by nadams 4148 days ago
> great free StartSSL

It looks like they cleaned up their forums from when they were last mentioned[1] but I'll still keep my distance.

Anything like this is really a bandaid for the real problem with SSL/CA. As in why can't I be a CA for my own domain? I think Android is a perfect example of this problem - if you import a CA cert using the built in Android credential storage every time you reboot it will show a vague and useless message saying that people may be spying on you. Not which CA cert was added and when - just "hey, you added, on purpose, a CA cert. I'm just making sure you are aware of this".[2] I understand the warning? error?...err simply because now I can sign a cert for ANY domain and Android will accept it as legit. This makes sense for the average users who don't understand or care what a CA is, not advanced users or enterprise users who will most likely use their own CA infrastructure. In this case - it would make more sense for them to be a CA over just company.tld rather than any domain.

Personally - I'm using a modified version of PHP-CA[3] (as in changed the OpenSSL defaults to something sane and fixed some small issues). It's obviously not very advanced (for lack of better words kind of sucks) - but I wanted to hit the ground running with being my own CA for personal use and I have other projects I'm working on.

[1] - https://news.ycombinator.com/item?id=8901822

[2] - https://code.google.com/p/android/issues/detail?id=82036

[3] - http://php-ca.sourceforge.net/

2 comments

You're right that SSL has problems, but you cannot be the certificate authority for your own domain, and I'll explain why.

The certificate authority system is an imperfect solution for the problem of public key infrastructure. It is designed such that a trusted, independent third party can verify messages between two communicating parties. The third party's trusted signature verifies that the user is who they say they are.

Now, if anyone can be a certificate authority, and you can be your own certificate authority, you have effectively removed certificate authorities entirely - you now end up with de facto two parties. This is convenient for you to certify that you are yourself, obviously.

This is inconvenient and dangerous for you when anyone else certifies that they are you using themselves as a certificate authority - if they can sign their public key using their own nominal trustworthiness, the entire problem is back where it started without the certificate authorities in the first place.

By design, certificate authorities need to be 1. trustworthy, 2. highly vetted and 3. very few. If everyone is a certificate authority, then no one is.

> By design, certificate authorities need to be 1. trustworthy, 2. highly vetted and 3. very few. If everyone is a certificate authority, then no one is.

Isn't that the situation we are in now? All it takes is one CA with poor security *cough* Diginotar *cough* and the whole system is broken. I'm obviously ignoring the fact we have CRLs - but if someone has a signed cert for say chase.com or google.com they can do a lot of damage in a very little amount of time.

Maybe I'm just cynical that there is a profit motive to CAs. I mean, you can't tell me that it's just greed that you can purchase a certificate to turn a user's address bar green because it's "extended validated". The average user won't notice, or even know what that means. Big picture behavior - there is no functional difference between EV and non-EV signed certificates.

My opinion: if we keep the SSL/CA system the way it is today - we need fewer CAs but create non-profit CAs where the average person can get CA signed/trusted certificate for free or next to free. I'm not talking about grabbing some random dude off the street and start a non-profit - it should be funded and sponsored by companies like Google/Verisign/Microsoft etc.

I agree with everything you've said here. Certificate authorities are, like all organizations, prone to corruption and misaligned incentives. There are certainly issues, and it's very much an imperfect solution. The trouble is that getting rid of them (right now) is a net loss for cryptographic integrity. SSL, and perhaps public key infrastructure underpinning it, needs to be redesigned. There is no viable alternative just yet.

Or better, cut Verisign completely out of this... correct me if I am wrong but if the major browser vendors: Microsoft, Google, Apple, Opera, and Mozilla come together can't they basically decide to cut off any certificate authority as they wish? Can't they basically tell Verisign to issue certificates free of cost or get booted out?

The only reason why I suggested Verisign is because they have been in the industry long enough to know what they are doing (presumably) and not make the same mistakes that were made in the past.

Worst case scenario - if Verisign doesn't want to share the toys in the sandbox, Microsoft/Google/Mozilla et al. can just refuse to include their CA certs as trusted certs.

However, Verisign is in a very interesting position as they currently manage/control .com tld.

So what I'm saying is - if the children don't agree to play together then they can take their toys and go home then no one can play.

(I like to use the analogy of children and these big companies because, in my opinion, it appears that's how they operate. They just can't come together, like mature adults, and form some sort of solution to this. Last I heard is that Google wants to show an error page for non-HTTPS enabled sites, on Chrome, which will make everything even worse[1]. Don't even get me started on the whole self-signed cert error message page...).

[1] - http://www.chromium.org/Home/chromium-security/marking-http-...

> trustworthy

Do you really trust all of these keys?

https://www.mozilla.org/en-US/about/governance/policies/secu...

Even companies like AOL, VISA, Wells Fargo, and the historically-problematic VeriSign and GoDaddy, and let's not forget the Even the companies with serious legal issues in the past, and several governments (China, Japan, Turkey, etc).

This reliance on a single point of trust is why the PKI system is destined to fail in the long run: that single point of trust is also a single point of failure. The entire concept of a CA requires handing key parts of our infrastructure over to a small list of "authorities" (which grants the CA a lot of power), while simultaneously trusting those authorities to never abuse that power or be corrupted from the outside.

> If everyone is a certificate authority, then no one is

This is actually the core problem with PKI. Not only does it presuppose that a "few" trusted authorities is even possible, it also frames the discussion by assuming that only a globally supported solution is required. This attitude also dismisses the capabilities to evaluate trust and merely asserts that most people shouldn't worry about this kind of security problem.

A better idea is to recognize that everybody solves pieces of the trust problem constantly in their daily life. Some of the decisions are made of personal experience or observation, but we also rely on others that we see as an "authority". These are powerful behaviors that should be built upon. Everybody can be a CA, because they already are in.

Someone that sets up an "authority" that is only used between a group of friends is perfectly safe IFF 1) it stays at the scale where trust already exists, AND 2) the people involved have some easy way to select the trust basis they want to use.

Criterion 2 is the most important. The CA system is de facto boolean trust (i.e. HTTP-vs-HTTPS). There is no sane way for the typical user to say they want, for any particular transaction or communication, to only trust some specific authority (or authorities), and then switch to a completely different trust basis as needed. Once this ability is in the hands of the average person, I suspect the key distribution problem will solve itself as people self-organize.

> As in why can't I be a CA for my own domain?

Because then anyone who can hijack DNS for your domain can also be a CA for your domain.

I'm sorry I didn't make that clearer - that was a hypothetical question. The question is a loaded question and it raises other deeper rooted issues like what you pointed out (MITM attacks against DNS being one such example).

There would have to be some sort of authoritative list where it says "this CA cert can sign certificates only for this domain". However, such a system I described would basically be CAs as they currently stand. The question/problem is who would maintain such a list? This is a hard question considering we can't even agree on web standards *cough* Microsoft *cough*.
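
The per-domain scoping asked for in this thread ("this CA cert can sign certificates only for this domain") corresponds to the X.509 Name Constraints extension (RFC 5280, section 4.2.1.10). The sketch below is an added example, not part of any comment: it applies the dNSName matching rule to a constructed trust list; the CA names, domains and the conservative wildcard handling are assumptions.

```python
# Added illustration; CA names and domains below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot dropped)."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, base):
    """RFC 5280 dNSName rule: `name` is `base` plus zero or more labels on the left.

    www.company.tld is inside company.tld; evilcompany.tld is not, because
    the comparison is on whole labels, not on a string suffix.
    """
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[-len(b):] == b

def ca_may_sign(constraints, san):
    """May a CA with these name constraints vouch for the DNS name `san`?

    An empty "permitted" list means unconstrained (any domain).
    """
    wildcard = san.startswith("*.")
    name = san[2:] if wildcard else san
    for base in constraints.get("excluded", []):
        # Excluded subtrees override permitted ones. Assumption: a wildcard is
        # also refused when an excluded subtree sits underneath it.
        if in_subtree(name, base) or (wildcard and in_subtree(base, name)):
            return False
    permitted = constraints.get("permitted", [])
    return not permitted or any(in_subtree(name, base) for base in permitted)

def audit(trust_list, issued):
    """Return the (ca, san) pairs that a CA signed outside its scope."""
    return [(ca, san) for ca, san in issued if not ca_may_sign(trust_list[ca], san)]

TRUST_LIST = {
    "Company Internal CA": {"permitted": ["company.tld"], "excluded": ["pay.company.tld"]},
    "Unconstrained CA": {"permitted": [], "excluded": []},
}
ISSUED = [
    ("Company Internal CA", "www.company.tld"),
    ("Company Internal CA", "evilcompany.tld"),
    ("Company Internal CA", "google.com"),
    ("Company Internal CA", "api.pay.company.tld"),
    ("Company Internal CA", "*.company.tld"),
    ("Unconstrained CA", "google.com"),
]

if __name__ == "__main__":
    for ca, san in audit(TRUST_LIST, ISSUED):
        print(f"out of scope: {ca!r} signed {san!r}")
```
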

Is that any worse than what we have now? If I can hijack your DNS, I can certainly insert or replace enough infrastructure to acquire a basic cert from numerous providers. All I really need is to hijack the MX. Bonus points if I can do it without you knowing, such that mail is first delivered to me and then on to you.

In other words, if you could put a CA into a TXT record at the root of the domain and have browsers/etc trust it, how is it any less secure than what we have now?

The scenario you've described leaves an audit trail. If you don't have a CA, hijacking the DNS means you can pull off an attack completely silently.