[cryptography] this house believes that user's control over the root list is a placebo

Ian G iang at iang.org
Sat Jun 25 16:48:15 EDT 2011


On 21/06/11 4:15 PM, Marsh Ray wrote:
> On 06/21/2011 12:18 PM, Ian G wrote:
>> On 18/06/11 8:16 PM, Marsh Ray wrote:
>>> On 06/18/2011 03:08 PM, slinky wrote:
>>
>>> .... But we know there are still hundreds of
>>> "trusted" root CAs, many from governments, that will silently install
>>> themselves into Windows at the request of any website. Some of these
>>> even have code signing capabilities.
>>
>> Hmmm... I'm currently working on a risk analysis of this sort of thing.
>> Can you say more about this threat scenario?
>
> I did a blog post about it a while back: http://extendedsubset.com/?p=33
>
> This was about the CNNIC situation,

Ah, the "I'm not in control of my own root list" threat scenario.

See, the thing there is that CNNIC has a dirty reputation.  But CNNIC 
passed the test to get into the root lists.

Which do you want?  A CA gets into a root list because it is nice and 
pretty and bribes its way in?  This was the old way, pre 1995.  Or there 
is an objective test that all CAs have an equivalent hurdle in passing? 
  This was the post 1995 way.

There's no easy answer to this.  Really, the question being asked is 
wrong.  The question really should be something like "do we need a 
centralised root list?"


> since then we've seen Tunisia MITM
> its citizens and they have a national CA as well.

Yup.

> Basically, MS Windows has a list of "Trusted Root CAs". But the list
> displayed there is actually just a subset of the CAs that are
> effectively trusted. When you browse to a site with a CA not in this
> list, Windows can contact Microsoft and on-the-fly add that cert to your
> trusted root store. Innovative, huh?


This is the geek's realisation that they cannot control their list of 
"trusted" CAs.  Their judgement is undermined, as MS Windows' root list 
has gone the next step to dynamic control, which means that the users' 
ability to verify the root is undermined a bit more by not having an 
ability to stop the future dynamic enhancements.

In practice, if we assume a centralised root list, this is probably the 
better result.

It works quite simply:  1 billion users don't check the root list, at 
all.  They rely entirely on the ueber-CA to generate a good root list. 
A tiny fraction of that number (under 1 million, or 0.1%) know about 
something called a root list, something perversely called "trust" bits, 
and the ability to fiddle those bits.  They do that, and imagine that 
they have achieved some higher level of security.  But, this technique 
has difficulty establishing itself as anything more than a placebo.

Any model that offers a security feature to a trivially tiny minority, 
to the expense of the dominant majority, is daft.  The logical 
conclusion of 1.5 decades worth of experience with centralised root 
lists is that we, in the aggregate, may as well trust Microsoft and the 
other root vendors' root list entirely.

Or: find another model.  Change the assumptions.  Re-do the security 
engineering.

iang



More information about the cryptography mailing list