November 23, 2003

Trusting Certification Authorities

Today joat talked about CACert.org and the fact that they are an issuer of free SSL certificates. This is a topic that drives me batty, because anyone with a Linux box and OpenSSL can build their own root certificate and then blast out certs till they are blue in the face. Arc does this for ufies.org, which isn't a bad thing. Just pointless. No one outside of the ufies community will trust his root cert. But for his application and use, he doesn't care. Nor should he. It is an effective way to use OpenSSL and generate trust amongst that community.

The problem with this sort of approach is trust. If you want to be your own CA, all the power to ya. If you admin the machines, you can add your own root cert during install and have the level of trust that you want. Hopefully you have enough common sense to properly protect the root's private key (you lose that and the whole chain of trust is toast). However, this isn't practical for most people that use digital certificates, especially when driving ecommerce or secure web traffic (HTTPS).
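As an added example (not code from the original post), the following shell session builds a private root with OpenSSL, issues a server cert from it, and shows what "no one outside the community will trust his root cert" means in practice: the cert verifies only against a store that contains that exact root. The names ufies-root, unrelated-root and www.ufies.test are constructed placeholders; the run assumes OpenSSL 1.1.1 or later is installed.

```shell
# Added example, not the original post's code: private root CA with OpenSSL,
# a server cert issued from it, and verification against three trust stores.
set -e
WORK=$(mktemp -d)
# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME: self-signed root cert and key in $WORK/NAME.pem / NAME.key.
# Whoever holds NAME.key can mint certs that every client trusting NAME.pem accepts.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf ROOT HOST: CSR for HOST signed by ROOT, written to $WORK/HOST.pem.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 730 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against ROOT HOST: exit 0 only if HOST.pem chains to ROOT.pem.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_system HOST: exit 0 only if HOST.pem chains to the default OS/browser store.
verify_system() {
  openssl verify "$WORK/$1.pem" >/dev/null 2>&1
}

make_root ufies-root       # the community's own root (constructed name)
make_root unrelated-root   # somebody else's private root
issue_leaf ufies-root www.ufies.test
verify_against ufies-root www.ufies.test && echo "accepted: root is in the store"
verify_against unrelated-root www.ufies.test || echo "rejected: a different private root"
verify_system www.ufies.test || echo "rejected: not in the default trust store"
```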

Verisign has made big bucks on web identity trust. As they should... they cornered a market way back when and are now branded as the "SSL Cert Provider". What people don't realize is that there ARE alternatives that are just as trustworthy, especially given the business practices Verisign has recently tried. Maybe you heard about it?

One of the Certificate Authorities I believe isn't getting the credit they deserve is The Comodo Group. They have earned the WebTrust Seal with KPMG as auditors, and have a root cert in almost every browser currently on the market, which means they have over 99.3% browser coverage. The result is that for almost every customer you will NOT have to install a root cert, which is inherently untrusted... and that makes a more seamless experience for your customers/employees.

Beyond the fact that you can trust this root cert more than home grown CAs, and the fact that it is ALREADY in the root cert pool in almost all your software, they come in at a reasonable cost. You can get a 2 year cert for $139. Compare that to the $1,595 you would pay Verisign (I am using a 2 year, 128bit SSL cert for a fair comparison)... you can see the ROI clearly by doing your homework. What is more interesting is that because Comodo automates a lot of the cert publication itself, you can get that reduced further if you know about their reseller program.

If you search around, you will find you can get a 1 year cert from places like InstantSSL for $49 a year. This is a 128bit SSL cert signed by Comodo, and is trusted in over 99.3% of the browsers currently on the market. It does not include the Site seal, but you can get that for another $20. I found a good price comparison chart that shows their different services with costing... just so you can verify it for yourself.

So don't fret about Verisign gouging you... and don't trust weak certificate authorities like CACert. Spend some time, do the research and find a provider that is in the current root cert pool and check their credentials. After all, a CA is all about trust... you can't leave that to other people blindly.

Now, before I get bombarded with nastygrams from CACert lovers, let me be clear. I like what they stand for. And I appreciate the efforts. But as a security professional I must state that trust has to be earned and verified. Until you are vetted through an authority I will trust (start by gaining the browser vendors' trust by getting added as a root cert) I can't seriously recommend you as a service. Let's forget about the debacle on the front of your website, where you do not trust your own content and are telling everyone that because you can't trust your own stuff, you are taking it down. How can I trust you if you can't trust yourself? It is nice to see you take those actions (which was the responsible thing to do)... but they shouldn't have gotten there in the first place.

All in all, if you need a digital certificate, consider checking out Comodo. It's fast, secure, cost effective and above all... trusted.

Posted by SilverStr at November 23, 2003 09:15 AM
Comments

I agree that trust is the issue. All parties involved have to trust the CA. Most roll-your-own CAs cannot be trusted in that they either run an insecure organization or have nothing to lose if a certificate is compromised.

The roll your own approach is valuable if you need to provide encryption for a small organization or group of people, including user-level certs for authentication.

Posted by: joat at November 23, 2003 01:40 PM

What you failed to mention is most of the commercial CAs paid up to US$250,000 to be included and had some fancy documentation written up; this doesn't make them trustworthy, they just have a bigger bank account... Even Verisign have stuffed up in the past, issuing certificates for Microsoft to a social engineer...

Posted by: Duane at January 3, 2004 07:06 AM

Hey Duane,

Trust is earned, not given. Having a bigger bank account isn't what makes them trustworthy. Yet having the money DOES indeed make a difference. Here is why:

1) Money can be spent on auditing the integrity of the organization, the safeguards they use and the procedures they follow for cert management (Something required by KPMG WebTrust)

2) Stability. We know that the root cert won't be folding tomorrow. Running a non-profit off of donations is nice, but what ensures you will keep the lights on tomorrow?

3) Guidelines for addition to root cert pools aren't just about submitting a wad of money and getting added. There are procedures you must follow and levels of trust established between the root cert providers and the browser/OS vendors to ensure that the providers are legit, and have policies in place for cert issuance and revocation that meet the standards of that vendor. Although I don't put HUGE faith in this... this is a single step that weeds out a lot of the bad eggs.

I agree with you though that it's not perfect, including Verisign (of course, I don't recommend Verisign anyway). Verisign isn't the only one to screw up due to social engineering. Hopefully you guys over at cacert.org won't be another social engineering nightmare.

Good luck to you. I wish you guys the very best.

Posted by: SilverStr at January 3, 2004 01:33 PM

Well it seems as though the Mozilla guys will add our certificate into their browser, and as noted in discussions on bugzilla, the initial auditing may be a moot point if the organisations screw up and there are no repercussions for that. Toothless tiger if you will: lie through your teeth, get accepted, then run amok cause nothing will happen... Whereas respect and real trust mean a lot more to us... as for the lights on thing, currently we're self-sufficient (money wise), and a legal entity that can only be disbanded by a 100% vote of the membership...

Posted by: Duane at February 10, 2004 04:46 AM

Congratulations on the Mozilla addition Duane.

I'm curious, what was the process you spent with Mozilla to be added as a root cert?

Posted by: SilverStr at February 10, 2004 08:24 AM

I've sent this email to CAcert:

"Who are you? Why should I trust you?"

I have yet to receive a response...

Posted by: Panos Stokas at March 6, 2004 02:27 AM