{"id":911,"date":"2024-12-01T19:26:39","date_gmt":"2024-12-02T03:26:39","guid":{"rendered":"https:\/\/unmitigatedrisk.com\/?p=911"},"modified":"2024-12-02T09:37:25","modified_gmt":"2024-12-02T17:37:25","slug":"government-cas-and-the-webpki-trust-is-often-the-opposite-of-security","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=911","title":{"rendered":"Government CAs and the WebPKI: Trust is Often the Opposite of Security"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Following my <a href=\"https:\/\/unmitigatedrisk.com\/?p=908\">recent post about another CA failing the \u201cTuring test\u201d<\/a> with a likely MITM certificate issuance, let\u2019s examine a troubling pattern: the role of government-run and government-affiliated CAs in the WebPKI ecosystem. This incident brings attention to Microsoft\u2019s root program, what is clear is a fundamental contradiction persists: we\u2019re trusting entities whose institutional incentives often directly conflict with the security goals of the WebPKI.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Value Proposition<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let me be clear\u2014CAs and root programs serve critical functions in the WebPKI. As I discussed in my <a href=\"https:\/\/unmitigatedrisk.com\/?p=181\">article about Trust On First Use<\/a>, attempting to build trust without them leads to even worse security outcomes. The issue isn\u2019t whether we need CAs\u2014we absolutely do. The question is whether our current trust model, which treats all CAs as equally trustworthy regardless of their incentives and constraints, actually serves our security goals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Core Contradiction<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">History has repeatedly shown that the temptation to abuse these capabilities is simply too great. Whether it\u2019s decision-makers acting in their perceived national interest or CAs that fail to understand\u2014or choose to ignore\u2014the consequences of their actions, we keep seeing the same patterns play out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Consider that a CA under government oversight faces fundamentally different pressures than one operating purely as a business. While both might fail, the failure modes and their implications for users differ dramatically. Yet our root programs largely pretend these differences don\u2019t exist.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The DarkMatter Paradox<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The removal of DarkMatter as a CA due to its affiliation with the UAE government, despite its clean record in this context, starkly contrasts with the continued trust granted to other government-affiliated CAs with documented failures. This inconsistency highlights a deeper flaw in root programs: Rules are often applied reactively, addressing incidents after they occur, rather than through proactive, continuous, and consistent enforcement.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>A History of Predictable Failures<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you read <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1934361\">yesterday&#8217;s post<\/a>, you may recall my <a href=\"https:\/\/unmitigatedrisk.com\/?p=181#:~:text=Government%20of%20Brazil%2C%20Autoridade%20Certificadora%20Raiz%\" data-type=\"link\" data-id=\"https:\/\/unmitigatedrisk.com\/?p=181#:~:text=Government%20of%20Brazil%2C%20Autoridade%20Certificadora%20Raiz%\">2011 post<\/a> on the number of government-run or affiliated CAs. The intervening years have given us a clear pattern of failures. Whether through compromise, willful action, or \u201caccidents\u201d (take that as you will), here are just the incidents I can recall off the top of my head\u2014I\u2019m sure there are more:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DigiNotar (2011)<\/strong>: <a href=\"https:\/\/security.googleblog.com\/2011\/08\/update-on-attempted-man-in-middle.html\">Complete compromise leading to rogue certificates for Google and demonstrated MITM attacks against Iranian users<\/a><\/li>\n\n\n\n<li><strong>TURKTRUST (2013)<\/strong>: <a href=\"https:\/\/security.googleblog.com\/2013\/01\/enhancing-digital-certificate-security.html\">\u201cAccidental\u201d intermediate certificates<\/a><\/li>\n\n\n\n<li><strong>China\u2019s Great Firewall<\/strong>: Systematic exploitation of trust through encouraging domestic browsers not to validate certificates to enable MiTM<\/li>\n\n\n\n<li><strong>CNNIC (2015)<\/strong>: <a href=\"https:\/\/security.googleblog.com\/2015\/03\/maintaining-digital-certificate-security.html\">Unauthorized intermediate issuance<\/a><\/li>\n\n\n\n<li><strong>ANSSI (2015)<\/strong>: <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1125025\">Deliberate MITM certificates<\/a><\/li>\n\n\n\n<li><strong>Kazakhstan Government CA (2019)<\/strong>: <a href=\"https:\/\/security.googleblog.com\/2019\/08\/protecting-chrome-users-in-kazakhstan.html\">Attempted forced root installation<\/a><\/li>\n\n\n\n<li><strong>Telecom Egypt (2019)<\/strong>: <a href=\"https:\/\/blog.mozilla.org\/security\/2019\/10\/09\/removing-old-root-certificates-in-firefox-69\/\">Systematic traffic interception<\/a><\/li>\n\n\n\n<li><strong>ICP-Brasil (2024)<\/strong>: <a href=\"https:\/\/repositorio.iti.gov.br\/resolucoes\/Resolucao209_descontinuidade_SSL.htm\">Announced end of SSL issuance in August<\/a>, issued likely