Friday, January 4, 2013

Surveillance works! Let's have more of it.

If you care about these things, you might have heard that Google recently detected and revoked a bogus Google certificate. Good work, and huge kudos to the folks at Google who lost their holidays to this nonsense.

From what I've read, this particular incident got started in late 2011 when Turkish Certificate Authority TURKTRUST accidentally handed out intermediate CA certificates to two of their customers. Intermediate CA certs are like normal SSL certs, with one tiny difference: they can be used to generate other SSL certificates. Oops.

One of the recipients noticed the error and reported it to the CA. The other customer took a different approach and installed it into an intercepting Checkpoint firewall to sniff SSL-secured connections. Because, you know, why not.

So this is bad but not exactly surprising -- in fact, it's all stuff we've seen before. Our CA system has far too many trust points, and it requires too many people to act collectively when someone proves untrustworthy. Unless we do something, we're going to see lots more of this.

What's interesting about this case -- and what leads to the title above -- is not so much what went wrong, but rather, what went right. You see, this bogus certificate was detected, and likely not because some good samaritan reported the violation. Rather, it was (probably) detected by Google's unwavering surveillance.

The surveillance in question is conducted by the Chrome brower, which actively looks out for attacks and reports them. Here's the money quote from their privacy policy:
"If you attempt to connect to a Google website using a secure
connection, and the browser blocks the connection due to information
that indicates you are being actively attacked by someone on the
network (a “man in the middle attack”), Chrome may send information
about that connection to Google for the purpose of helping to
determine the extent of the attack and how the attack functions."
The specific technical mechanism in Chrome simple: Chrome ships with a series of 'pins' in its source code (thanks Moxie, thanks Tom). These tell Chrome what valid Google certificates should look like, and help it detect an obviously bogus certificate. When Chrome sees a bogus cert attached to a purported Google site, it doesn't just stop the connection, it rings an alarm at Google HQ.

And that alarm is a fantastic thing, because in this case it may have led to discovery and revocation before this certificate could be stolen and used for something worse.

Now imagine the same thing happening in many other browsers, and not just for Google sites. Well, you don't have to imagine. This is exactly the approach taken by plugins like Perspectives and Convergence, which monitor users' SSL connections in a distributed fashion to detect bogus certificates. These plugins are great, but they're not deployed widely enough. The technique should be standard in all browsers, perhaps with some kind of opt in. (I certainly would opt.)

The simple fact is that our CA system is broken and this is what we've got. Congratulations to Google for taking a major first step in protecting its users. Now let's take some more.

6 comments:

  1. I wrote a comment here about how I think that Perspectives is one of simple, yet pretty effective solutions (except for eclipse attack). Strangely enough, it got deleted (for the benefit of doubt, I admit it could be due to google's overzealous anti-spam).

    Somehow Perspectives default servers just got "lightning-fast" in the last two hours - otherwise I had to use "Force Notary Check" a lot for the past year or two due to servers being overloaded.

    The point: Perspectives *do* really work. It's easy to run your own notary, too. I wrote a Perspective notary server that stores complete chains of X.509 certificates and run two of them, each scanning 1.5M+ hosts every day (google: "perspectives-observatory"). If anybody is interested, I can provide DB dump containing complete history of certchains for every of those 1.5M+ hosts for the past 1-2 years.

    ReplyDelete
  2. Late 2011 or 2012?

    ReplyDelete
  3. The Google feature has added more utilities to the chrome infrastructure and Chrome ships with the series of pins in its source code. This tale is quite a wonder to most users while the testers on the other side are busy to fix the bugs that are associated with the real issues during the fighting of different search engines.

    ReplyDelete
  4. This is a really good project, they just need to improve the program and upgrade it to avoid bugs. I’m sure if the Google team successfully improved the program many homeowners will definitely install this in their houses.

    ReplyDelete
  5. Home Wellbeing has a wide range of One Stop Home Essentials products that care for the wellbeing of You and Your Loved Ones.

    ReplyDelete
  6. Excellent work for the people of Google. Now, those bogus will have to face penalty once they are been caught. They will not be successful in their career if they are busy copying what belongs to other.

    ReplyDelete