
Browsers and Operating Systems come with a set of default SSL certificates for well known organizations, such as root certificates from CAs.

I understand that the trust model is as follows: I pick (actually my software's developers pick for me) a few major certificate authorities and decide I trust them. While I hardly ever go to the sites of these CAs, the sites I do go to use certificates that are dependent on the CAs, such that I automatically trust any certificate descended from a root certificate that I trust.

However, I actually trust the sites I visit more than the root CAs. So, I don't want to use this tree-based model. Instead, I would like it to be my personal responsibility to individually verify and store the certificate of every site I visit. I understand that this may introduce risks since my own resources for detecting compromised certificates are limited.

It seems like I could do this today: I can delete all my root certificates, and just start adding exceptions for every site I visit (assuming that I decide to trust them). However, this would introduce a very frustrating adjustment period where my browsing is frequently interrupted by having to constantly add exceptions for sites I browse frequently.

I further imagine that this impracticality can be easily solved: Many sites I visit are uncontroversial, trustworthy, straightforward cases like Google, StackExchange, news sites and so forth. If a few random strangers on the internet all agreed that a certificate is the legitimate SSL certificate for www.cnn.com, I could believe them and just use the certificate they gave (what are the odds that these people have compromised the certificate of CNN and at the same time conspired to fabricate an apparent consensus in favor of the forged certificate?). So, there could be a crowd-sourced online repository of common, uncontroversial sites so that I can simply download their certificates in bulk every year or so and massively reduce the number of exceptions I need to add. Obviously, sensitive cases like my bank would not be included in this repository - I would manually vet that certificate myself after careful consideration.

This would eliminate my need to trust root certificates, and eliminate the risk of compromised or malicious CAs. In exchange, the new risk is that there happens to be a very concerted operation to poison the repository with forged certificates of an inconsequential site that has been compromised just as I download my certificates for the year (I can further compare those to the ones I already have and scrutinize unexpected changes). The impact on usability is negligible: After installing my browser, I just need to download a zip full of certificates and dump them into my certificate cache. I would now need to personally decide whether to trust obscure or sensitive sites instead of automatically trusting them through the root certificate, but perhaps that is not such a bad thing.

Is this sort of model possible? Does such a repository already exist? Are there important flaws that I have failed to consider?

Note that I am interested also in implications of long-standing security problems. For instance, I think it is interesting to consider the implication of adopting my above proposed scheme, given the possibility that my root CA and my bank have already been compromised and have been so for several years.

Superbest

2 Answers


The model you're talking about is Certificate and Public Key Pinning. The primary flaw is maintainability; it's the traditional hosts-versus-dns issue with the added burden of making sure your manual updates are trustworthy (because if you don't pay attention there, you haven't gained anything).

It also may be harder to manage support for it in your commodity software. I note that Firefox seems to have added something for it. Chrome has had some pinning since Chromium 13, although it's not clear to me that it's a user-accessible interface.

In short, it's a good idea, not trivial to set up, harder to maintain over time. It makes sense in certain limited scopes of highly sensitive trust relationships (your bank is a good one), but not as a general way of life.

gowenfawr
"Chrome [...] it's not clear to me that it's a user-accessible interface." -- I don't think it is. It's pre-loaded and if your site is large enough for Google to listen to you, then you can get on the list. (Bottom paragraph from [Adam Langley's 2011 blog](https://www.imperialviolet.org/2011/05/04/pinning.html) is still current I think.) – StackzOfZtuff Dec 31 '14 at 14:24
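To make the pinning model from the question and this answer concrete, here is an added Python sketch (not code from the question, the answers, or any browser) of a per-host pin store: a host is accepted only if the certificate it presents matches a pin already recorded for it, and a bulk import of crowd-sourced pins never silently overwrites an existing pin but reports the conflict for manual scrutiny, which is the "compare to the ones I already have" check the question proposes. The certificate bytes are constructed placeholders so the example runs offline; in a real client the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)`. The host names and the `PinStore` class are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder "certificates" (not real DER) so the example
# runs offline. Real DER bytes come from
# ssl.SSLSocket.getpeercert(binary_form=True).
CONSTRUCTED_CERTS = {
    "www.cnn.com": b"constructed DER for www.cnn.com, 2014 key",
    "stackexchange.com": b"constructed DER for stackexchange.com",
    "bank.example": b"constructed DER for bank.example (manually vetted)",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class PinStore:
    """Per-host set of acceptable certificate fingerprints.

    This replaces the CA root store: a host is reachable only when the
    certificate it presents matches one of the pins recorded for it.
    """
    pins: dict = field(default_factory=dict)

    def pin(self, host: str, der: bytes) -> None:
        """Record a certificate the user has personally vetted for host."""
        self.pins.setdefault(host, set()).add(fingerprint(der))

    def evaluate(self, host: str, presented_der: bytes) -> str:
        """Decision for a TLS handshake with `host`:
        'match'    - fingerprint is pinned, proceed
        'unpinned' - no pin at all; user must vet and add an exception
        'mismatch' - host is pinned but the certificate differs: either a
                     man-in-the-middle or a legitimate key rotation; refuse
                     until the user has verified the new key out of band
        """
        pinned = self.pins.get(host)
        if not pinned:
            return "unpinned"
        return "match" if fingerprint(presented_der) in pinned else "mismatch"

    def merge_bulk(self, bulk: dict) -> list:
        """Import a crowd-sourced bulk list {host: hex fingerprint}.

        Hosts without a pin are added. Hosts that already have a pin are
        NOT overwritten; a differing bulk entry is returned as a conflict
        so the user can scrutinize an unexpected change (or a poisoned
        repository) instead of trusting it automatically.
        """
        conflicts = []
        for host, fp in bulk.items():
            existing = self.pins.get(host)
            if existing is None:
                self.pins[host] = {fp}
            elif fp not in existing:
                conflicts.append((host, fp))
        return conflicts


def demo() -> dict:
    """Walk through the question's scenario and return the decisions."""
    store = PinStore()
    # The bank is vetted by hand, never taken from the bulk list.
    store.pin("bank.example", CONSTRUCTED_CERTS["bank.example"])
    # Yearly bulk download: a new host plus a poisoned entry for the bank.
    bulk = {
        "www.cnn.com": fingerprint(CONSTRUCTED_CERTS["www.cnn.com"]),
        "bank.example": fingerprint(b"constructed forged bank certificate"),
    }
    conflicts = store.merge_bulk(bulk)
    return {
        "conflicts": conflicts,
        "cnn": store.evaluate("www.cnn.com", CONSTRUCTED_CERTS["www.cnn.com"]),
        "bank_forged": store.evaluate("bank.example", b"constructed forged bank certificate"),
        "bank_real": store.evaluate("bank.example", CONSTRUCTED_CERTS["bank.example"]),
        "unknown": store.evaluate("obscure.example", b"constructed unknown cert"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The important design choice is in `merge_bulk`: a bulk list can only add pins for hosts the user has never seen, so the crowd-sourced repository can never replace a pin the user set by hand, and any attempt to do so surfaces as a conflict rather than a silent change. Note that a `mismatch` is also what a perfectly legitimate key rotation looks like, which is the maintainability burden the answer describes.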

Is this sort of model possible? Does such a repository already exist?

I don't think such a thing exists yet. Also I don't think it's practical because of the large size.

However: Below are some things that go in a similar direction.


Google does a somewhat similar thing with their pre-loaded cert pin-sets. (But they only pre-load a small number of sites as far as I know.)

There are similar things. I know of several Firefox Addons that do similar things. -- All of them are interesting in their own ways, but none of them really satisfying.

Online mechanisms for monitoring/adding certs.

Here are some ideas that require an internet-connection.

There is the "Perspectives Project". The idea is that there are several notaries all over the internet that you can ask if a given cert is somehow new or weird. (Firefox addon)

An extension of "Perspectives" is Moxie Marlinspike's "Convergence" Project. (Firefox addon)

And there is "Certificate Patrol" that alerts you to (more or less) unexpected cert changes. -- I found the noise level terrible for general browsing. It was pop-up hell. -- But it's quite useful to get an insight into the sheer amount of changes that happen in cert-sphere. (Which I think would count against distributing a set of certificates as a zip file or something.) (Firefox addon)

An idea to eliminate the "Rogue CA that just issues certs for *.google.com, *.microsoft.com and nobody noticed"-problem is Adam Langley's "Certificate Transparency" initiative. The basic idea is that a cert is not considered valid until it is publicly announced in a registry. This would not eliminate rogue/hacked CAs but it would make the damage much easier to assess and fix.

There is "DANE" which just keeps a cert hash in DNS. This can be used in addition to the regular CA chain-of-trust system. -- Or it could be used instead of it.

Offline

Here are some ideas that don't require an internet connection.

Chrome pre-loaded pinsets
Chrome ships with (and regularly updates) some certificate hashes. https://www.imperialviolet.org/2011/05/04/pinning.html

StackzOfZtuff
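The DANE mechanism this answer mentions ("a cert hash in DNS", used either in addition to or instead of the CA chain) is specified in RFC 6698 as a TLSA DNS record with four fields: certificate usage, selector, matching type and the association data. The following added Python example (not code from the answer or from any DANE implementation) implements the end-entity matching rules: the selector chooses whether the full certificate or only its SubjectPublicKeyInfo is compared, the matching type chooses exact bytes, SHA-256 or SHA-512, and the usage decides whether a successful PKIX (CA chain) validation is still required (usage 1, PKIX-EE) or the TLSA match alone suffices (usage 3, DANE-EE). The certificate and SPKI bytes are constructed placeholders; a real client would extract the SPKI from the DER certificate and must obtain the TLSA record over DNSSEC, which the example does not model.

```python
import hashlib
import hmac

# TLSA field values from RFC 6698 section 2.1.
USAGE_PKIX_EE, USAGE_DANE_EE = 1, 3      # end-entity usages modelled here
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders (not real DER); a real client extracts the
# SPKI from the parsed certificate.
CONSTRUCTED_CERT = b"constructed end-entity certificate DER"
CONSTRUCTED_SPKI = b"constructed SubjectPublicKeyInfo DER"


def association_data(selected: bytes, matching_type: int) -> bytes:
    """Derive the association data the record must carry for `selected`."""
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_matches(record: tuple, cert_der: bytes, spki_der: bytes) -> bool:
    """True if one TLSA record (usage, selector, matching_type, data)
    matches the presented end-entity certificate."""
    usage, selector, matching_type, data = record
    if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
        # Usages 0 and 2 constrain a CA in the chain rather than the
        # end-entity certificate and are out of scope for this example.
        raise NotImplementedError(f"usage {usage} not modelled here")
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    # Constant-time compare, as for any authentication check.
    return hmac.compare_digest(association_data(selected, matching_type), data)


def dane_decision(records: list, cert_der: bytes, spki_der: bytes,
                  pkix_ok: bool) -> str:
    """Combine the TLSA records for a host into 'accept' or 'reject'.

    Any single matching record is enough. A matching PKIX-EE record still
    needs the CA chain to validate (DANE in addition to the CAs); a
    matching DANE-EE record does not (DANE instead of the CAs).
    """
    for record in records:
        if not tlsa_matches(record, cert_der, spki_der):
            continue
        usage = record[0]
        if usage == USAGE_DANE_EE or (usage == USAGE_PKIX_EE and pkix_ok):
            return "accept"
    return "reject"


def make_record(usage: int, selector: int, matching_type: int,
                cert_der: bytes, spki_der: bytes) -> tuple:
    """Build the TLSA record a site operator would publish for its own
    certificate (the DNS side of the mechanism)."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    return (usage, selector, matching_type,
            association_data(selected, matching_type))


if __name__ == "__main__":
    # DANE-EE, SPKI, SHA-256: the common "3 1 1" record.
    rec = make_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                      CONSTRUCTED_CERT, CONSTRUCTED_SPKI)
    print("3 1 1 record, no CA chain:",
          dane_decision([rec], CONSTRUCTED_CERT, CONSTRUCTED_SPKI, pkix_ok=False))
```

A "3 1 1" record (DANE-EE, SPKI, SHA-256) is the form closest to the question's wish to trust the site's own key rather than a CA: the record survives certificate renewals as long as the key pair is kept, and the CA chain is not consulted at all. The security of that shortcut rests entirely on DNSSEC, because an attacker who can forge the DNS answer can forge the pin with it.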