Certificate authority GlobalSign, who was implicated as having suffered a security breach by the infamous “ComodoHacker”, have released their final report on the incident.
Not only is the report thorough and convincing, but it appears that GlobalSign took every action, exactly as they should have, both during and after the incident.
The report’s conclusion? At no time was any of their certificate signing infrastructure compromised by an attacker.
A peripheral web server that was not a part of their signing infrastructure was hacked into and it potentially put their own SSL certificate at risk, which they immediately revoked.
As soon as there was a credible threat they shut down signing operations. Then, in parallel with their investigation into whether the compromise was more involved than just the web server, they proceeded to strengthen their existing controls to be sure a future attack would fail as well.
What is this you say? Chester is saying nice things about a certificate authority? Yes, within reason.
If all certificate authorities cared about the integrity of the system the way GlobalSign has, we would have a lot less to worry about when using SSL/TLS.
The problem isn’t with GlobalSign, the problem is that we expect the other 600+ signing authorities to behave in a similar manner. Time and again it has been proven that they don’t, which leads me to some related initiatives from Google and the Electronic Frontier Foundation (EFF).
If I were a certificate authority facing the angry security mob demanding they be made redundant, I would be getting behind one of these alternative proposals that still sees value in their participation.
Unlike Moxie Marlinspike (and to a degree, me), Google and the EFF think the existing system can be fixed, but it is in need of some fundamental changes.
The EFF’s proposal is called Sovereign Keys and builds upon the existing security imparted through the use of Public Key Infrastructure (PKI).
Web surfers would not be forced to trust every certificate authority absolutely, but rather could check with multiple mirrors that possess an append-only log of valid, signed keys/certificates.
These “sovereign keys” could be obtained through DNSSEC or from traditional certificate authorities.
Google’s Ben Laurie and Adam Langley published their proposal “Certificate Authority Transparency and Auditability” (CATA) which is similar to the EFF’s proposal, but would likely be easier to implement transitionally.
CATA also utilizes an append-only database to allow clients to verify audit proofs provided by web servers to check them against a log of valid certificates.
Unlike the EFF’s Sovereign Keys, CATA would work largely like the current system without the option for DNSSEC.
Audit proofs could be issued by supporting web servers without breaking existing client implementations.
It’s great to finally see some sensible proposals and so many great minds working on this vexing problem. It may not be easy to fix, but the future of security and privacy on the internet depend on it.