Mozilla raises specter of death sentence on insecure CAs
The security requirements for certificate authorities have, so far, been, well, there haven't been any. Mozilla is now attempting to impose some, and giving CAs precious little time to come up to standard. Could the Mozilla "death sentence" be imposed?
Mozilla's letter to certificate authorities demands some significant information by September 16, 2011, the end of next week. While the letter itself reveals nothing about breaches, we know from the EFF's SSL Observatory project that many certificate authorities aren't sticklers for detail when it comes to security.
If a CA were not to respond in time or not meet Mozilla's demands, could they receive the Mozilla Death Sentence -- removal from the collection of trusted roots? Such a fate would mean that Mozilla users who visited an HTTPS site with that CA's certificate would get a big, ugly warning that the site isn't protected by a trusted authority. Mozilla doesn't make this threat explicitly, but does say: "Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe".
Some of Mozilla's demands could be problematic to implement in a week. The one that really sticks out for me is: "Confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance". I have a story related to this.
As I pointed out in my recent piece on the DigiNotar hack, the hacker names himself COMODOHACKER and appears to be the same guy who hacked a subsidiary of Comodo back in June. The details of that hack made it clear that the subsidiary had just single-factor authentication -- a username and password -- to gain access to an account with certificate issuance privileges.
I happened to meet with a senior Comodo exec right about then and suggested that maybe two-factor authentication would be a good idea for such powerful accounts, but the exec dismissed the idea. The problem lay elsewhere, he said, in the insecurity of the DNS (a problem for which his company just happened to be working on a great solution!). So anyway, I'm sure Comodo subsidiaries aren't the only ones who don't meet these standards.
Some of Mozilla's other demands aren't, or at least shouldn't be, that hard. For instance, a complete list of subsidiary CAs is something you'd hope they'd have at hand. If not, they could steal the data from the SSL Observatory's map of all the CAs seen on the IPv4 Internet.
This example of cheating on the audit raises the point that Mozilla's audit is a self-reported affair, much like a PCI self-assessment questionnaire. Mozilla's only knowledge of whether a CA uses two-factor authentication may come from the CA itself. If the CA lies about it, there may be no way of finding out.
Another potentially tough one is "Confirm that you have automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Please further confirm your process for manually verifying such requests, when blocked". You'd think any CA would be smart enough to do this, but you'd also think they would use two-factor authentication.
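As an added example (not code from Mozilla, Comodo, or any CA), here is what the two demands discussed above look like when enforced on the issuance path: an account that can cause issuance must present a second factor, and a request for a high-profile name is held for manual verification instead of being issued automatically. The operator accounts, the password salt, the blocklist, and the sample requests are all constructed for the demo; the TOTP seed is the RFC 6238 reference seed, so the codes are reproducible.

```python
"""Issuance gate demonstrating two controls from Mozilla's 2011 CA letter:
a second factor on every account able to cause issuance, and an automatic
block on high-profile names that diverts the request to manual verification.
Added example; operators, seeds, salt and the blocklist are constructed."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30                  # RFC 6238 time step
DIGITS = 6                         # code length
PBKDF2_ROUNDS = 100_000
SALT = b"constructed-demo-salt"    # a real deployment uses a random per-user salt

# RFC 6238 reference seed (ASCII "12345678901234567890") so codes are reproducible.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at the given Unix time."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(seed_b32: str, code: str, unix_time: int) -> bool:
    """Accept the current step or one step either side, compared in constant time."""
    return any(hmac.compare_digest(totp(seed_b32, unix_time + s * STEP_SECONDS), code)
               for s in (-1, 0, 1))


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


# Constructed operator accounts. totp_seed=None models a password-only login
# of the kind the Comodo subsidiary's issuance account had.
OPERATORS = {
    "reseller-ops": {"pw": hash_password("hunter2"), "totp_seed": None},
    "ra-alice": {"pw": hash_password("correct horse battery staple"),
                 "totp_seed": RFC_SEED_B32},
}

# Constructed sample of high-profile domains that must never be issued automatically.
HIGH_PROFILE_DOMAINS = {"google.com", "mozilla.org", "live.com", "yahoo.com"}


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing dot, and treat a wildcard as its base domain."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def blocked_names(names):
    """Return the requested names that are, or sit under, a high-profile domain."""
    hits = []
    for raw in names:
        n = normalize_name(raw)
        if any(n == d or n.endswith("." + d) for d in HIGH_PROFILE_DOMAINS):
            hits.append(raw)
    return hits


def gate_issuance(request: dict, unix_time: int):
    """Return ("denied", reason), ("manual_review", names) or ("issue", names)."""
    op = OPERATORS.get(request.get("operator", ""))
    candidate = hash_password(request.get("password", ""))   # hash even for unknown users
    if op is None or not hmac.compare_digest(op["pw"], candidate):
        return ("denied", "bad credentials")
    if op["totp_seed"] is None:
        # A password-only account may exist, but it cannot cause issuance.
        return ("denied", "no second factor enrolled on this account")
    if not verify_totp(op["totp_seed"], request.get("totp_code", ""), unix_time):
        return ("denied", "second factor failed")
    hits = blocked_names(request["names"])
    if hits:
        return ("manual_review", hits)        # a human verifies before anything is issued
    return ("issue", list(request["names"]))


if __name__ == "__main__":
    now = 59                                  # RFC 6238 vector time; the code is 287082
    demo = [
        {"operator": "reseller-ops", "password": "hunter2", "names": ["example.net"]},
        {"operator": "ra-alice", "password": "correct horse battery staple",
         "totp_code": totp(RFC_SEED_B32, now), "names": ["mail.google.com", "example.net"]},
        {"operator": "ra-alice", "password": "correct horse battery staple",
         "totp_code": totp(RFC_SEED_B32, now), "names": ["example.net"]},
    ]
    for req in demo:
        print(req["operator"], req["names"], "->", gate_issuance(req, now))
```

Two design points worth noticing: the password-only account is refused outright rather than offered a weaker path, which is what "required for all accounts capable of directly causing certificate issuance" implies; and the name check normalizes wildcards and trailing dots before matching, so `*.GOOGLE.COM.` is held for review just as `mail.google.com` is, while `notgoogle.com` is not.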
I do know that many large CAs (Symantec for example, for whom I have done paid consulting work) have long bragged of their strenuous security measures for protecting the certificate issuance process. It's reasonable to believe that they can afford this better than the el-cheapo $11.95/year domain-validated SSL certificate vendors, although all of them are in Mozilla's and other browsers' roots. Perhaps that's where the problems will be concentrated.
I have to think that a large number of CAs will either be failing this test or lying on it. If you do lie and get caught, it's reasonable to believe that you'll get the death sentence, but if you just don't make the grade? My guess is that Mozilla will see what the results are and work with CAs to shape up quickly or ship out of the root database.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.