobalSign’s Hurst Turner says. as Web browsers and mobile applications. says. One reason is that the tools they use — Worse, administrators delegate crypto- In the latest example of this problem, Ger- such as cryptographic APIs — assume a high

darkreading.com November 2012 8 level of understanding of those topics. The re- ing and staid world of issuing SSL certificates application owners are and how to contact sult is shoddy SSL implementations. isn’t so boring anymore. Many organizations them. Document which CAs issued certifi- “The problem with Android isn’t so much ir- that relied on the DigiNotar CA — the Dutch cates, their expiration dates, the algorithms responsible developers, but APIs that are de- government among them — found them- used and key lengths. signed for folks like me, not for your typical selves in a quandary when that CA failed. Finally, document the trust anchor for each developer,” Hurst says. They were unsure of how many certificates CA — the CA that would be used to validate they needed to cancel and reissue, and they the certificate (typically, the root CA) and Five Steps To SSL Success lacked a quick back-up plan. It can take days make sure you have the contact information So what’s a security-conscious company to or weeks to get up and running with a new for that organization and know the proce- do? Despite the many technical and organi- CA and replace all of your certificates, Venafi’s dures necessary to revoke and replace any zational challenges involved with deploying Turner warns. And, if a CA has been compro- compromised certificates. a secure, reliable SSL infrastructure, organiza- mised, you probably won’t be the only organ- 4. Have a key management strategy. One tions can take five simple steps to implement ization scrambling for a safe harbor. Turner of the biggest exposures large companies digital certificates securely and reliably. recommends having a back-up CA, with a list have to SSL risk is through their critical, 1. Pick your CA carefully. As we noted, the of domains you need authorized and the legacy internal applications. Many of these market for certificates is competitive, and ability to churn out replacement certificates companies use SSL or SSH (Secure Shell) en- sometimes you get what you pay for. When on short order. cryption to secure communications with picking a CA, do your homework. 3. Know your environment. A first step to users and with other systems with which they “You’re picking a business partner, not buy- SSL sanity is knowing which certificates are interact. However, most organizations have ing a product,” Hurst says. “This is a relation- floating around in your organization’s name. only a cursory understanding of how those ship that goes beyond the delivery of a That list should include certificates issued by keys are implemented. shrink-wrapped product. You have depend- public and internal CAs. Do an inventory, re- Companies rarely have a way to change the ency on them long after they’ve issued you viewing all of your applications and servers, many old, easy-to-break embedded keys and certificates.” Look for CAs that are prepared to noting any certificates they pass and any insecure protocols they have in use, and help you address issues such as key manage- they accept from “relying parties” — the in- they’re wary of incurring downtime to do so. ment, key revocation and phishing. dividuals and systems that electronically in- Address the problem head-on by making an 2. Prepare for the worst. If the past year teract with the certificate holder. Next, iden- inventory of the encryption keys used within has taught us anything, it’s that the once bor- tify and document who the system and your application infrastructure, assessing their

darkreading.com November 2012 9 strength and security, and devising a plan to ployments, ensuring that they meet industry and other development tools that enforce replace weak keys and strengthen protections standards for secure implementation. Make best practices, make it easy to understand for all your keys, such as with a hardware se- sure that your SSL implementation uses se- configuration changes that can increase se- curity module. cure protocols and unbreakable ciphers, and curity, and limit the options available to av- 5. Clean up SSL deployment and imple- that you’re using SSL to encrypt all of the traf- erage developers. mentation. Misconfiguration of SSL servers is fic from your website. For internal or special- endemic. As Qualys’s SSL Pulse tracker has purpose applications, consider limiting the list Write to us at [email protected]. shown, many companies continue to rely on of supported CAs to limit your exposure to or support outdated protocols and vulnerable forged certificates. ciphers. Our experts recommend performing Platform vendors such as Apple, Google an audit of your public and private SSL de- and Microsoft would do well to create APIs

darkreading.com November 2012 10