Thursday, January 3, 2013

Fraudulent Google Certificate Issued by TURKTRUST - a CA you can safely delete

Firefox's default list of trusted certificate authorities

I'll point you here for the full story, and add my two cents below.

Sadly I don't have time to get into the rabbit hole of explaining certificates and SSL, so this will have to be directed at those already in the know.

Here's the overview. A root certificate authority, TURKTRUST (yes, they're Turkish), somehow issued two certificates in 2011 that allowed their owners to impersonate any *.google.com site. And I'm here to let you know you can go right ahead and delete TURKTRUST from your browser without worrying you'll ever need it.

This useful bit of information is courtesy of "Nasko" at netsekure.org, who did a survey in 2010 of the most commonly used certificate authorities on the web. This was in order to reduce his attack surface, since we've seen a steady stream of CA (certificate authority) compromises over the years, and if you don't trust a CA in the first place, you can't be fooled by their fraudulent certificates.

His surprising results were that you only need about 25 CA's out of the hundreds that browsers trust by default. His survey queried the top 1 million most popular sites according to Alexa, so you can be pretty sure he didn't miss much of the web.

What's more, I actually implemented his findings, deleting all but those 25 from my own browser. And after several months of (heavy) browsing, I can tell you I've never once run into a problem.
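To make the survey-and-prune idea concrete, here is a small Python example I've added to this post; it is not code from the post, from netsekure.org, or from any browser vendor. It takes a set of observed certificate chains (the sample chains, hostnames and CA names below are constructed for illustration), attributes each site to the root it ultimately anchors on, picks the smallest set of roots that covers a target fraction of sites, and then lists exactly which sites would stop validating if you removed everything else. The `installed_roots` helper only reads what the local Python SSL store has loaded, so its output depends on your machine.

```python
import ssl
from collections import Counter

# Constructed sample survey: hostname -> chain of certificate subjects from
# leaf to trust anchor. None of these are real sites or real CAs.
SAMPLE_CHAINS = {
    "www.example-a.com":  ["CN=www.example-a.com", "CN=Alpha Secure CA G2", "CN=Alpha Root CA"],
    "shop.example-b.net": ["CN=shop.example-b.net", "CN=Alpha Secure CA G2", "CN=Alpha Root CA"],
    "mail.example-c.org": ["CN=mail.example-c.org", "CN=Beta EV CA", "CN=Beta Root"],
    "example-d.com":      ["CN=example-d.com", "CN=Beta DV CA", "CN=Beta Root"],
    "example-e.co.uk":    ["CN=example-e.co.uk", "CN=Gamma Intermediate", "CN=Gamma Root"],
    "login.example-f.io": ["CN=login.example-f.io", "CN=Alpha Root CA"],  # issued straight from a root
    "intranet.example-g": ["CN=intranet.example-g", "CN=Obscure Regional Gov CA"],
}


def root_of(chain):
    """The last subject in a chain is the anchor that must sit in the browser's store.

    Caveat: a cross-signed root can let the same leaf verify through more than one
    anchor, so attributing a site to a single root undercounts its alternatives.
    """
    return chain[-1]


def root_usage(chains):
    """Count how many surveyed sites ultimately chain to each root."""
    return Counter(root_of(c) for c in chains.values())


def minimal_root_set(chains, coverage=0.99):
    """Greedy cover: keep the most-used roots until `coverage` of sites still verify.

    Returns roots in descending order of how many sites depend on them.
    """
    usage = root_usage(chains)
    total = len(chains)
    kept, covered = [], 0
    for root, n in usage.most_common():
        if covered / total >= coverage:
            break
        kept.append(root)
        covered += n
    return kept


def removal_impact(chains, trusted_roots):
    """Sites whose anchor is not in `trusted_roots`: these break after the prune."""
    trusted = set(trusted_roots)
    return sorted(host for host, chain in chains.items() if root_of(chain) not in trusted)


def installed_roots():
    """Subject CNs of the roots the local Python SSL context has loaded.

    Machine-dependent, and capath directories are only loaded lazily, so treat this
    as a hint, not a full inventory of the system or browser trust store.
    """
    ctx = ssl.create_default_context()
    names = []
    for cert in ctx.get_ca_certs():
        cn = dict(rdn[0] for rdn in cert.get("subject", ())).get("commonName")
        if cn:
            names.append("CN=" + cn)
    return sorted(names)


def deletion_candidates(installed, kept):
    """Roots present locally that the survey never needed: the prune list."""
    return sorted(set(installed) - set(kept))


if __name__ == "__main__":
    kept = minimal_root_set(SAMPLE_CHAINS, coverage=0.85)
    print("roots needed for 85% of surveyed sites:", kept)
    print("sites that would break:", removal_impact(SAMPLE_CHAINS, kept))
    print("locally installed roots not needed by the survey:",
          deletion_candidates(installed_roots(), kept))
```

Run on the sample data, three roots cover 6 of 7 sites, and the only casualty of dropping the fourth is the intranet host that anchors on the obscure government CA, which is exactly the sort of entry the post argues you can live without. Feed `removal_impact` the chains of the sites you actually visit before pruning anything, since the 2010 survey's 25 roots reflect Alexa's top sites, not your bank or employer.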

After the jump, my revelations on the bigger picture I learned through this experiment.

Are you here? Okay. Here's the big secret. All the website SSL certificates out there being sold publicly are from just a handful of root CA's. The vast majority of those installed in browsers are specialty CA's that aren't even intended for public web traffic. I think they're mostly for internal use at large companies or government agencies, or for email validation only.

Because browsers can't be seen as capricious or prejudiced in their decisions of which CA's to include, they develop standardized criteria and adopt the policy that any organization who applies and passes these tests and audits will be accepted as a root CA. Well, at least I know Mozilla does. And we all know how fallible audits are. Also, audits can't answer the more abstract questions like whether to trust CNNIC, given that it's China's main Internet agency. And we know the sorts of things China's Internet overlords think are cool.

Anyway, I think this leads to the inclusion of lots of organizations who are able to technically fulfil the requirements, but whose presence in our browser's list of Extremely Trusted Entities we might seriously question. For instance, do I really need to give full power to seamlessly impersonate any website on the planet to "Agència Catalana de Certificació" (apparently an obscure Catalonian government agency*)? Should I be giving the ability to man-in-the-middle my most trusted communications to "Netlock Halozatbiztonsagi Kft." (some Hungarian tech company, also barely existent on the web)? Not to single out the funny-sounding foreign ones. I have almost as many misgivings about "Microsoft Internet Authority" and even "Wells Fargo Root Certificate Authority," for various reasons.

The bottom line is that browsers, for political reasons, are unable to deny the inclusion of all these organizations who feel the need to put the entire world at risk just because they want their employees to use their own in-house (and likely awful) email authentication system.

But while the browsers can't say no, you can.


* There is hardly any information out there on this agency's existence, but according to Google's translation of its Catalonian Wikipedia page, it "seeks to manage digital certificates and provide services related to electronic signatures and identification processes required in the scope of the Catalan public administrations." This seems to support my theory that many of these CA's aren't even intended for wide use on the web. This has more to do with internal administrative activities for this one small government agency.
