548 points mnot | 12 comments
5ersi ◴[] No.38112218[source]
If you are concerned by this proposal, then you should check out the current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in a MITM attack.

For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have the ability to capture IP traffic (requires cooperation with ISP) 2. have the ability to generate a rogue certificate via cooperation with a CA

replies(5): >>38112296 #>>38112304 #>>38112316 #>>38112317 #>>38112423 #
agwa ◴[] No.38112296[source]
Yes, but:

1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.

2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

So it's not really viable to use the existing CA system for MitM attacks.

The eIDAS proposal would:

1. Prevent browsers from distrusting CAs which are used in MitM attacks.

2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.

That creates a system that is very viable for government MitM attacks.

replies(1): >>38112418 #
andyjohnson0 ◴[] No.38112418[source]
> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

That's reassuring but, not knowing much about this, I have a couple of questions:

1. Is this proactively monitored for? And how? And by whom?

2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

replies(3): >>38112437 #>>38112520 #>>38114043 #
1. agwa ◴[] No.38112520[source]
> 1. Is this proactively monitored for? And how? And by whom?

Yes, security researchers like myself are constantly looking in CT logs for suspicious certificates, and I've found many, most notably Symantec issuing certs for example.com (https://groups.google.com/g/mozilla.dev.security.policy/c/fy...) and Certinomis issuing for test.com (https://bugzilla.mozilla.org/show_bug.cgi?id=1496088). Both CAs were eventually distrusted. (But Certinomis will be back once eIDAS is adopted!)

Domain owners can use Certificate Transparency Monitors to learn about suspicious certificates for their own domains. Here are some monitors:

https://crt.sh/ - allows you to search for certificates for a domain

https://github.com/SSLMate/certspotter/ - open source tool which notifies you when a certificate is issued for one of your domains

https://sslmate.com/certspotter/ - commercial service that does the same, operated by my company

> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

In 2017, Chrome and Firefox distrusted Symantec, which was at the time the world's largest certificate authority: https://security.googleblog.com/2017/09/chromes-plan-to-dist...

Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.

replies(4): >>38113722 #>>38114787 #>>38115125 #>>38128643 #
2. ◴[] No.38113722[source]
3. omginternets ◴[] No.38114787[source]
Can you help me intuit what a suspicious certificate might look like in practice?
replies(1): >>38115100 #
4. agwa ◴[] No.38115100[source]
If you're a domain owner monitoring your own domains, a certificate is suspicious if it was not issued by one of the CAs that you use (e.g. you use Let's Encrypt, but you see a certificate for your domain in CT that was issued by Certinomis). If you keep an inventory of all of your certificates, then you can also cross-reference certificates from CT against your inventory, and flag any certificate that isn't in your inventory.

If you're a security researcher monitoring other people's domains, you have to rely on heuristics - e.g. if a domain has a long history of getting certs from a major US CA, and then suddenly a tiny European CA issues them a certificate, that's pretty suspicious. When I found the example.com certificate misissued by Symantec, I thought it was suspicious because it was also valid for subdomains like products.example.com and support.example.com, which don't make sense for a domain that's reserved for documentation purposes. ICANN operates example.com, so I emailed their security team to confirm that they did not authorize the certificate.

The system works best if domain owners are monitoring their own domains, because only they know for sure if a certificate is authorized or not.

replies(1): >>38115471 #
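
The two domain-owner checks described in the comment above (a certificate from a CA you do not use, and a certificate missing from your inventory), as an added example that is not part of the thread and is not certspotter's code. The entry fields, the monitored domain, the fingerprints and the sample entries are all constructed for illustration and do not follow the output format of crt.sh or certspotter.

```python
# Added example: every name and value below is an assumption made for illustration.
MONITORED = {"example.org"}          # domains we own
ALLOWED_ISSUERS = {"Let's Encrypt"}  # CAs we actually use
INVENTORY = {"aa11"}                 # fingerprints of certificates we requested

CT_ENTRIES = [  # constructed sample of entries seen in CT logs
    {"fingerprint": "aa11", "issuer": "Let's Encrypt",
     "dns_names": ["example.org", "www.example.org"]},
    {"fingerprint": "bb22", "issuer": "Let's Encrypt",
     "dns_names": ["*.example.org"]},
    {"fingerprint": "cc33", "issuer": "Certinomis",
     "dns_names": ["support.example.org"]},
    {"fingerprint": "dd44", "issuer": "Certinomis",
     "dns_names": ["notexample.org"]},
]

def covers_monitored(name, monitored=MONITORED):
    """True if a SAN is a monitored domain, a subdomain of one, or a wildcard under one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Compare on a label boundary so notexample.org does not match example.org.
    return any(name == d or name.endswith("." + d) for d in monitored)

def review(entry):
    """Return the reasons an entry is suspicious; an empty list means nothing to flag."""
    if not any(covers_monitored(n) for n in entry["dns_names"]):
        return []  # not our domain, so we cannot say whether it was authorized
    reasons = []
    if entry["issuer"] not in ALLOWED_ISSUERS:
        reasons.append("unexpected issuer")
    if entry["fingerprint"] not in INVENTORY:
        reasons.append("not in inventory")
    return reasons

def flagged(entries=CT_ENTRIES):
    """Map fingerprint -> reasons for every entry that needs a human look."""
    return {e["fingerprint"]: r for e in entries if (r := review(e))}

if __name__ == "__main__":
    for fp, reasons in flagged().items():
        print(fp, ", ".join(reasons))
```

The inventory check catches what the issuer check alone misses: `bb22` comes from an expected CA but was never requested by the domain owner.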
5. uxp8u61q ◴[] No.38115125[source]
That's your smoking gun? CAs that issued certificates for example.com and test.com? You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?
replies(1): >>38115253 #
6. agwa ◴[] No.38115253[source]
> You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?

Care to point out where I said that?

example.com and test.com are real domains, and their owners did not authorize those certificates to be issued, so issuing them was a serious breach of the trust which CAs are expected to uphold. Furthermore, the discovery of these certificates led to investigations which turned up additional issues which are documented in detail here:

https://wiki.mozilla.org/CA/Symantec_Issues

https://wiki.mozilla.org/CA/Certinomis_Issues

7. omginternets ◴[] No.38115471{3}[source]
That makes sense, thank you.

Follow-up question: presumably, a state actor with dominion or leverage over a CA can coerce said CA into issuing a certificate, right?

replies(1): >>38115639 #
8. agwa ◴[] No.38115639{4}[source]
Yes, though eventually the state actor would run out of CAs to coerce as all the CAs in their country get distrusted.

The threat of distrust means CAs have a very strong incentive to contest any government orders, since if they comply their business is destroyed.

replies(2): >>38116321 #>>38125552 #
9. omginternets ◴[] No.38116321{5}[source]
That tracks. Thanks for helping me get a bead on this!
10. PeterStuer ◴[] No.38125552{5}[source]
In some very prominent countries there are laws with extreme consequences which not only prevent companies from contesting and not complying, but even prevent them ever disclosing such requests.
replies(1): >>38126850 #
11. ExoticPearTree ◴[] No.38126850{6}[source]
True, but then they will be found out and distrusted. So basically they'll lose business because of the government of the country they are established in.
12. jrmg ◴[] No.38128643[source]
It looks like the Symantec distrusting was done with the cooperation of Symantec, which agreed to wind things down and transfer clients to a new provider in an orderly fashion?