Ben Laurie is right though; the fact that shoddy CAs will cut you a cert for MOZILLA.COM (or presumably anyone else) without verifying who you are does kind of steal some of the thunder from today's announcement.
What's really fucked up here is that Verisign will never hear the end of it about mistakenly issuing a Microsoft certificate in 2001 --- it was just mentioned again in the New York Times --- but in 2008 Comodo can just mint certificates for random companies without checking, and all it merits is a blog post.
Let me ask some basic questions, that I might someday know what I'm talking about on this topic.
I can self-sign certs. The problem is that no browser recognizes my self-signed certs, so they put up dialog boxes filled with warnings. (Which many users will just dismiss without a second thought, since they are very used to their machines crying wolf. But let's ignore that big problem for now.)
So the problem is that some of the CAs whose credentials are pre-installed and pre-trusted in various browsers or clients turn out to have shoddy verification practices. Does the answer to this involve Mozilla, Webkit, Microsoft et al. decertifying these CAs, which would turn them into the equivalent of someone like me, signing certificates in his basement?
I guess the problem with that is that all the existing paying customers of these CAs would wake up one day to find that their certs don't work anymore and that their money was wasted.
What is the answer to this problem? What kind of contract do you have to sign to become a CA, and with whom?
If you ask me, the biggest problem is that we've acclimated the whole user population of the Internet to ignorance and a cavalier attitude towards security. Companies like Comodo "get away" with stuff like this because people see certificates as a nuisance --- they're a pain to request, a pain to install, and they make browsers complain.
The fact is that SSL simply doesn't work without the PKI component. The PKI component is most of the actual security in SSL. But because technical people get away with saying "even if you're not authenticated, you're at least encrypted", it isn't the end of the world when Comodo (or RapidSSL) screws up.
As for "what kind of contract do you need to sign", what you need to do is convince Microsoft and Mozilla to add you to their root CA store; both organizations have standards and practices, and both incur an audit, and neither are particularly inclined to add more CA's (there's a bit of grandfathering that appears to happen here).
A bit of an aside, but it used to be damn near impossible to get a root cert in IE (think mid to late '90s). I would love to know how Thawte managed the hat truck of getting approved so long ago when it was clear the big boys wouldn't let anyone else in.
Shuttleworth deserves credit for creating a good company; lots of hard work, for sure. But it couldn't have happened without getting approved my Microsoft. How a young man from Cape Town pulled this off seems to be an untold part of his success story.
Thawte is apparently one of the fuckups in the Sotirov et al report from this morning. Paul Kocher, one of the designers of SSL3/TLS, told the NYTimes that he was astonished that anyone would rely on MD5 in 2008; is it possible that nobody at Thawte really understands how SSL and x509 works? If so, is it really an industry success story that they got included with IE?
Thawte is unfortunately not the same company anymore. It doesn't surprise me a bit that Verisign let it degrade.
Thawte _was_ a success story for its time. When Shuttleworth created it he severely undercut prices which is why Verisign had to buy them since he was quickly working up the food chain. After Verisign bought them, they carefully controlled the product offering to keep it the low-price step-child that it is today.
I have used Thawte a few times but the last few years I have been dissatisfied. Do you have any recommendations? I would like to give my business to someone other than Verisign if possible.
"But because technical people get away with saying "even if you're not authenticated, you're at least encrypted", it isn't the end of the world when Comodo (or RapidSSL) screws up."
Speaking for myself, the causality flows in the other direction. Because there will always be somebody like Comodo who will issue certs with insufficient verification (Comodo being an extreme but there's been a long history of merely insufficient verification; ISTR a lot of "fax me a letter on official letterhead", which is just total BS), the PKI component of SSL, being basically a binary yes/no system, is fundamentally flawed. Market forces compel a race to the bottom in this situation and there's just no way around it. (Not even moving it to a government function; nobody is immune to having money waved under their nose.) So all you get from SSL is encryption, not authentication. Whether you like it or not.
If you really insist on the dichotomy of "SSL provides either perfect security or no security", then the answer is, it provides no security, because it is impossible to use it properly.* The legitimate owner can do everything right and still get CA-rooted with non-zero (and significant-in-practice) probability.
If that's a problem, get designing and implementing.
* Or, even more precisely, the only proper use is to use a separate communications channel with the website to verify the key they are sending out, regardless of who putatively signed the cert. And this use is a myth in the general case, because I can't imagine more than the barest fraction of SSL sites have ever gotten this query and I bet the majority of organizations would either have no idea what to tell you since you can't talk to the guy who knows (if any), or would even think you were a hacker or something trying to get something from them you shouldn't.
Everything you put in the footnote there? That's how SSL actually works. Your computer shipped with a browser (a seperate communications channel) with trusted anchor keys.
No. I'm saying, the trusted anchor keys aren't trusted. You think they're trusted, but they aren't. The trust necessary for SSL to be truly secure can't exist in the real world. If you're not checking the site's key directly with no reference to the trusted keys, you don't have "security".
If you want to be a CA, you need to get Microsoft and Mozilla (among others) to include you in their list. I can't find Microsoft's policy, but Mozilla's CA Certificate Policy is here: http://www.mozilla.org/projects/security/certs/policy/
There are operational requirements and management attestations that must be made such as "WebTrust Principles and Criteria for Certification Authorities".
WebTrust is an accounting entity; it's just a process formalism that allows companies like KPMG to "audit" CAs. I went down that rabbit hole and found the WebTrust standards document:
The technical material in these documents is about FIPS compliance for hardware crypto, key size, and backup/restore; in other words, the exact same stuff you'd read in a Common Criteria document, utterly divorced from actual operational or code security. Compare to the new PCI-DSS standard: on paper, it is actually harder to process an individual VISA card than it is to run a CA.
Neither document contains the letters "M-D-5" or requires serial numbers to be randomized. However, the majority of CAs do randomize serial numbers, suggesting a best practice that simply isn't included in the industry's CA certification standard.
The link you provided to the Bugzilla report on adding GeoTrust/RapidSSL is almost offensive; it reads: "we got audited by KPMG, here's our address", "ok, fill out this document", "ok, we'll add you to the next release".
I'm surprised and a bit skeptical that every CA (except for one) randomizes serial numbers without it being published in a standard or guidance document somewhere. Best practice usually has something worse than a (n - 1) distribution.
was the "one" in those articles? I didn't see. Anyway, who do you trust to buy certs from? I need to get a new one soon and would like recommendations.
do average people even care about a lack of SSL? Do they even notice if a site doesn't have one? I honestly don't see an average user being savvy enough to look for one.
Seems to me, that for most people the presence of SSL is completely meaningless.
Does anyone have any concrete data on the effects of SSLs on sales that comes from a neutral source?
If you accept credit card payment without SSL protecting the entry of the card and CVV2, you are in violation of PCI DSS standard 4.1. Depending on your relationship with your acquiring bank or payment processor, that will result in a passthrough of fines and any fraudulent charges that are incurred, along with possible termination of your account.
Now, for the research on SSL and UI, there is good research on this. My favorite is The Emperor's New Security Indicators - http://www.usablesecurity.org/emperor/
"We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords."
Users will be happy with no encryption than with a self signed cert.
Personally i think the best solution would be SSH style for most sites (the certificate is stored on first visit and changes are flagged as suspicious), with physical distribution of public keys for sites that really needed security (e.g. banks).
What's really fucked up here is that Verisign will never hear the end of it about mistakenly issuing a Microsoft certificate in 2001 --- it was just mentioned again in the New York Times --- but in 2008 Comodo can just mint certificates for random companies without checking, and all it merits is a blog post.