Nov 15 2008

Self-certification

Published by Dougal at 1:21 pm under Computing, Security

There’s been a really interesting discussion going on in various circles about a bug report that was filed against the Firefox 3 browser. The user who reported the problem had been annoyed that Firefox seemed to reject the security certificates of every major website she visited — Paypal, Facebook, Amazon. Each time the browser put up an error message the user would press the button that said “this is all okay, accept this as valid and secure”.

Of course, the sting in the tail is that it was not Firefox that was in error. This user was being subjected to repeated Man-In-The-Middle attacks — there was someone else between her and the desired website, intercepting all her traffic and putting her privacy in serious jeopardy.

The interesting aspect is that every single error message which Firefox displayed to the user was valid and pertinent. She really was under attack. But the user, savvy enough to report this bug, didn’t realise that these messages weren’t in error. Clearly there is something very wrong with the usability of this system.

Piggy in the middle

The security mechanism built in to modern browsers, called SSL, can encrypt messages between you and whoever you are talking to. If the messages are being encrypted the browser will often show a padlock icon or some other sign that encryption is being used. But this does not mean you are not at risk — in fact, as this story shows, the feeling of security is all an illusion.

Let’s assume that there is an encrypted channel (<===>) between Alice and Bob.

Alice <====> Bob

What you and Alice don’t know is where that encrypted channel ends. If there is some eavesdropper in the middle she could easily be talking, securely, with them!

Alice <==== Mallory ----> Bob

This is essentially what was happening to the Firefox user mentioned above. The way around this problem is called “certification”. Each domain has a certificate which is unique to that domain. No-one else can pretend to be Bob, since no-one else has Bob’s certificate. This allows Alice to say, with some measure of certainty, not “I am talking securely” but “I am talking securely to Bob”.

Certificates are an interesting commodity now. They’re the stamp of approval that says “I am Bob”. What’s to stop someone else claiming to be Bob with their own certificate? Certificates are issued by certification authorities, many of whom charge money for the privilege. But it’s also possible to make your own — so Mallory can make a certificate “proving” he is Bob. What can Alice do to spot this?

As I said, certificates are issued by certification authorities. There are not many of these, so it’s easy for a browser to carry details on all of them. Alice can look at Mallory’s certificate and notice that it wasn’t signed by any certification authority she knows. In fact, it was signed by Mallory himself. A little bit suspicious, no?

If you have to apply for a passport you need a signature from someone like a doctor who knows who you are. This is the equivalent of a certification authority. Signing your own passport application is just as insecure as signing your own digital certificate.

And that is exactly where the above user tripped up. They received a certificate from Mallory, pretending to be Bob, and the certificate was signed by “Bob”. There was no third party to say “yes, this is definitely Bob”.
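The check Alice's browser makes, written out with Go's standard crypto/x509 package as an added example (not part of the original post). A constructed CA stands in for the authorities a browser ships with; the names ca.example and bob.example and the helpers must, issue and Demo are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a certificate for name: self-signed if parent is nil, otherwise signed by the parent CA's key.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: issuer and subject are the same party
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo plays Alice: she trusts one constructed CA; Bob's cert is issued by it, Mallory's is self-signed.
func Demo() (bobErr, malloryErr error) {
	ca, caKey := issue("ca.example", true, nil, nil)
	roots := x509.NewCertPool() // Alice's list of known certification authorities
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "bob.example"}
	bob, _ := issue("bob.example", false, ca, caKey)
	mallory, _ := issue("bob.example", false, nil, nil) // same name, signed by Mallory himself
	_, bobErr = bob.Verify(opts)
	_, malloryErr = mallory.Verify(opts)
	return bobErr, malloryErr
}

func main() { fmt.Println(Demo()) }
```

Both certificates carry the same name; the only thing that separates them is who signed them, which is exactly what the browser warning reports.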

The really pernicious danger is that self-signed certificates are not rare. Many smaller websites have self-signed certificates. Browsers will flag up a warning and users will click Ignore and carry on anyway. This behaviour becomes ingrained. Reflexively cancelling popups is the horrible consequence of having too many useless messages flash up in the first place.

Nuke it from orbit

This problem is slow and insidious, a slow choking danger. Every time another website appears with a self-signed certificate there’s another reason for users to assume this is normal. Before you know it people don’t know there is a difference between the padlock icon and the authenticated padlock icon. Which is how we end up here, because chances are that you didn’t know what the difference was either. And the problem is not going to go away without several changes, some of them quite drastic.

[Image: Bridge to Nowhere, © Martin Burns]

  • The first problem, and the easiest to solve by an internet mile, is that browsers treat self-signed certificates as secure when they are obviously not. The padlock icon that appears in the browser is meaningless for the reasons outlined above — it’s a secure bridge to nowhere.

    So the first step is not to show a padlock if the session is not properly secured.

  • All those lame websites which use self-signed certificates for commercial purposes are then going to appear as unsecure as they were all along. This will annoy many people and be regarded as a very bad move. But it’s not the job of browsers to lie about how secure things are, so web designers shouldn’t expect this.

    The next step will be to force websites to pony up for a proper digital certificate[1], or abandon secure connections. (I hope that modern web users are savvy enough not to transmit their bank details in the clear. Maybe I hope too much.)

  • Systems which bother users with useless messages cost lives. The history of “human error” in nuclear power, avionics and the military speaks volumes. Unfortunately this simple lesson is repeatedly ignored.

    Firefox already does a good job of not bothering the user. It rarely does anything unexpected (I regard 404/connection down messages as expected for a network application) but not everyone plays as nice. Windows itself is notorious for alerting the user to endless inconsequential changes of circumstances — hardware found, driver found, driver installed — and trains users to ignore error messages in the end.

    So, the impossible step in the three step solution is to (a) stop all those useless error messages and (b) stop users from ignoring error messages. You can see why I don’t hold out much hope for this part.

As terribly unlikely as these steps are, they are still not actually enough to get the security people expect to get when they see the padlock icon on their browser.

Not out of the woods yet

I still haven’t touched on issues of phishing (how do you know Bob is trustworthy?) which certification does very little to help. Maybe another day. But for now, pay close attention to what your browser says, because it may be saying something important.


  1. I’ve been ignoring the case where people have legitimate reason for signing their own certificates, but that’s for good reason. If you’re working on a corporate LAN then you can become your own certification authority. But even then, don’t use it for interaction with the public. 

2 Responses to “Self-certification”

  1. Ken on 17 Nov 2008 at 11:52 am

    Excellent. How can the folk who make browsers be persuaded to implement stage 1, which is pretty key to all this?

    It seems pretty sensible, nay crucial in this age of increasing internet fraud.

    I hope one of your more connected readers picks up on this and runs with it in the wider press.

    Glad you are on the case (or on our side…. you are, aren’t you?)

  2. Dougal on 17 Nov 2008 at 2:58 pm

    Alas the behaviour of the browsers on this topic is as variable as on the others. Firefox 3 has received a lot of criticism since it made using self-signed certificates even more arduous than it was before. (This post is a particularly good but slightly more technical treatment of the same risks I mention in my post. The technical details are more specific because they tell you exactly how easy it is to download a Hacking for Dummies tool to become Mallory, the Man in the Middle.)

    This stuff has been well discussed for months now, but I have no idea how much the mainstream press pick up on it — or more importantly, how many pertinent facts would exist after “translation”.