Several months ago in Syria, a Facebook user noticed that Facebook’s IP address resolved strangely. He was also getting an untrusted https certificate warning. A certificate is a piece of text that sits in your browser. You can view yours by going to Tools –> Options –> Advanced –> Encryption and clicking the “View Certificates” button. The server you connect to must verify that it is who it says it is by authenticating against that certificate. Apparently, the Syrian authorities tried to set themselves up to eavesdrop on citizens’ communications with Facebook and to fake the Facebook certificate. Here is an image of the fake certificate next to the real one (on the right).
Syria did not do a very good job. While they were able to set up a Man in the Middle (MITM), they didn’t bother to issue a realistic fake certificate. A browser will warn the user when a web server presents an unknown certificate (the fake one wasn’t found in that user’s list of certificates). Unfortunately, many users just click past whatever warnings they need to click to get to the site they want.
Much more effective and scary is the recent attack by Iran doing almost the same thing but issuing a real certificate through an authority that browsers trust. In this case, the browser will NOT warn the user that the certificate is bogus.
A security company named psyced sought to address this problem. According to them:
Your web browser trusts a lot of certification authorities and chained sub-authority, and it does so blindly. Subordinate or intermediate certification authorities are a little known device: The root CAs in your browser can delegate permission to issue certificates to an unlimited amount of subordinate CAs just by signing their certificate, not by borrowing their precious private key to them. It is unclear how many intermediate certification authorities really exist, and yet each of them has God-like power to impersonate any https site.
Once a subordinate gains this trust, it can issue any “valid” certificate it can think of, even for a domain it has no business signing. This means that these subordinates can change the country of the cert and change the domain, becoming the trusted certificate authority for, say, Bank of America.
Firefox Certificate Patrol to the Rescue. This neat little add-on warns you when a certificate trusted by your browser changes. This extension would warn you if a subordinate certificate authority suddenly got delusions of grandeur and decided it was a major US bank. It keeps a database of all the https certificates it knows about, and if one changes, it warns you.
Installing this product into Firefox, I don’t find it very intrusive or confusing. When it finds a certificate it hasn’t encountered before, it positions a yellow notice at the top of your browser that disappears after a short time. Now that it has shown me one for Twitter, for example, it won’t show me one again until it changes, indicating that either Twitter has changed its provider (unlikely) or that a subordinate certificate authority has been compromised and made to look like Twitter.
Here is an academic-looking paper about such attacks. The paper does a nice job of describing the problem and plausible scenarios where a CA is “compelled” by a government to issue subordinate certificates that may be easily falsified. It promotes a way of warning users only when the country of the certificate authority changes. This is helpful because it can let the user know if their bank’s certificate authority suddenly switched to being issued in Russia. The paper’s promised product, CertLock, seems to have never been released, though.
The paper says,
We also believe that there is little reason to warn users if a website switches CAs within the same country. As our threat model is focused on a government adversary with the power to compel any domestic CA into issuing certificates at will, we consider CAs within a country to be equals. That is, a government agency able to compel a new CA into issuing a certificate could just as easily compel the original CA into issuing a new certificate for the same site. Since we have already opted to not warn users in that scenario (described above), there is no need to warn users in the event of a same-country CA change.
Fortunately, Certificate Patrol has opted to warn users in that scenario and many others. Even if the government compels the same CA into issuing a new certificate, you will be warned. It may not be possible in all cases for you to figure out if something funny is going on, but you will be warned. You may wish to combine this warning with a search in the EFF’s SSL Observatory for further research.
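The two warning policies contrasted above can be compared side by side. The sketch below is an added example, not code from Certificate Patrol or the CertLock paper: it keeps a per-host record of the last certificate seen and reports what an any-change policy and a country-only policy would each say. The class and function names, the host `bank.example`, the CA names and the country code `ZZ` are all constructed for illustration, and it assumes the user accepts each new certificate.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenCert:
    fingerprint: str     # SHA-256 over the certificate bytes
    issuer: str          # name of the issuing CA
    issuer_country: str  # country (C=) attribute of the issuing CA

def record(der: bytes, issuer: str, country: str) -> SeenCert:
    return SeenCert(hashlib.sha256(der).hexdigest(), issuer, country)

class CertStore:
    """Remembers the last certificate seen for each host."""
    def __init__(self):
        self.seen = {}

    def observe(self, host: str, cert: SeenCert):
        """Return (any_change_verdict, country_only_verdict) for one sighting."""
        old = self.seen.get(host)
        self.seen[host] = cert  # assumption: the user accepts the new certificate
        if old is None:
            return ("new", "new")
        if old.fingerprint == cert.fingerprint:
            return ("unchanged", "unchanged")
        # Any-change policy: every replaced certificate is surfaced to the user.
        if old.issuer != cert.issuer:
            any_change = "warn: issuer changed"
        else:
            any_change = "warn: certificate changed"
        # Country-only policy: silent unless the issuing CA's country differs.
        if old.issuer_country != cert.issuer_country:
            country_only = "warn: CA country changed"
        else:
            country_only = "silent"
        return (any_change, country_only)

# Constructed sightings for one hypothetical host; the byte strings stand in
# for real DER-encoded certificates.
SIGHTINGS = [
    (b"constructed-cert-1", "Example Trust CA", "US"),
    (b"constructed-cert-2", "Example Trust CA", "US"),    # same CA reissues
    (b"constructed-cert-3", "Other Example CA", "US"),    # new CA, same country
    (b"constructed-cert-4", "Foreign Example CA", "ZZ"),  # new CA, new country
    (b"constructed-cert-4", "Foreign Example CA", "ZZ"),  # repeat visit
]

def replay(host: str = "bank.example"):
    store = CertStore()
    return [store.observe(host, record(*s)) for s in SIGHTINGS]

if __name__ == "__main__":
    for verdicts in replay():
        print(verdicts)
```

A first sighting is only recorded, so neither policy can flag an interception that is already in place when the host is first visited.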
While Security Patrol is a great product, it is kind of a band-aid. It seems like we need a new approach to the CA system and I don’t know what that is.
They say that Firefox security patrol is for users that will not be befuddled by more alerts in their browsers. They also say that “only by getting familiar with this will really help you get in control.” I say that our privacy and security depend on understanding this stuff.
A great real-life example of how this works is related in this forum post. The browser in question there is Google Chrome, and Google has a slightly different approach to this problem, but the warning would be similar.