Saturday, April 9, 2011

The failure of fragmented security

With recent attacks against SSL/TLS and certificates, everyone has been thinking a lot about security. What can we do to prevent security problems in the future?

The problem really stems from the fact that our different security components are separate from one another, and don't entirely see eye to eye, leaving gaps for attackers to walk right on through. The current certificate system for certifying the identity of a website is flawed in theory, and in its implementation in many browsers.

The current system works as follows: An entity submits proof of ownership of the domain(s) it owns to one of the hundreds of certificate authorities out there, who follow some kind of verification process and then issue a certificate identifying the site to that entity. This certificate is digitally signed by the certificate authority itself using its private key, which no one else knows. Since only the certificate authority holds its private key, it is the only party able to sign certificates in its own name. Browsers ship with a certificate bundle identifying the certificate authorities they trust. In this way, when you see a site with a certificate signed by a known certificate authority, you know it's the site you intended to visit.

Except there are some flaws with this idea. If terrorists wanted to, they could attack a certificate authority's physical headquarters, steal the private keys from its servers, and sign whatever they want for whichever domain they wish. Or, hackers could break into machines remotely and perhaps get lucky and find some private keys on them. Or, anyone could start their own certificate authority. It really isn't that hard. Once your new authority becomes trusted by the various browsers, you can proceed to generate certificates for any domain desired.

This entire system has multiple points of failure. Further compounding the issue is that several "trusted" certificate authorities are themselves also ISPs or run various links in the vast internet. Having both components under your control allows you to impersonate any site for any information passing through your systems. America Online, for example, is both a trusted certificate authority and an ISP, and anyone who works there and has access to their infrastructure and private keys can read HTTPS encrypted data passing through their network as if it were unencrypted. Want to buy something with your credit card online? You might want to traceroute your connection first and ensure no one along the way is also a certificate authority your browser trusts.

To mitigate the damage when a certificate authority has signed something it shouldn't have, Certificate Revocation Lists (CRLs) were invented: since every certificate carries a serial number, an authority can publish a list of the specific certificates it once signed and has since revoked. But some browsers don't even bother checking these lists. Further, some browsers that do use CRLs and their relatives simply resume as if nothing happened when they can't reach the CRL for some reason. Further, the CRLs themselves are subject to the same security problems just described for domains in general: how do I know this is indeed the real CRL? Also, browsers themselves don't ship CRLs for the root certificates they bundle, so they are unable to revoke the certificate of a rogue CA if they need to.
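As an added example (not code from the original post), this is what a hard-fail revocation check looks like with Go's standard library: a throwaway CA and a CRL are built in memory, the CRL's signature is verified against the issuer before its contents are trusted, a stale CRL is rejected, and an unreachable CRL refuses the connection instead of resuming as if nothing happened. The CA name, the serial numbers and the "fetch timed out" error are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckRevocation is a hard-fail check: serial passes only if a CRL was obtained, verifies under the
// issuer's key, is not stale, and omits it. A soft-fail client would return nil whenever fetchErr is set.
func CheckRevocation(issuer *x509.Certificate, serial *big.Int, crlDER []byte, fetchErr error, now time.Time) error {
	if fetchErr != nil {
		return errors.New("CRL unavailable: hard fail")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return errors.New("CRL not signed by issuer") // answers "is this indeed the real CRL?"
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale, possibly a replayed old list")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// Demo builds an in-memory CA and a CRL revoking serial 42 (constructed data) and runs both cases.
func Demo() (withCRL, withoutCRL error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, caKey)
	return CheckRevocation(ca, big.NewInt(42), crlDER, nil, now), // revoked
		CheckRevocation(ca, big.NewInt(42), nil, errors.New("fetch timed out"), now) // refused
}
```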

But in reality, this entire system is flawed from the ground up. It's so flawed, it doesn't even make the slightest bit of sense. Imagine the following scenario where my boss asks me to inform him of all purchasing details for our web presence needs, and explain why they're needed.

<Me> Okay, we're going to need $35 a year to register all the domains we want for our company, such as and and so on.
<Him> Sure, that's fine, what else?
<Me> Then we're going to need $200 a year for each domain for certificates.
<Him> Why do we need these certificates?
<Me> To prove that we own the domain in question.
<Him> Prove it? Why?
<Me> Browsers like Internet Explorer and Firefox won't realize when they visit our domain that it's really our domain, and not some hacker out there trying to impersonate us.
<Him> So if we don't buy these certificates, hackers will be able to get the domain names registered as their own instead of ours?
<Me> No, the domain names are protected by a central authority. They know that we own them, and we tell them to point the domains at our servers, but hackers between our customers' browsers and our server can hijack the connection and pretend to be us if we don't have a certificate.
<Him> I don't get it. Why can't our customers' browsers just check the domain registry and make sure the server they reach is the one we told the domain registry about? Why do we need to buy something from a 3rd party?

This seems strange to you? He's absolutely right. Why can't the hierarchy for domain management also distribute the public keys for our servers? The systems will need to be modified to combine several components and have encryption at each level, but does anything else make an ounce of sense?

Imagine you wanted to buy some property. You have your lawyer, accountant, realtor, and other people directly related to the purchase. After everything is taken care of, and you submit forms to city hall and everything else, you then go down to Joe's House of Fine Refrigerators and have him give you a signed deed that you indeed own the property in question. Makes a lot of sense, right?

Now you call a construction company down to work on your new property, say to merge it with the property next door to it. They want proof you own both properties before beginning. What do you do? You pull out your deed from Joe's House of Fine Refrigerators.

This is the exact state of internet security today. The problem pervades every level of the infrastructure we use.

Take cookies for example: the scheme they use to match domain names runs completely counter to how the domain name system works. It's actually impossible for a browser to know, for every pair of domains in existence, whether they belong together when it comes to handling cookies. It will either fail to submit cookies to some sites it should, or submit cookies to some sites it shouldn't. Some browsers try to solve this problem with a massive hack: a list of domains that the cookie code should treat as paired or not paired, which is also incomplete and needs never-ending updates. Without the list, the only difference is that the browser is wrong more often.
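To make the cookie scoping problem concrete, the following added example (not code from the original post) drives Go's standard net/http/cookiejar with a deliberately tiny, constructed public suffix list: with no list at all, a cookie one site scopes to co.uk is sent to a different co.uk site; with co.uk on the list it is rejected; and for a suffix the list lacks (ac.uk here), the cookie crosses sites again, which is the "incomplete list" failure described above. The host names are constructed.

```go
package main

import (
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// toyList is a deliberately tiny, incomplete public suffix list (constructed for
// this example); real browsers ship a list of thousands of entries.
type toyList []string

// PublicSuffix returns the longest listed suffix of domain, falling back to the
// last label for anything the list does not know, which is where the gaps appear.
func (l toyList) PublicSuffix(domain string) string {
	best := ""
	for _, s := range l {
		if (domain == s || strings.HasSuffix(domain, "."+s)) && len(s) > len(best) {
			best = s
		}
	}
	if best == "" {
		best = domain[strings.LastIndex(domain, ".")+1:]
	}
	return best
}

func (l toyList) String() string { return "toy public suffix list" }

// leaks reports whether a cookie that setter scopes to Domain=domain is later
// sent to victim, i.e. whether the jar treats the two hosts as "paired".
func leaks(psl cookiejar.PublicSuffixList, setter, domain, victim string) bool {
	jar, _ := cookiejar.New(&cookiejar.Options{PublicSuffixList: psl})
	setURL, _ := url.Parse("http://" + setter + "/")
	jar.SetCookies(setURL, []*http.Cookie{{Name: "session", Value: "abc", Domain: domain}})
	victimURL, _ := url.Parse("http://" + victim + "/")
	return len(jar.Cookies(victimURL)) > 0
}

// Demo runs the cases from the text: no list, a list that knows co.uk, and a
// suffix (ac.uk) the list lacks. Each result says whether the cookie crossed sites.
func Demo() (noList, withList, missingSuffix bool) {
	psl := toyList{"com", "co.uk"}
	return leaks(nil, "site-a.co.uk", "co.uk", "site-b.co.uk"),
		leaks(psl, "site-a.co.uk", "co.uk", "site-b.co.uk"),
		leaks(psl, "site-a.ac.uk", "ac.uk", "site-b.ac.uk")
}
```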

Really, if the hackers were out there, we'd be in big trouble.

