
This is an old revision of the page Library / Articles / Certified Lies / Protecting Users from 01/04/2010 12:28.


7. Protecting Users


The major web browsers are currently vulnerable
to the compelled certificate creation attack, and
we do not believe that any of the existing privacy
enhancing browser add-ons can sufficiently protect
users without significantly impacting browser usability. Certainly, none of the existing browser
security add-ons have been designed to address this
specific threat.


In an effort to significantly reduce the impact of
this attack upon end-users, we have created Certlock, a lightweight add-on for the Firefox browser.
Our solution employs a Trust-On-First-Use (TOFU)
policy, reinforced with enforcement that the country of origin for certificate issuing does not change
in the future. Specifically, our solution relies upon
caching CA information, which is then used to empower users to leverage country-level information in
order to make common-sense trust evaluations.

In this section, we will outline the motivations
that impacted the design of our solution, discuss
our belief in the potential for users to make wise
country-level trust decisions, and then explore the
technical implementation details of our prototype
add-on.


7.1 Design Motivations
The compelled certificate creation attack is a classic
example of a low probability, high impact event [32].
The vast majority of users are extremely unlikely to
experience it, but for those who do, very bad things
are afoot. As such, it is vital that any defensive
technique have an extremely low false positive rate,
yet be able to get the attention of users when an
attempted SSL session hijacking is detected.

Most users are unlikely to know that this threat
even exists, and so it is important that any protective system not require configuration, maintenance,
nor introduce any noticeable latency to users' connections. Given the low likelihood of falling victim
to this attack, most rational users will avoid any
protective technology that requires configuration or
slows down their Web browsing [33].

Furthermore, to achieve widespread adoption
(even more so if the browser vendors are to add similar functionality to their own products), any protective technology must not sacrifice user privacy for
security. Information regarding users' web browsing habits should not be leaked to any third party,
even if that party is 'trusted' or if it is done so
anonymously. The solution must therefore be self-contained, and capable of protecting the user without
contacting any remote servers.

We believe that most consumers have no idea
how SSL functions, what a CA is, the role it performs, nor how many companies are trusted by their
browser to issue certificates. Expecting consumers
to learn about this process, or to spend their time
evaluating the business practices and trustworthiness of these hundreds of firms is hopelessly unreasonable.
Nevertheless, the security of the current
system requires each user to make trust decisions
that they are ill equipped (and unwilling) to perform.

We also believe that consumers do not directly
trust CAs. Aside from the biggest CAs such as
VeriSign and large telecommunications firms local
to their country,¹² it is unlikely that consumers have
ever heard of the vast majority of the hundreds of
companies entrusted by their web browser to issue
certificates. Thus, it is just as unreasonable to expect an American consumer to make a reasonable
trust decision regarding a certificate issued by Polish technology firm Unizeto Technologies as it is to
expect a Japanese consumer to evaluate a certificate
issued by Bermuda based QuoVadis. However, both
of these CAs are trusted by the major browsers, by
default.

¹² For example, Verizon in the United States, Deutsche Telekom in Germany or Swisscom in Switzerland.

Consumers are simply told to look for the lock
icon. What happens in the browser to produce that
lock icon is, for all practical purposes, magic. We
believe that it is our responsibility as security technologists to make sure that what happens behind
the scenes does in fact protect the average user's
privacy and security.

This is not to say that we think that users are
clueless — merely that browsers currently provide
them with little to no useful contextual information,
without which such complex decisions are extremely
difficult.

7.2 Country-Based Trust
We believe that many consumers are quite capable
of making basic trust decisions based on country-level information.¹³ That is, a US consumer whose
banking sessions are normally encrypted by a server
presenting a certificate signed by a US based CA
might become suspicious if told that her US based
bank is now using a certificate signed by a Tunisian,
Latvian or Serbian CA.

¹³ However, the number of American fraud victims who continue to be tricked into sending money to scammers in Nigeria seems to suggest that not all consumers are equipped to evaluate trust based on country information.

To make this trust evaluation, she doesn't have
to study the detailed business policies of the foreign
CA; she can instead rely on common sense, and ask
herself why her Iowa based bank is suddenly doing business in Eastern Europe. In order to empower
users to make such country-level evaluations
of trust, CertLock leverages the wealth of historical
browsing data kept by the browser.

Individuals living in countries with laws that protect their privacy from unreasonable invasion have
good reason to avoid trusting foreign governments
(or foreign companies) to protect their private data.
This is because individuals often receive the greatest legal protection from their own governments, and
little to none from other countries. For example, US
law strictly regulates the ability of the US government to collect information on US persons. However,
the government can freely spy on foreigners
around the world, as long as the surveillance is performed outside the US. Thus, Canadians, Swedes
and Russians located outside the United States have
absolutely no reason to trust the US government to
protect their privacy.

Likewise, individuals located in countries with oppressive governments may wish to know if their communications
with servers located in foreign democracies are suddenly being facilitated by a domestic
(or state controlled) CA. Thus, for example, users
in China told that their encrypted session to Google
Mail is suddenly using a certificate provided by a
Chinese CA are quite likely to realize that something is wrong.

7.3 Avoiding False Positives
A simplistic defensive add-on aimed at protecting
users from compelled certificate creation attacks
could simply cache all certificates encountered during browsing sessions, and then warn the user any
time they encounter a certificate that has changed.
In fact, such an add-on already exists [34].

The problem with such an approach is that it is
likely to suffer from an extremely high false positive rate. Each time a website legitimately changes
its certificate, the browser displays a warning that
will needlessly scare and soon desensitize users.
There are many legitimate scenarios where certificates change. For example: old certificates expire;
certificates are abandoned and/or revoked after a
data breach that exposed the server private key; and
many large enterprises that have multiple SSL accelerator appliances serving content for the same domain
use a different certificate for each device [35].

By adopting a Trust-On-First-Use policy, we assume that if a website starts using a different certificate
issued by the same CA that issued its previous
certificate, there is no reason to warn the user. This
approach enables us to significantly reduce the false
positive rate, while having little impact on our ability to protect users from a variety of threats.

We also believe that there is little reason to warn
users if a website switches CAs within the same
country. As our threat model is focused on a government adversary with the power to compel any
domestic CA into issuing certificates at will, CAs
within a country can essentially be seen as equals.
That is, a government agency able to compel a new
CA into issuing a certificate could just as easily compel the original CA into issuing a new certificate for
the same site. Since we have already opted to not
warn users in that scenario (described above), there
is no need to warn users in the event of a same-country CA change.

By limiting the trigger of the warnings to country-level changes, we believe that we have struck a balance that will work in most situations.

7.4 Implementation Details
Our Certlock solution is currently implemented as
an add-on to the Firefox browser.

The Firefox browser already retains history data
for all visited websites. We have simply modified
the browser to cause it to retain slightly more information. Thus, for each new SSL protected website
that the user visits, a Certlock enabled browser also
caches the following additional certificate information:

A hash of the certificate.
The country of the issuing CA.
The name of the CA.
The country of the website.
The name of the website.
The entire chain of trust up to the root CA.

When a user re-visits an SSL protected website,
Certlock first calculates the hash of the site's certificate and compares it to the stored hash from previous visits. If it hasn't changed, the page is loaded
without warning. If the certificate has changed, the
CAs that issued the old and new certificates are
compared. If the CAs are the same, or from the
same country, the page is loaded without any warning. If, on the other hand, the CAs' countries differ,
then the user will see a warning (see Figure 3).



Figure 3: The warning displayed to users of Certlock.



At a high level, this algorithm is quite simple.
However, there are a few subtle areas where some
complexity is required.

Because governments can compel CAs to create
both regular site certificates as well as intermediate CA certificates, any evaluation of a changed site
certificate must consider the type of CA that issued
it.

While the web browser vendors do not vouch for
the trustworthiness of any of the root CAs that they
include, we believe it is reasonable to assume that
the browser vendors do at least verify the country
information listed in each of their root CAs. Therefore, we are able to trust this information as we evaluate changed certificates.

When Certlock detects a changed certificate, it
must also determine the type of CA that issued the
new certificate. If the new certificate was issued by
a root CA, then Certlock can easily compare the
country of the old certificate's CA to the country
of the new root CA. However, if the new certificate
was issued by an intermediate CA, then we have
no way of verifying that the issuing CA's country
information is accurate.

As an example, the Israeli government could compel StartCom, an Israeli CA, to issue an intermediate
CA certificate that falsely listed the country of the
intermediate CA as the United States. This rogue
intermediate CA would then be used to issue site
certificates for subsequent surveillance activities. In
this hypothetical scenario, let us imagine that the
rogue CA issued a certificate for Bank of America, whose actual certificate was issued by VeriSign
in the United States. Were CertLock to simply
evaluate the issuing CA's country of the previously
seen Bank of America certificate, and compare it
to the issuing country of the rogue intermediate CA
(falsely listed as the United States), CertLock would
not detect the hijacking attempt. In order to detect
such rogue intermediate CAs, a more thorough comparison must be conducted.

Thus, in the event that a new certificate has been
issued by an intermediate CA, Certlock follows the
chain of trust up to the root CA, noting the country of every CA along the path. If any one of these
intermediate CAs (or the root CA itself) has a different country than the CA that issued the original
certificate, then the user is warned.
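
The decision procedure described in this section, written out as an added example; it is not code from the paper or from the Certlock add-on. It assumes certificates have already been parsed into plain records. The names evaluate, sameChain and demo, the id field used to recognise "the same CA", the cache update on acceptance, and all sample values are assumptions made for illustration.

```javascript
// Added example. Constructed records stand in for parsed X.509 certificates:
//   cert = { fingerprint, chain }  chain[0] issued the site cert, last entry is the root
//   ca   = { id, name, country }   id stands in for a hash of the CA certificate (assumption)
function sameChain(a, b) {
  return a.length === b.length && a.every((ca, i) => ca.id === b[i].id);
}

function evaluate(store, host, cert) {
  const known = store.get(host);
  if (!known) {                                   // trust on first use
    store.set(host, cert);
    return { decision: 'first-use' };
  }
  if (known.fingerprint === cert.fingerprint) return { decision: 'unchanged' };
  // Country of the CA that issued the certificate seen on the first visit.
  const pinnedCountry = known.chain[0].country;
  if (sameChain(known.chain, cert.chain)) {       // same CA: routine renewal
    store.set(host, cert);
    return { decision: 'allow', reason: 'same CA' };
  }
  // Different CA: an intermediate's self-declared country is not trusted on
  // its own, so every CA up to and including the root must match.
  const foreign = cert.chain.filter((ca) => ca.country !== pinnedCountry);
  if (foreign.length > 0) {                       // cache is left untouched
    return { decision: 'warn', pinnedCountry,
             foreign: foreign.map((ca) => `${ca.name} (${ca.country})`) };
  }
  store.set(host, cert);  // assumption: an accepted certificate replaces the cached one
  return { decision: 'allow', reason: 'same country' };
}

// Constructed sample CAs mirroring the page's hypothetical scenario.
const rootUS1 = { id: 'ca-01', name: 'Root CA A', country: 'US' };
const rootUS2 = { id: 'ca-02', name: 'Root CA B', country: 'US' };
const rootIL = { id: 'ca-03', name: 'Root CA C', country: 'IL' };
const rogue = { id: 'ca-04', name: 'Intermediate X', country: 'US' }; // false country claim

function demo() {
  const store = new Map();
  const visit = (fingerprint, chain) =>
    evaluate(store, 'bank.example', { fingerprint, chain }).decision;
  return [
    visit('aa11', [rootUS1]),        // first visit
    visit('aa11', [rootUS1]),        // same certificate
    visit('bb22', [rootUS1]),        // renewed by the same CA
    visit('cc33', [rootUS2]),        // new CA, same country
    visit('dd44', [rogue, rootIL]),  // rogue intermediate under a foreign root
  ];
}
```

The last visit is the case a comparison of issuer countries alone would miss: the intermediate claims US, and only the walk to the root exposes the IL root above it.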

