Most of us, when we go to a website and see the little lock at the top of the browser, don’t think twice and trust that we are communicating with the right company or organization. However, this is no longer the case because of a rather radical development that has largely occurred without notice or intervention by almost everyone. The web now has its own rapidly spreading version of CallerID spoofing that is about to get worse.
Thirty-five years ago, the National Security Agency, working with the private sector, developed what has proven to be the most important and widely used means for digital identity trust. It is known as the Public Key Infrastructure digital certificate, or “PKI cert” for short, and was specified in a global intergovernmental standard known as ITU-T X.509.
The idea was simple. Any organization that wants to be trusted goes to a special provider known as a public Certificate Authority (CA) who is supposed to verify certain essential identity basics, and then issue a unique, encrypted key—the PKI cert—to the organization with its identity information securely contained. The platform was approved by all the world’s governments and became the basis for trusted digital identity globally. Europe added further trust features through an ETSI Electronic Signatures and Infrastructures standards group.
Then came the World Wide Web with sites all over the world as a kind of universal user interface to billions of people. The problem was that users couldn’t trust who was actually running the websites. So a little over ten years ago, the five companies which produce most of the world’s web browsers got together with most of the CAs to develop a standard for vetting organization identity for trusted website certificates and display that information in a little lock icon that appears at the top of the browser. They collaborate and reach agreements through an organization known as the CA/Browser Forum. The activity has very far-reaching, fundamental cybersecurity consequences as they control who gets trusted, how verification occurs, and how that trust is provided to billions of users around the world.
Until relatively recently, as required by well-established global standards and practices, the PKI certs had some substantial vetting of an organization’s identity, which was then coded into the certificates and displayed to end-users in the browser lock. There was even a high trust certificate known as an “extended validation certificate” that turned the lock green in most browsers and displayed the validated name.
However, starting in 2013, several parties started up a 501(c)(3) non-profit corporation in Silicon Valley (Internet Security Research Group) to dramatically disrupt the digital identity world by issuing free, zero-trust, instant certificates with no organization identity vetting. These so-called Domain Certificates were then marketed commercially beginning in 2016 under the registered trademark Let’s Encrypt® and browser vendors were asked to recognize them as a trusted CA. If you see one of these Let’s Encrypt certificates (identified as “DST Root CA X3”) and click on the lock, the Subject Organization identity information is completely missing and simply says “unknown.” It is caveat emptor.
The tactic proved enormously successful as the organization itself described in a highly detailed, tell-all paper presented in a London conference made public last December. As they note in the paper, it “has grown to become the world’s largest HTTPS CA… and by January 2019, it had issued over 538 million certificates…” The paper also documents how Let’s Encrypt has had a profound effect on the CA market—now dominating it with 57% of the certificates. “Let’s Encrypt has seen rapidly growing adoption among top million sites since its launch, while most other CAs have not.” They also describe how they used the Internet Engineering Task Force (IETF) to leverage their activities. The commercial opportunity was further facilitated through sponsors who make tax-exempt contributions to the organization’s $3.5 million reported 2018 income - some of whom then market the certificates as part of their business offerings.
The paper also admits that “important security challenges remain.” The cybersecurity impacts arise because, with zero validation, anyone with an interest in spoofing, hiding their identity, or otherwise exploiting security flaws can do so, and indeed have.
Legal and public policy concerns
Although Let’s Encrypt has a small section in its December paper describing the “legal environment,” it doesn’t even begin to treat the major national security, public policy, public safety, antitrust, tort liability, law enforcement, IRS, consumer protection dimensions that have gone with virtually no notice or discussion. Perhaps the most central concern can be summed up by four questions: who gets to decide who is trusted, with what level of vetting, with what manner of notice to end users, and who bears the consequences.
The challenge of digital identity trust was largely solved 35 years ago through a comprehensive, visionary Reagan Administration initiative known as Secure Data Network Systems (SDNS) that in fact was responsible for today’s X.509 PKI environment. However, all the required public-private administrative and identity vetting actions necessary to successfully implement the platform were eliminated a decade later by the Clinton-Gore Administration in the belief that Silicon-Valley itself could handle everything and grow the information economy.
As a result, we have inherited today a world of rampant cybersecurity and societal problems stemming from an inability to trust anything online, and where some of the most important identity trust decisions for most of the world’s population are made by a handful of firms and organizations with no oversight or control or consequences. It seems long overdue for a concerted global public-private effort to significantly improve digital identity trust for the web and all the giga-objects and services that will constitute the new 5G virtualised communications ecosystem. A potential sweetener for Silicon Valley with government involvement is relief from the potentially enormous antitrust, consumer protection, and tort liability consequences.
The problem is that Let’s Encrypt is no more secure or insecure than most of the other CAs. We’ve known for a long time that the vetting many CAs present by default in browsers is insufficient to really guarantee anything about the identity of the party requesting the certificate. That’s on top of actual CA signing certificate compromises, or even worse legitimately-issued wildcard certificates that allow the holder to impersonate literally any Web site on the Internet (necessary for the MiTM process needed for enterprise security software to monitor SSL traffic, but the scope for abuse is horrendous and all it takes is one compromise of one security vendor somewhere in the world). And let’s be honest, for the most part users don’t depend on the lock icon or SSL certificate details to validate web sites, they depend on their own bookmarks, the assumption that Google and such are good about filtering out malicious search results (hah!) and the assumption that DNS lookups are hard to corrupt (pull the other one, it’s got bells on). All the users want is to have their session encrypted so it can’t be eavesdropped on, which doesn’t require validation of the site operator’s identity at all.
I find it amusing that we already have the infrastructure to eliminate the need for reliance on CAs to certify identity. Create your own self-signed private CA, apply name constraints to your certificates to limit them to your domain(s), publish TLSA records (DANE) and secure your DNS zones using DNSSEC. Support’s there in the major browsers and other software, all the browser vendors really need to do is flip TLSA checks from default-off to default-on. At that point users are primarily vulnerable just to typos in the URL, and they’re vulnerable to that now to the same degree (and if users are doing the sensible and lazy thing and using bookmarks or search engines to get the URLs rather than trusting links in emails or the like, it’s exponentially harder to compromise them).
Oh, for extra amusement, CircleId itself uses unencrypted HTTP to serve up this article, and when I try accessing it via HTTPS it redirects to the unencrypted protocol instead. :)
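The TLSA step of the setup described in the comment above, as an added example (not part of the original comment or of any project's code): it pulls the SubjectPublicKeyInfo out of a DER certificate and formats the `2 1 1` (your private CA as trust anchor) or `3 1 1` (the server certificate itself) TLSA record to publish in a DNSSEC-signed zone. The host name, function names and the sample certificate skeleton are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the complete SubjectPublicKeyInfo element of an X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, tbs_end = read_tlv(cert_der, pos)        # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version field
        pos = end
    for _field in range(5):      # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def tlsa_record(host, port, cert_der, usage):
    """Format a TLSA RR (RFC 6698): selector 1 = SPKI, matching type 1 = SHA-256."""
    if usage not in (2, 3):                 # 2 = DANE-TA (CA cert), 3 = DANE-EE (server cert)
        raise ValueError("usage must be 2 or 3 for a private PKI")
    digest = hashlib.sha256(extract_spki(cert_der)).hexdigest()
    return f"_{port}._tcp.{host}. IN TLSA {usage} 1 1 {digest}"

def tlv(tag, value):
    """DER-encode one short element (helper for the constructed sample only)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample: certificate skeleton with placeholder fields and a dummy key (unsigned).
SAMPLE_SPKI = tlv(0x30, tlv(0x30, bytes.fromhex("06032b6570")) + tlv(0x03, bytes(33)))
EMPTY = tlv(0x30, b"")
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + EMPTY + tlv(0x03, b"\x00"))
```

Hashing the SPKI rather than the whole certificate means the record stays valid when the certificate is reissued with the same key.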
The “no more secure or insecure” retort is well known here by those attempting to justify Let’s Encrypt actions. There are two problems with that justification. One is that the evidence clearly does not support it. The second is that the “let’s blow it all up and have no identity information” is not an appropriate course of action and is contrary to the primary purpose in creating X.509 - which was to provide verified, encrypted identity information.
That these actions to take over a market and significantly alter the marketplace by offering free services, establishing commercial partner relationships, and engaging in industry standards activities are being undertaken by a 501(c)(3) corporation is disconcerting. To their credit, they described everything they did in the London paper.
The developments here profoundly impact global cybersecurity and consumer protection, and government authorities should be engaged in making the necessary decisions and provide resources. It is time for them to do something.
I'm confused. What evidence? Let's Encrypt issues Domain Validated certs. As do most CAs. Domain Validated certs were not invented by Let's Encrypt! And you said
What do you mean? Why would a Domain Validated cert need an Organization field?
The ISRG d/b/a Let's Encrypt paper as well as IETF and CABF records appear to indicate an intent to flood the market with free, automated, zero trust vetted PKI certs subsequently called "Domain Validated." The admitted goal was to further TLS deployments. As the London paper indicates, they were wildly successful, and although other CAs issue DV certs, ISRG dominates the market. This was certainly not the original intent of the X.509 platform - which was to provide for trusted organization identity, not TLS encryption. A domain validated certificate is by definition worthless for an end user to know who is responsible for the site, and the average website user isn't going to understand this. The decisions here should be made by governmental authorities; and arguably, undertaking this effort through a 501(c)(3) is inappropriate.
I’m not denying the identification and authentication issues. One of the concerns is that a strong identification/authentication system also implies something akin to a king (or council) of names who has the power to say whether you exist or not on the internet. That raises fears (not completely illegitimate fears) in some circles.
And as was mentioned in a comment, TLS on a proxy-able protocol such as HTTP or MQTT does tend to open the door to man-in-the-middle proxies. And that, in turn, means that yet another mechanism is needed for true end-to-end identification/authentication/protection.
But there are other issues here as well.
Over the last few years Google and the IETF have pushed the notion that the net must be entirely encrypted. Search Engine Optimization (SEO) folklore (and maybe reality) have made website operators use HTTPS whether the data on the website needs protection during transport or not.
TLS is not free. It is still the case that TLS handshaking adds multiple packet round trip times to the connection setup. There has been a massive increase in websites that drag in sometimes more than a hundred third party things and trackers and what-have-you. That TLS overhead really adds up and is often noticeable by humans who have to wait. (Newer TLS will improve it, but things like this sometimes are deployed quite slowly.)
By coincidence, this article was published yesterday:
Multi-Perspective Validation Improves Domain Validation Security
The additional technique is essentially irrelevant. It demonstrates that someone has control of the website. However, it provides zero information about who that someone is, or verification of that entity to any level of trust. The CA providers here need to stop providing what amount to fake ITU-T X.509 PKI certificates. The FBI issued a warning last June on the matter.