Gmail and SSL

Steven Bellovin smb at cs.columbia.edu
Wed Jan 2 16:36:13 UTC 2013


On Jan 2, 2013, at 7:53 AM, valdis.kletnieks at vt.edu wrote:

> On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:
> 
>> I would say those claiming certificates from a public CA provide no
>> assurance of authentication of server identity greater than that of a
>> self-signed one would have the burden of proof to show that it is no
>> less likely for an attempted forger to be able to obtain a false
>> "bought" certificate from a public trusted CA that has audited
>> certification practices statement,  a certificate improperly issued
>> contrary to their CPS,  than to have created a self-issued false
>> self-signed certificate.
> 
> There's a bit more trust (not much, but a bit) to be attached to a
> cert signed by a reputable CA over and above that you should attach
> to a self-signed cert you've never seen before.
> 
> However, if you trust a CA-signed cert more than you trust a self-signed
> cert *that you yourself created*, there's probably a problem there someplace.
> 
> (In other words, you should be able to tell Gmail "yes, you should expect
> to see a self-signed cert with fingerprint 'foo' - only complain if you
> see some *other* fingerprint".  To the best of my knowledge, there's no
> currently known attack that allows the forging of a certificate with a
> pre-specified fingerprint.  Though I'm sure Steve Bellovin will correct
> me if I'm wrong... :)


No, you're quite correct.  Depending on what you assume, that would take
a preimage or second preimage attack.  None are known for any current hash
functions, even MD5.

I think, though, that that isn't the real issue.  We're talking about a
feature that would be used by about .0001% of gmail users.  Apart from
code development and database maintenance by Google -- and even for Google,
neither is free -- it requires a UI that is comprehensible, robust, and
doesn't confuse the 99.9999% of people who think that a certificate is
something you hang on the wall.  (Aside: do you remember how Netscape
displayed certs -- in a frame with a curlicue border?  These are *certificates*;
they should look the part, right?  I'm just glad that the signature wasn't
denoted by 3-D shadowing on a "raised" seal....) Furthermore, the UI has
to have a gentle way of telling people that the cert has changed, which
may be correct.  (Recall that for some of these users, they didn't create
the cert; it was done by the admin of a site they use.) Do you run Cert
Patrol (a Firefox extension) in your browser?  It's amazing how much churn
there is among certificates used by big sites (including Google itself).
Certificate pinning is a great idea for experts, but it requires expert
maintenance.  I haven't yet seen a scalable, comprehensible version.

I wish Google did support this, but I don't think it's unreasonable of
them not to.  Recall that they've been targeted by governments around the
world, precisely the sort of adversary who can launch active attacks.  Now,
if you want to say that these adversaries can also corrupt CAs, whether
they do it technically, procedurally, financially, or by sending around
several large visitors who know where the CEO's kids go to school -- well,
I won't argue; I certainly remember the Diginotar case.  There may even
be a lesser threat from using self-signed certs, since these large
individuals operate on a human time frame, so it's more scalable to hit
a few large CAs than a few thousand dissidents or other targets of
interest.  I think, though, that there are arguments on both sides.

(The issue of you yourself accepting your own certs is quite different, of
course.)


		--Steve Bellovin, https://www.cs.columbia.edu/~smb








More information about the NANOG mailing list