Certificate Authorities and PKI (2): Industry Self-regulatory Efforts

Posted byStasyHsiehPosted in2. Technology & Science

Introduction

In this article, we continue the discussion of Certificate Authorities (CAs) and Public Key Infrastructure (PKI), with a focus on the flaws in the trust model used by CAs and the industry response to address these vulnerabilities. The lesson examines the structural issues in the trust model, key security breaches, and subsequent industry reforms aimed at improving security in web communications.

1. Trust Models Overview:

• Trust models define how credibility and trust are maintained within security frameworks. There are several types of trust models:

• Web of Trust: Decentralized and based on first-hand experience, similar to how one would trust their circle of friends. It does not scale well and is rarely used for large-scale implementations.

• Hierarchical Trust Model: In this model, a single centralized root (trust anchor) delegates trust to subordinate entities. While reliable, it concentrates power in one entity, which can create risks if the root authority is compromised.

• Flat Trust Model: This is the model historically used by certificate authorities. Any CA could issue certificates for any organization, and browsers would accept them based on their inclusion in a list of trusted certificate roots. However, this model lacked unified control, creating vulnerabilities.

2. Flaws in the Flat Trust Model:

• In the flat trust model, any CA could issue a certificate for any organization, and CAs could delegate authority to intermediaries. This delegation process lacked formal controls, making the system susceptible to exploitation.

• The lack of a single unified trust anchor meant that the compromise of one CA could undermine the security of the entire system. The lesson highlights that this structure led to serious breaches.

3. Key Breaches:

• 2011 Comodo and Diginotar Breach: A major turning point occurred in 2011 when fraudulent certificates were obtained from CAs such as Comodo and Diginotar. These certificates were used to target Google and Gmail in Iran, where a man-in-the-middle attack was carried out using forged certificates.

• Despite passing audits just months before the breach, Diginotar was compromised, allowing attackers to issue wildcard certificates that breached secure communications. This resulted in Diginotar’s bankruptcy and highlighted the flaws in the existing system.

4. Industry Response and Reforms:

• The Certificate Authority Browser Forum emerged as a key body to address the vulnerabilities exposed by these breaches. The forum brought together CAs, browser vendors, and other industry players to enhance the security of web communications through collective action.

• Two key reforms were implemented following the Diginotar scandal:

1. Certificate Authority Authorization (CAA): CAA, introduced in 2017, acts as a whitelist of authorized CAs for a domain’s DNS records. If a CA is not listed, it is prohibited from issuing certificates for that domain. This measure aims to prevent unauthorized certificate issuance.

2. Reduction of Certificate Validity Period: While there was a push to reduce certificate validity to one year, a compromise was reached to limit it to two years, with Google playing a significant role in advocating for this change.

5. Certificate Transparency and Google’s Role:

• Certificate Transparency was introduced as an open framework for monitoring and auditing SSL certificates in near real-time. It enables the detection of mistakenly issued or maliciously acquired certificates and identifies CAs that deviate from expected behavior.

• Google also played a significant role in driving reform, particularly in its stance against Symantec’s certificate authorities. Citing failures to comply with industry standards, Google announced that Symantec-issued certificates would no longer be trusted in the Chrome browser, which controlled 60% of the browser market. This decision had a significant impact on Symantec’s certificate business.

6. Other PKI Implementations:

• The lesson briefly mentions two additional examples of PKI implementation:

1. DNSSEC (Domain Name System Security Extensions): A security extension that verifies that the domain responding to a query is the actual domain holder, based on certificates. While it has been implemented at the root level by ICANN, its adoption at lower levels remains limited.

2. RPKI (Resource Public Key Infrastructure): This standard uses digital certificates to verify if an organization is authorized to use certain IP addresses. BGPSEC is another example that uses certificates to validate network routing information.

Conclusion:

• The article concludes by reflecting on the evolution of encrypted web communications and the role of industry cooperation in improving security. The early success of CAs was followed by significant security breaches due to flaws in the trust model, but collective industry action, driven by key players like Google and associations like the CA Browser Forum, addressed many of these issues.

• The article highlights the importance of balancing commercial incentives with strong security measures and underscores the need for continuous monitoring and reform in the industry.

Published by StasyHsieh

A physicist by training, I’ve traversed seven countries, shaping my path through Cybersecurity, AI, and Astrophysics, while nurturing a deep passion for art, writing, and societal change. I advocate for inclusivity in STEM and explore the intersections of equality, economics, and the evolving digital world. My work—whether in technology or the arts—seeks to provoke thought and inspire change. Let’s connect and explore the dance between innovation and humanity.

Leave a comment