SSL still sucks

In a fit of madness I decided to replace the self signed SSL certificate I use with a proper one. The self signed one I made was good for 10 years so I didn't have to deal with renewal nonsense. Various clients did whine a bit, but usually there was some setting to tell them it was ok. The biggest problem with a self signed cert is you generally can't tell the difference between it and a middleman intercepting your connection.

SSL certificates are a curious business. Just like with the credit rating agencies and the banking crisis, the incentives and payments are all wrong. The certificate is analogous to an identity document like a drivers license or a passport. Identity documents are trusted not because of the information on them, but rather who issued them. My British passport is only trusted around the world because the British government is trusted as the issuer. A self signed SSL certificate is analogous to printing your own passport saying it comes from the Republic of You.

To get a SSL certificate you engage with a certificate authority. They will verify your identity information to some degree, accept your money and issue the certificate. But the people who care about your identity are the ones connecting to your site, and they haven't been involved in this process. The browser and operating system manufacturers handily include a list of trusted certificate authorities, but the way it works is that any name will be accepted providing any of those authorities issued it!

Here is the start of the long list of trusted authorities:

image0

If any of those issued a certificate for my site, your browser would trust it, or for amazon.com or microsoft.com [1] for that matter. For the certificate authority businesses to operate, they need to remain in those trusted lists, but also need to make it easy to exchange money for certificates.

Their solution is multiple "classes" - they create intermediate certificate authorities [2] and each of those then has different requirements. For example a class 1 might check there is a working email address associated with the site, while class 3 may involve people doing strong verification including getting business documents and making phone calls. They charge more for the latter.

But it is rather pointless. Your browser accepts class 1 [3] certificates that cost $20 with minimal verification as well as class 3 that cost the site thousands. As an end user, you could check the certificate for each site you visit, determine if you trust the certificate authority, go to their web site to read up what their statements are for that class and decide if it acceptable risk to you. You'll also notice they'll have some legalese disclaiming any liability, making it essentially worthless.

This is all a long winded way of saying that it doesn't really matter who issues your certificates, there are no real assurances behind them any way, and nobody checks. They wouldn't be too different from real world passports printed on tissue paper that only machines ever look at. Consequently I used the free StartSSL certificate authority.

The sign up process is annoying and tedious, largely to try to give the appearance of value and security. New certificate in hand, I then had to replace my self signed certificate. This was more complicated because I also had to include the intermediary authority information.

The various applications I tried all worked perfectly, except those from Mozilla. In the olden days they would give detailed information about SSL issues, but it was gobbeldy gook, so naturally most users clicked whatever they could to get them to the site as quickly as possible. It is virtually impossible to tell the difference between misconfiguration and security breaches. The solution was to hide all that and try to show the minimum amount. Which leads us to today.

Thunderbird doesn't like the certificate for reasons I can't determine. It doesn't even show an error, so it looks like it is working but in reality it is repeatedly hanging up on the server. When using a self signed certificate it at least puts up an error dialog where you can say to permanently accept the certificate. In this case the behaviour for a legitimate certificate is far worse! Going through several arcane menu sequences you can finally make it work, but this is ridiculous.

Firefox initially worked and then stopped. In the end I worked out that it had OCSP issues [4]. I can't really tell who is to blame, and ended up having to turn OCSP off.

Now I have a real certificate, it works providing you go nowhere near Mozilla products, and isn't worth anything anyway. Madness indeed.

[1] There are some minimally deployed attempts to fix this like certificate pinning.
[2] SSL provides a chain of certifying authorities. It would be analogous to getting a passport from England that is then stamped by the British government. You trust the England intermediary because you trust the British government.
[3] The classes are made up by each certificate authority.
[4] OCSP allows checking if a certificate has been revoked. If you lost the private part, someone could impersonate your site or read the traffic, so you would ask the issuer to add it to a list of certificates not to be trusted.

Comments

Comments powered by Disqus