Windows better protects apps, users from rogue DigiNotar certificates
It's received wisdom in software development generally that you don't write your own code when a perfectly good implementation is there for the taking. It's the old saw about reinventing the wheel. But it's especially true of cryptographic code. Windows programs that utilized the OS standard crypto functions got fast and automatic protection from the rogue certificates distributed during the DigiNotar scandal.
Over the last couple weeks, as stories about the hacking of certificate authority DigiNotar increased, various companies retracted their trust and the Dutch government stepped in. Given that the criminal who did the hacking announced the fact, it was potentially too late for anyone to protect themselves, but still time is of the essence in such matters.
Mozilla issued updates to the supported versions of their products to remove DigiNotar from the trust lists. So did Adobe and, eventually, Apple, although only for OS X and not yet (as of Sunday night) for iOS, so iPhones and iPads still trust DigiNotar, and that means they trust some of the rogue certificates; more than 500 were issued.
But Microsoft moved fastest, and the scope of its fix was much wider than is generally appreciated. "On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL." The Microsoft CTL or Certificate Trust List is a list of trusted and untrusted certificates maintained online by Microsoft. It acts as a backup certificate trust check to the rules in the Windows Certificate applet.
All Windows apps on Vista, Windows 7, Windows Server 2008 and 2008 R2 that use standard Windows APIs for cryptography get checks against the CTL for free. The list is dynamically fetched under a number of circumstances, mostly when a new root certificate is encountered while checking a server certificate, but also once per week by default. This means that users of Windows crypto apps on those systems were protected as soon as Microsoft made this change on their list. Automatically. Microsoft later issued an actual update to Windows systems to mark the DigiNotar certificates as Untrusted, both to cover Windows XP and Windows Server 2003 users and, on later Windows versions, as another defense-in-depth measure.
The CTL change protected Internet Explorer users, but it also protected a lot of third-party apps. Google Chrome and Apple Safari on Windows were both protected earlier on Windows (Vista/7) than on any other platform.
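An added example, not from the article or from Microsoft: a PowerShell check an administrator can run to see which machine certificate stores hold DigiNotar certificates (including the Untrusted store, named `Disallowed`) and how the Windows chain engine, the one apps using the standard crypto APIs depend on, judges a given certificate. The function names and the file path are hypothetical.

```powershell
# Added example. Find-CertByName, Test-PlatformChain and the sample path are hypothetical names.

# List certificates whose subject or issuer matches a name, per machine store.
# 'Disallowed' is the store shown as "Untrusted Certificates" in the Certificates snap-in.
function Find-CertByName {
    param([string]$Pattern = 'DigiNotar',
          [string[]]$Stores = @('Root', 'AuthRoot', 'CA', 'Disallowed'))
    foreach ($s in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$s" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            Select-Object @{ n = 'Store'; e = { $s } }, Subject, NotAfter, Thumbprint
    }
}

# Build a chain for a certificate file with .NET's X509Chain, which on Windows
# delegates to the OS chain engine, so the result reflects the machine's trust state.
function Test-PlatformChain {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $trusted = $chain.Build($cert)
    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $trusted
        # Empty when the chain is clean; otherwise the engine's reasons for rejecting it.
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject }
    }
}

Find-CertByName
# Test-PlatformChain -CertPath 'C:\temp\server.cer'   # hypothetical path to an exported certificate
```

A DigiNotar entry under `Disallowed` and none under `Root` or `AuthRoot` is the state the Windows update described above is meant to produce.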
I asked Alun Jones of Texas Imperial Software, which creates and sells secure Windows software, mostly secure FTP, about crypto programming for Windows. Jones chose SChannel (COM interfaces for TLS/SSL) for WFTPD Pro rather than OpenSSL for a few reasons:
* He doesn't have to keep supplying updated libraries to his users (if they stay up to date with Windows they are up to date with SChannel).
* The certificate store is controlled by Group Policy and is global to the computer, rather than specific to his application.
* The CryptoAPI and SChannel were (at the time) slightly better documented than OpenSSL. Now, of course, their documentation is much better than OpenSSL's.
I have to say that the one time I tried to do something non-trivial with OpenSSL I was dismayed by the documentation. I suspect that most developers have to go ask questions on mailing lists and such to do complex things. But don't read this praise of Windows Crypto as condemnation of OpenSSL. It's high-quality software depended on by many respectable companies; in fact, indirectly at least, almost everyone on the Internet relies on OpenSSL.
And using standard libraries is no guarantee of bug-free crypto code; you can still make your own SSL-related mistakes. According to Jones, "a relatively recent example is the renegotiation attacks against web servers (including IIS), where the web server would treat some information sent before the SSL renegotiation as if it was authenticated by SSL."
If major web servers were making these mistakes then surely less-experienced developers do it all the time. But certainly your code will be safer using standard crypto libraries, especially those on Windows.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.