For a long time, I have felt that SSL/TLS – the protocol that secures your communications with Web sites, mail servers and most everything across the Internet – is broken. It is broken to the point that it is fundamentally insecure, except for the most technically-aware and security-alert individuals, who also have the time to check the certificate for each and every Web site.
SSL is supposed to provide three guarantees:
Confidentiality answers, “how do I, as the sender of a message, know that no one but the intended recipient can read it?”
SSL uses cryptography quite well to do this job. It was a core part of the design, and ensures that when you send your password to the your bank – or your update to Facebook – that no one on the way can read it. That includes not only the owner of the coffee shop WiFi, but also their ISP, the core networks it runs through, your bank’s ISP, malicious actors spying on the way, and hopefully even government entities like NSA and GCHQ.
Integrity answers, “how do I, as the recipient of the message, know that this is the exact, unmodified message the recipient sent?”
SSL uses cryptography quite well to do this job. It, too, was a core part of the design, and ensures that when you send your bank a transfer request of $500 – or that super-important Facebook update – that is precisely what you sent them, and no one on the way could have changed it without Facebook knowing. That includes all of the same innocent and not-so-innocent actors as before.
Authenticity answers, “how do I, as the person sending a message, know that the recipient really is the one I intended?”
Put in other terms, “how do I know that the Website to which I am connecting is my bank, and not someone who just copied their Web site, will steal my credentials, and log into the real one to steal my money?”
In security circles, this is known as a “man-in-the-middle” , or MITM, attack.
Here lies the problem.
Apparently, when SSL was first being created, the focus was on Confidentiality and Integrity. Authenticity was added at the last second, very much an afterthought. We might think this strange, but we are living with 20 years of public Internet. At the time of SSL creation, all of this was very new indeed.
How did they solve the authenticity problem?
They created “Certificate Authorities“, or CAs.
CAs basically are entities we trust implicitly. Their signature is embedded in every browser we use: Safari, Chrome, Brave, IE, Firefox, you name it. When someone, say Barclays Bank, wants to have a Web site others will trust really is Barclays, they go to a CA and say, “please sign a certificate saying this certificate comes from Barclays.”
When we connect securely to www.barclays.com, they present the certificate, signed by their CA, for Verisign (hence the name, “Verisign”). And, yes, I checked; they really do use Verisign. Since Verisign’s certificate is installed on our browsers – it ships with just about every operating system and browser out there – we say, “I trust Verisign, Verisign trusts that this certificate came from Barclays, therefore, I trust that this is Barclays.”
In theory, that works great.
The problem? There are a lot of CAs.
In principle, this is a very good thing. After all, we want competition. When Verisign started, the cost of a certificate was prohibitive. Nowadays, you can get one for free at letsencrypt.org.
However, since there are many, if someone from a different CA also signs a certificate claiming to represent barclays.com, then if that site presents the certificate to us, we will believe it is them and never know it!
Think it doesn’t happen?
Repressive countries like China and Iran and Russia have CAs, many of which are in your browsers. All one of them would have to do, especially when in their borders, is intercept your connection to barclays.com and present a certificate signed by their CA. Unless you know how to read certificates and remember to do so, you will be none the wiser.
CAs as authenticity are broken… fundamentally.
Why haven’t people fixed it? I am hardly the only one to notice it.
The problem isn’t a technology problem. There are many proposed solutions, some better than others.
The problem is a market problem. There are, literally, billions of devices out there, all with the SSL CA-based trust algorithm baked right in. Any new solution requires replacing billions of legacy devices.
Will it ever be fixed? Definitely. Eventually someone big enough, with enough heft to hit the massive legacy problem, will do it. It will be difficult, but it will happen.
Until then, “Houston, we have a (security) problem.”