By Peter Horne, one of Patty’s Pioneers
We all know that when you travel internationally, your passport ties the whole security process together. So let's play a thought experiment. If someone wanted to pretend to be you and travel with your identity, they would have to have your passport number so that they could book an international flight, then they would need a fake passport as photo ID at the counter to pick up the ticket, and then they would have to present the fake passport to a TSA or customs official who has been trained to study passports, including what to look for when they shine the ultraviolet, or black, light on your passport. Let’s assign some very low odds to the chances of success. Let’s say that they have a 1/100 chance of getting your passport ID without detection and being able to book a flight in your name. Now let’s assume they have a 1 in 100 chance of producing a fake passport that has your passport number and photo and that fools the airline ticket staff and their computer, or works in the auto check-in kiosk. Now let’s assume that there is a 1/100 chance the passport is of high enough quality to beat the trained official with their black light and experienced eye. That gives the bad guy a 1 in 1,000,000 chance of making it through the process. Nice odds against the bad guy.
How Does the Internet Verify Identity?
But what if they have your passport number and have the government machine that makes passports? What are the odds the bad guy will get through the process? They are now close to 100%.
Your web browser is nothing more than a TSA official that checks web site passports (using Secure Sockets Layer or SSL technology). It is trained to look at web sites using a set of black lights that are shipped with it. It uses these black lights to check the passport a web site presents to the browser to see if it has an “official” stamp on it. If it sees the right stamp under the right light, it tells you the site is who it says it is.
There are two parts to the SSL passport system. There is the technology — the Public Key Encryption or PKE technology (very nerdy math) — which allows encryption and validation using keys and certificates to occur. And there are the processes — the Public Key Infrastructure or PKI — that manage how keys and certificates are created and distributed.
Public Key Infrastructure is organized as a tree of trust, where, at the very top, or root of the tree, are the root-certifying authorities or CAs. These are the “officials.” Root CAs issue their own certificates and apply to have them shipped by vendors with the vendors’ browser software. Once you are in this select group, you can sign other people’s certificates. So your company, if it has an SSL website, will have gone to one of these companies, or their delegate, and paid some money so that when your certificate is shown to a browser, the black light shines through and sees one of the CA certificates that the browser has in its list of included certificates.
When you pay to set up your SSL web site, you are paying for nothing more than to get your certificate certified by someone who has their certificate in the special list. If you use a certificate that is not ultimately certified by a CA in the special list (it's actually quite easy to create and sign your own certificate), then your browser will give you a big warning telling you that the site is not trusted, and it is on your head if you go any further. Sites can pay even more and have their company information officially checked and certified as well — those are the web sites that show the company name in the green area of your browser address bar.
Public Key Infrastructure Has Failed
Those of you responsible for critical business functions or technology processes know that any system that has a single point of failure will ultimately end up failing. You've probably already worked out that the PKI is built on a single point of failure — the certificates from the CAs. And the bad news is that it has failed — the bad guys have compromised some CAs. This means that they have the passport printing machine, and your browser’s black lights are no longer trustworthy. Sure, your browser still works, and its black lights still work and can be shone on a passport and show the right stamp — but the infrastructure that produces the passports has been compromised.
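The trust-list check described above, and the reason a single CA on that list is a single point of failure, can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original article; the two CAs, the site name www.example.test and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: both CAs and www.example.test are constructed for illustration.
# Needs the openssl command-line tool; all files live in a temp directory.

make_ca() {   # $1 = file prefix, $2 = name; writes a self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue() {     # $1 = CA prefix, $2 = output prefix, $3 = site name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

verdict() {   # $1 = trust list (PEM bundle), $2 = certificate to check
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo REJECTED; fi
}

demo() {
  dir=$(mktemp -d) || return 1
  ( cd "$dir" || exit 1
    make_ca ca_a "Constructed Root A" || exit 1
    make_ca ca_b "Constructed Root B" || exit 1
    issue ca_a site_a www.example.test || exit 1  # the site's own certificate
    issue ca_b site_b www.example.test || exit 1  # same name, vouched for by B
    make_ca self www.example.test || exit 1       # signed by nobody on the list
    cat ca_a.crt ca_b.crt > shipped.pem           # trust list as shipped
    cp ca_a.crt updated.pem                       # list after B is removed
    for pair in shipped:site_a shipped:site_b shipped:self \
                updated:site_a updated:site_b; do
      list=${pair%%:*}; cert=${pair#*:}
      echo "$list/$cert: $(verdict "$list.pem" "$cert.crt")"
    done )
  rm -rf "$dir"
}

demo
```

The certificate issued by CA B passes against the shipped list even though the site only ever dealt with CA A, because the check asks only whether some CA on the list signed it. Taking B off the list is the one change that turns that verdict into a rejection.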
It is known that someone has hacked at least two certifying authorities and has used these certificates to produce bogus SSL certificates. In one case, it was known that bogus Google, Microsoft, Yahoo, etc. web mail web site certificates were produced, and, in another more comprehensive attack, bogus certificates were produced for *.*.com and *.*.net. With those certificates, you can pretend to be anyone. So how does that work?
A simple, real-life, and chilling example: I have read a report describing how, when some of the CAs were identified as compromised and their certificates were added to the certificate revocation list that browsers (may) use, a web mail provider received support calls from some users in some extremely internet- & freedom-unfriendly countries to say that they were getting security warnings using the web mail website. Why? The likely answer was that someone had put a false site in between the user and the real web mail site using a bogus SSL certificate. This allowed the false site to pretend it was the real site, and the browser told the user everything was OK. If this account is true, that user would have been putting their username and password into an unfriendly proxy site, which would have seen their login details "in the clear" as it passed data back and forth between the user and the real site. This is called a “man in the middle” attack, and if you live in a country that takes out dissidents, the stakes can be life-threatening.
Browser Providers Are Covering Up This Issue!
But it's not just the keys that have been compromised. In my opinion, the way the browser providers have acted has also compromised any level of trust we could have in them. We know this because there are some seriously motivated, seriously skilled people who are thankfully watching what browser providers are doing. The Tor project is a project that allows users to create and communicate over anonymous SSL sessions. This is handy if you need to hide from state powers, and it is used in countries that practice internet surveillance with unfriendly intent. (Note that it may also be used in friendly states by people with unfriendly intent, but the bad guys will always find a way to do their evil, so I prefer to focus on the positives.) So the Tor project is motivated to watch what is happening in SSL land. Jacob Appelbaum from Tor noticed some changes in certificate management in both the Chrome and Firefox open source projects, and basically proved that the browser producers were quietly working to remove compromised certificates. You can read the story here.
What Does This Mean for You?
What does this mean? It is in the interest of neither the browser providers nor the CAs to "fess up" to a broken system. It’s their system, and there are business models at stake. However, as I write, the list of compromised SSL certificates has gone from a few, to many, to many hundreds, and no one knows how many other certificates are compromised. So this means that the single point of failure has been realized, and without wanting to sound alarmist, the whole CA trust system is probably hopelessly compromised at this point, and many browser root certificates are probably being changed as we speak. We can't rely on the CAs or the browser manufacturers to tell us, either.
What does this mean for individuals and companies? I'm not really sure how to assess the threat level at the moment, and I think it’s too early to say whether this is the start of some major change. I, for one, am going to keep doing my banking online and hope for the best. However, if the system is broken, then we will start to see a whole body of SSL-related attacks in such areas as identity theft or anonymity breaches, and the questions about the system will escalate. At this point, though, it is hard to tell. My hunch is that the next few years will see identity and anonymity start to become major issues and there will have to be a technology change in response.
Time will tell.
~ Pete Horne