Certificate Authorities are Actually a Tremendous Problem

published by Eric Mill on

I was surprised to see myself quoted in Marc Ambinder's post this morning on the viability of the NSA collecting Gmail data in bulk — not through court orders, but by tapping the network itself:

Unless NSA has found a way to mess with the traffic cops — the certifying authorities — I don't see how NSA possibly reads Google emails in real-time, looking for content, using keyword searches. Indeed, I don't know NSA would be able to break the encryption of an email that somehow fell under what secret safe harbor provisions they have for emergencies. They really do need Google's help to read every email they do not steal from either end of the communication.

Eric Mill, a developer for the Sunlight Foundation, summed it up for me in a Tweet: "NSA can and does sniff traffic as it moves across the Internet, especially through backbones. Encrypted traffic is safe-ish."

Marc Ambinder, How does NSA hack into emails?

It's very important to emphasize the "-ish", because there are huge concerns over "the traffic cops" (the CAs) that very much bring the integrity of encrypted traffic into serious question, as I'll explain a bit later on. Encrypted traffic is only safe-ish by comparison to the plain text emails that live on Google's servers.

And it's that comparison I was initially trying to make, because I thought when Marc first posed his question about NSA bulk collection, he was mistaking transport encryption for content encryption.

Once I noticed that Marc already understood this, and that I'd taken his tweets out of context, I realized "safe-ish" was ambiguous and overly generous, so I followed up:

I didn't elaborate further or provide more links, mostly because I felt embarrassed at taking his original tweets out of context. But since the same has now happened to me, I think it's important I point to how flawed Marc's downplaying of the NSA's data collection ability is.

The reason your browser trusts your bank's website and doesn't yell at you to GET OUT OF THERE is because your bank has had its encryption "certificate" signed by a "certificate authority" (CA). Verisign is the most widely known CA; there are many others, and browsers trust a long list of them. If anyone hacked or coerced Verisign or any other trusted CA, they could fake a certificate for any website using that CA that any browser would trust, and then decrypt all the traffic they could intercept.

How bad is this? Slate covered the state of affairs in 2010, and pointed to the EFF's research (there's even a fun color map!) showing the Internet's 600+ points of security failure:

Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft's software trusts more than 100 private and government institutions.

Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors—and a UAE mobile phone company called Etisalat.

The Internet's Secret Back Door

Sure enough, in 2011, two CAs were hacked from an Iranian IP address. Browsers had to ship updates revoking their trust in the hacked CAs for users to stay safe. In January of 2013, the same thing happened again with two Turkish CAs. It will continue to happen — in fact, there's no reason to assume other CAs aren't currently compromised.

At this point, no one likes the Certificate Authority system (except the institutions which benefit from it), but there's no clear path to change it. After the 2011 incident, Moxie Marlinspike got mad and designed Convergence, which attempts to work around the CA system by letting you choose whose eyes you trust to see the world. It's a brilliant idea, but has not gone anywhere, and I'm not sure what the security community's vision is for where to go next.
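To make the contrast concrete, here is an added example (not code from this post or from the Convergence project) that models the two trust decisions side by side: the CA model, where a matching hostname plus any issuer in the trust store is enough, and a notary-style check, where notaries you choose must report seeing the same certificate fingerprint. The CA names, hostnames, keys, notary names and the `quorum` parameter are all constructed assumptions, and signature verification is left out so that only the trust decision is shown.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    host: str
    issuer: str        # CA that signed the certificate
    public_key: bytes  # stand-in for the real subject public key

    def fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()

# Constructed trust store: a browser accepts a certificate from ANY entry.
TRUSTED_CAS = {"Example Root A", "Example Root B", "Example Root C"}

def ca_model_accepts(cert: Cert, host: str) -> bool:
    """CA model: matching hostname plus any trusted issuer is sufficient."""
    return cert.host == host and cert.issuer in TRUSTED_CAS

def notary_model_accepts(cert: Cert, notary_views: dict, quorum: int) -> bool:
    """Notary model: at least `quorum` of the user's chosen notaries must
    report the same fingerprint for this host from their own vantage point."""
    mine = cert.fingerprint()
    agreeing = [name for name, seen in notary_views.items() if seen == mine]
    return len(agreeing) >= quorum

# Constructed scenario: the site's real certificate, and one for the same
# hostname issued by a different (hacked or coerced) trusted CA.
genuine = Cert("bank.example", "Example Root A", b"genuine-site-key")
forged = Cert("bank.example", "Example Root C", b"interceptor-key")

# What three notaries outside the intercepted path see for bank.example.
NOTARY_VIEWS = {
    "notary-1.example": genuine.fingerprint(),
    "notary-2.example": genuine.fingerprint(),
    "notary-3.example": genuine.fingerprint(),
}

def evaluate(cert: Cert) -> dict:
    """Run both trust decisions for bank.example and return the verdicts."""
    return {
        "ca_model": ca_model_accepts(cert, "bank.example"),
        "notary_model": notary_model_accepts(cert, NOTARY_VIEWS, quorum=2),
    }

if __name__ == "__main__":
    for label, cert in (("genuine", genuine), ("forged", forged)):
        print(label, evaluate(cert))
```

The notary check is only as good as the notaries' vantage points: if they sit behind the same interception point as the client, they report the forged fingerprint too and the check passes.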

But the biggest reason I didn't enjoy being quoted in this way is more personal.

I've been utterly horrified and completely changed by the long (and ongoing) chain of disclosures Edward Snowden has made about the NSA — at this point, we simply should not assume we know the limits of what the NSA is capable of. And I'm not comfortable empowering anyone's argument that we should believe we do understand those limits and calm down. The Internet is a very long term project and its future as a decentralized and empowering force is under serious threat. We should be working to secure it.


  1. David Spector

    You might do some research into how some CAs are supporting free certification, and how the Let's Encrypt project is paving the way for converting the entire Internet into a secure environment. This posting is fine, but way out of date. If you are going to leave this on the WWW, please update it.

  2. Ron

    I don't understand why Moxie stopped developing Convergence. Even more, I don't know why he doesn't run the notary servers anymore. The notaries are not a 100 percent solution, but as an adjunct they are fine. Anyway, I've really been leaning towards the blockchain as a solution. See https://programmingmiscellany.wordpress.com/the-certificate-problem/ for some insight. Especially the last two or three pages.

    • Ron
  3. Daniel

    A web of trust is a pretty fundamental facility in serious security installations. And the CA web is one. I don't think it's going away anytime soon.