The NSA has forged web security certificates. What’s worse, we knew that they could, and we still trusted certificate-based web security. Web security as we know it is dead and worthless – worse than worthless, even – and must be rebuilt from the ground up.
When you go to a website that bills itself as secure, it uses a so-called “security certificate”. Such certificates on the web serve two purposes. One, they encrypt the session between your computer and the web server, so nobody else can listen in, and two, they identify the web server you are talking to and tell you whose web server it is. When you log onto your bank, you will see a little padlock next to the bank’s name in the address bar. The NSA and their ilk have effectively negated both of these security mechanisms.
This makes today’s Web security worse than worthless. It is not just worthless, as in not providing the claimed security whatsoever; it is worse than worthless, as it provides people at large with a thoroughly false sense of security. It’s as if all the front door locks in the world were dead easy to open for somebody who knew the magic word. Unless this lack of security is well understood – and being a technical issue, it won’t be – people will keep thinking they’re secure. That’s horrible, frankly.
We should have seen this coming from far away – the mere possibility could have been anticipated for some time, although probably nobody thought the security services would want to break the entire world’s security model. Now we know they won’t hesitate to do so.
Many certificate suppliers are based in the USA. This, combined with the infamous National Security Letters (NSLs) that the U.S. Congress has created, is a death knell. There is nothing stopping the NSA from issuing such a letter compelling Verisign or any other U.S.-based certificate authority to issue a forged certificate to the NSA, while forcing it by law not to tell anybody about it.
The mere possibility of this happening is enough to declare certificate-based web security stone dead as a technology – but we know now that the NSA has already used forged certificates to impersonate Google. That’s extra damning. Let’s take that again: the NSA forced web traffic intended for Google’s servers to take a route through the NSA’s servers, where the NSA presented themselves as Google and were able to wiretap traffic intended for Google’s servers, negating both functions of certificate-based security.
It’s extra damning as Google not only relies on the certificate itself to present the session as secure, but Google’s own browser also verifies that it’s not just any Google certificate, but Google’s own Google certificate. Apparently, the NSA foiled this, too.
In an internet technical draft published earlier in response to the first NSA revelations, this practice is given the name kleptography – to deliberately supply somebody with a weakened form of cryptography in order to wiretap them. The word is appropriate.
We can no longer rely on a model where one compromised node in the framework means the compromise of the framework as such, which is the case with certificate-based security. We need a much more resilient framework than that, where each client as well as the framework itself is able to detect and reject a compromised security provider, or group of security providers.
SSL is dead. Long live web security. We must rebuild it from the ground up.
One very simple solution could be to allow for self-created certificates and use the DNS framework to validate the certificate for a given website, which would at least give a degree of distributed resilience. While the DNS framework has its own centralization problems, it would be an easily implemented stopgap measure that would have the added bonus of erasing the entire certificate industry, which is artificial anyway. If the client checked a certificate’s signature with its own DNS server and with public DNS servers in five different jurisdictions – say, Canada, Switzerland, South Africa, Brazil, and Japan – getting a greenlight from all of them would be rather good confirmation of the self-created certificate being genuine.
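A sketch of the client-side check proposed above, added here as an illustration and not taken from the article or any project: the client accepts a self-created certificate only when its own resolver and resolvers in all five jurisdictions publish a matching digest, and the per-resolver report singles out a dissenting or unreachable one. Assumptions: the record layout is borrowed from the DANE TLSA convention (usage 3, selector 0, matching type 1 or 2), the check compares a certificate digest, and the resolver labels, `lookup` callable and sample bytes are hypothetical or constructed.

```python
import hashlib

# Labels for the client's own resolver plus the article's five jurisdictions.
RESOLVERS = ("local", "CA", "CH", "ZA", "BR", "JP")

def pin_matches(record, cert_der):
    """True if a 'usage selector mtype hexdigest' record pins this exact cert."""
    try:
        usage, selector, mtype = (int(f) for f in record.split()[:3])
        pinned = record.split()[3].lower()
    except (ValueError, IndexError):
        return False                      # malformed record is never a greenlight
    hashers = {1: hashlib.sha256, 2: hashlib.sha512}
    if usage != 3 or selector != 0 or mtype not in hashers:
        return False                      # only "domain-issued, full certificate"
    return hashers[mtype](cert_der).hexdigest() == pinned

def verify(name, cert_der, lookup, resolvers=RESOLVERS):
    """Ask every resolver; accept only if all of them greenlight the cert."""
    report = {}
    for r in resolvers:
        try:
            records = lookup(r, name)
        except OSError:                   # timeout, refused, network down
            report[r] = "unreachable"     # fail closed: silence is not approval
            continue
        if not records:
            report[r] = "no-record"
        elif any(pin_matches(rec, cert_der) for rec in records):
            report[r] = "match"
        else:
            report[r] = "mismatch"
    return bool(report) and all(v == "match" for v in report.values()), report

# --- constructed sample data: stand-in bytes, not real certificates ---
GENUINE = b"constructed genuine self-created certificate"
FORGED = b"constructed forged certificate"

def pin(cert_der):
    """Build the record a site owner would publish for this certificate."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest()

def make_lookup(answers):
    """Stub resolver client (hypothetical): label -> records or an exception."""
    def lookup(resolver, name):
        result = answers[resolver]
        if isinstance(result, Exception):
            raise result
        return result
    return lookup
```

Calling `verify` for the forged bytes with a lookup in which only `local` publishes the forged pin returns `False`, with `local` as the lone `match` in the report; that lone outlier is what lets a client notice a single compromised provider.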