[agwa]

Yes, but:

1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.

2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

So it's not really viable to use the existing CA system for MitM attacks.

The eIDAS proposal would:

1. Prevent browsers from distrusting CAs which are used in MitM attacks.

2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.

That creates a system that is very viable for government MitM attacks.

[andyjohnson0]

> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

Thats reassuring but, not knowing much about this, I have a couple of questions:

1. Is this proactively monitored for? And how? And by whom?

2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

[agwa]

> 1. Is this proactively monitored for? And how? And by whom?

Yes, security researchers like myself are constantly looking in CT logs for suspicious certificates, and I've found many, most notably Symantec issuing certs for example.com (https://groups.google.com/g/mozilla.dev.security.policy/c/fy...) and Certinomis issuing for test.com (https://bugzilla.mozilla.org/show_bug.cgi?id=1496088). Both CAs were eventually distrusted. (But Certinomis will be back once eIDAS is adopted!)

Domain owners can use Certificate Transparency Monitors to learn about suspicious certificates for their own domains. Here are some monitors:

https://crt.sh/ - allows you to search for certificates for a domain

https://github.com/SSLMate/certspotter/ - open source tool which notifies you when a certificate is issued for one of your domains

https://sslmate.com/certspotter/ - commercial service that does the same, operated by my company

> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

In 2017, Chrome and Firefox distrusted Symantec, which was at the time the world's largest certificate authority: https://security.googleblog.com/2017/09/chromes-plan-to-dist...

Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.

[jrmg]

It looks like the Symantec distrusting was done with the cooperation of Symantec, which agreed to wind things down and transfer clients to a new provider in an orderly fashion?

[omginternets]

Can you help me intuit what a suspicious certificate might look like in practice?

[agwa]

If you're a domain owner monitoring your own domains, a certificate is suspicious if it was not issued by one of the CAs that you use (e.g. you use Let's Encrypt, but you see a certificate for your domain in CT that was issued by Certinomis). If you keep an inventory of all of your certificates, then you can also cross-reference certificates from CT against your inventory, and flag any certificate that isn't in your inventory.

If you're a security researcher monitoring other people's domains, you have to rely on heuristics - e.g. if a domain has a long history of getting certs from a major US CA, and then suddenly a tiny European CA issues them a certificate, that's pretty suspicious. When I found the example.com certificate misissued by Symantec, I though it was suspicious because it was also valid for subdomains like products.example.com and support.example.com, which don't make sense for a domain that's reserved for documentation purposes. ICANN operates example.com, so I emailed their security team to confirm that they did not authorize the certificate.

The system works best if domain owners are monitoring their own domains, because only they know for sure if a certificate is authorized or not.

[omginternets]

That makes sense, thank you.

Follow-up question: presumably, a state actor with dominion or leverage over a CA can coerce said CA into issuing a certificate, right?

[agwa]

Yes, though eventually the state actor would run out of CAs to coerce as all the CAs in their country get distrusted.

The threat of distrust means CAs have a very strong incentive to contest any government orders, since if they comply their business is destroyed.

[uxp8u61q]

That's your smoking gun? CAs that issued certificates for example.com and test.com? You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?

[agwa]

> You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?

Care to point out where I said that?

example.com and test.com are real domains, and their owners did not authorize those certificates to be issued, so issuing them was a serious breach of the trust which CAs are expected to uphold. Furthermore, the discovery of these certificates led to investigations which turned up additional issues which are documented in detail here:

https://wiki.mozilla.org/CA/Symantec_Issues

https://wiki.mozilla.org/CA/Certinomis_Issues

[debugnik]

> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

Pretty much every browser distrusted the root certificate from Spain's FNMT-RCM for a decade, so I think the answer's yes.

[miohtama]

You can find more about certificate monitoring and who are involved here

https://certificate.transparency.dev/