
What Would It Take To Have Open CA Authorities?

The Slashdot crowd has opened a discussion about the possibility of a free, open Certificate Authority. trainman writes:

With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites into the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?

Some of the users pointed out CACert and StartCom, which issue free SSL certificates, but others pointed out problems with them, such as CRL size (which can slow down the SSL connection process for your users) and the fact that their root certificates are not included in most web browsers. The roots have to be imported, which makes these certificates almost as useless as creating your own root certificate for free.

A large part of the confusion is about what the point of SSL certificates is in the first place. For example:

Cheater512 writes: "The point of SSL is so you know who you are talking to. It doesn't do anything else."

Antibozo writes: "The point of SSL is validation, then encryption. Without both, it's useless. And if you were paying attention to the noise about DNS cache poisoning last week, you should know that, without validation, SSL is truly useless."

squiggleslash writes: "One entire point of SSL is to ensure that the user can trust the site they're connecting to. If I register citicardbank.com, my inability to get an SSL certificate for it without being traced by my phishing victims severely undermines my ability to rip people off."

AlexCV writes: "No, SSL is about encryption. A certificate is merely a signed public key. Of course you could hijack a session and insert your own certificate in there, but then you'd have to have a CA authority sign it or my browser will throw a fit. And that's why trust is the only thing that matters in SSL."

Evets writes: "People should see SSL certs for what they are - end point-to-end point encryption mechanisms and nothing more. Thinking they are anything more is simply a false sense of security."

Ultimately, SSL Certificates are not for encryption, they simply enable encryption. They are about authentication. I like how BitZtream said it:

As the GP said, certificates are not about encryption, they are about authentication.

You can do the same encryption provided by SSL connections without a certificate at all.

Before you start telling people what certificates are for, please learn about how encryption, and specifically PKI works.

The SSL connection, after being authenticated, uses standard symmetrical encryption to actually transit the data once the connection has been authenticated and a one time key for each direction has been established.

YOU see certificates used with encrypted websites, but their purpose is not encryption. You can actually use SSL and not have encryption or message authentication at all. But that would be stupid because someone could hijack the data stream and modify it at some point after the initial authentication phase.

Quite simply, domain-validated certificates that are freely given to anyone who claims domain ownership are worth very little. Malicious users can get these certificates easily. Such a certificate may enable encryption, but it does nothing to verify that you are talking to who you think you are talking to. Free CAs also have issues with the quality of other validation (they don't have to pass audits like WebTrust), the quality of revocation lists, and the quality of installation support, among other things.
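The distinction argued above (the key exchange can encrypt without a certificate, while the certificate is what authenticates the peer) can be seen in a small simulation. This is an added example, not code from the original post or the Slashdot thread; the toy CA, the names `shop.example` and `other.example`, and all parameters are constructed assumptions. As a simplification, the certificate binds a name directly to a Diffie-Hellman public value, whereas in SSL/TLS it binds the name to a key that authenticates the exchange.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P, G = 2**127 - 1, 3                            # Diffie-Hellman group
CA_P, CA_Q, CA_E = 2**61 - 1, 2**89 - 1, 65537  # toy CA's RSA primes and exponent
CA_N, CA_D = CA_P * CA_Q, pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))  # public / private

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()

def _digest(name, pub):
    h = hashlib.sha256(f"{name}|{pub}".encode()).digest()
    return int.from_bytes(h, "big") % CA_N

def ca_issue(name, pub):
    # The "certificate": a textbook RSA signature binding a name to a public value.
    return pow(_digest(name, pub), CA_D, CA_N)

def client_connect(name, offered_pub, cert=None, require_cert=True):
    """Return (client_pub, session_key), or None if authentication fails."""
    ok = cert is not None and pow(cert, CA_E, CA_N) == _digest(name, offered_pub)
    if require_cert and not ok:
        return None
    priv, pub = dh_keypair()
    return pub, session_key(priv, offered_pub)

def demo():
    srv_priv, srv_pub = dh_keypair()
    cert = ca_issue("shop.example", srv_pub)
    mid_priv, mid_pub = dh_keypair()  # on-path party substituting its own value
    # 1. Encryption only: the client keys with whoever answered, not the server.
    c_pub, c_key = client_connect("shop.example", mid_pub, require_cert=False)
    with_middle = c_key == session_key(mid_priv, c_pub)
    with_server = c_key == session_key(srv_priv, c_pub)
    # 2. Certificate required: the substituted value does not match the cert.
    rejected = client_connect("shop.example", mid_pub, cert) is None
    # 3. A valid cert for a different name does not authenticate this name.
    other = ca_issue("other.example", mid_pub)
    wrong_name = client_connect("shop.example", mid_pub, other) is None
    # 4. Genuine value and cert: both ends derive the same key.
    c_pub, c_key = client_connect("shop.example", srv_pub, cert)
    return with_middle, with_server, rejected, wrong_name, c_key == session_key(srv_priv, c_pub)

if __name__ == "__main__":
    print(demo())
```

Case 3 is the limit of domain validation: the signature proves only that the CA bound that public value to that name, so the check is exactly as strong as the CA's process for deciding who may hold a name.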

What Would It Take To Have Open CA Authorities?  - [Slashdot]

Originally posted on Sun Jul 20, 2008



That's not really the right question, SSL has for the most part been a spectacular failure, the only saving grace is the fact the cost of attacks on the traffic in transit is too high, it's much easier to go crack a database/network/truck full of backup tapes.

Any system that has had such little penetration leaving all of us at risk of having passwords captured/exposed can't be a good thing.

In any case security is never black and white and this is mostly why SSL/PKI has failed, it used to be only trust the website if the lock was showing.

What did/does it mean if the lock is being displayed?

Why are all certificate authorities "trusted" equally?

If they are all "trusted" equally do they all follow the same practices when issuing certificates?

So the question isn't what would it take to have open CA authorities, CAcert and StartSSL both occupy that niche and haven't really fared any better, but they certainly haven't fared any worse that's for sure, even if people did/do have to import their root certificates.

The question should be 'Ok, SSL is a bad idea in general, it doesn't do much more beyond protecting credit cards, what can we do instead that would promote the widespread use of encryption on the internet?'

The other PKI model is that of OpenPGP, although it is slightly restricted as well, but it is useful enough to build a confidence system around that could end up being much more useful.


This is a work in progress and I'm still working on the finer points, however the overview on security is just as valid.

In any case I've described my thoughts on the subject in regards to encrypting DNS requests and replies, this isn't a simple topic and security isn't black and white since the amount of security you need may not be much more than that of encryption only, but the browsers don't let us have a say in it, because we aren't smart enough to make those sorts of decisions on our own.

I think it's time the browser devs got over their own egos and gave us much more info about the CAs signing certificates, however I'm not holding my breath over this one, the Mozilla devs were pushed for years to show Verisign's logo on the browser when a Verisign certificate was encountered.