MiTM <a href=\"http:\/\/google.com\/\">google.com<\/a> certificate in November<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Economics of (In)Security<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The fundamental problem isn\u2019t just technical\u2014it\u2019s economic. While some root programs genuinely prioritize security, inconsistencies across the ecosystem remain a critical challenge. The broader issue is not simply about convenience but about conflicting incentives\u2014balancing compatibility, regulatory pressures, and market demands often at the expense of doing what is best for end users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>CAs face strong incentives to maintain their trusted status but relatively weak incentives to uphold the rigorous security practices users expect. The cost of their security failure is largely borne by users, while the benefits of looser practices accrue directly to the CA. Audits, much like those in <a href=\"https:\/\/unmitigatedrisk.com\/?p=717\">financial scandals such as Wirecard or Enron<\/a>, often serve as window dressing. With CAs selecting and paying their auditors, incentives rarely align with rigorous enforcement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The long tail of rarely-discussed CAs is particularly concerning. Many root certificates in browser trust stores belong to CAs that issue only dozens to hundreds of certificates annually, not the thousands or millions that major CAs produce. Some haven\u2019t issued a certificate in ages but retain the capability to do so\u2014and with it, the ability to compromise security for months or longer. It wouldn&#8217;t be unreasonable to say these low-volume CAs pose risks far outweighing their utility.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Certificate Transparency: Necessary but Not Sufficient<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While <a href=\"https:\/\/certificate.transparency.dev\/\">Certificate Transparency<\/a> has been invaluable in helping identify incidents (including the latest ICP-Brasil case), it\u2019s not a complete solution. Its limitations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reactive nature<\/strong>: Violations are identified only after they occur.<\/li>\n\n\n\n<li><strong>Monitoring challenges<\/strong>: Effective oversight is resource-intensive and depends on a small community of volunteers.<\/li>\n\n\n\n<li><strong>Incomplete coverage<\/strong>: Not all certificates are logged, leaving gaps in visibility.<\/li>\n\n\n\n<li><strong>Poorly funded<\/strong>: We have too few logs and monitors to have confidence about the long-term survivability of the ecosystem.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Limits of Technical Controls<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Some browsers have implemented technical guardrails for some CA mistakes in their validation logic, such as basic certificate linting and rules, to reject certificates that don&#8217;t pass basic checks but nothing more granular. There have been discussions about imposing additional restrictions on CAs based on their relationship to government oversight or regulatory jurisdictions. However, these proposals face significant pushback, partly due to the political consequences for browser vendors and partly due to concerns about basing trust decisions on \u201cfuture crime\u201d scenarios. As a result, the WebPKI remains stuck with a one-size-fits-all approach to CA trust.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Monitoring Gap<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The challenges extend beyond malicious behavior to include operational oversight. For instance, in August 2024, ICP-Brasil formally announced they would cease issuing publicly trusted SSL\/TLS certificates. Yet by November, they issued a rogue certificate for <a href=\"http:\/\/google.com\/\">google.com<\/a>. This outcome was predictable\u2014public CT logs in 2020 revealed their consistent inability to handle basic operational and issuance requirements, including issuing certificates with invalid DNS names and malformed URLs. Despite these red flags, they remained trusted.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>How many other CAs operate outside their stated parameters without detection? Patterns of technical incompetence frequently precede security incidents, but warnings are often ignored.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Required Reforms<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To address these systemic issues, root programs must adopt the following measures:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Consistent Standards<\/strong>: Apply appropriate scrutiny to CAs based on their operational and institutional context.<\/li>\n\n\n\n<li><strong>Swift Response Times<\/strong>: Minimize delays between discovery and action.<\/li>\n\n\n\n<li><strong>Proactive Enforcement<\/strong>: Treat red flags as early warnings, not just post-incident justifications.<\/li>\n\n\n\n<li><strong>Technical Controls<\/strong>: Implement meaningful restrictions to limit the scope of certificate issuance.<\/li>\n\n\n\n<li><strong>Automated Compliance<\/strong>: Require CAs to report security incidents, and operational, and ongoing compliance while continuingly to monitor them via automated checks for compliance.<\/li>\n\n\n\n<li><strong>Value Assessment<\/strong>: Regularly evaluate whether each CA\u2019s utility justifies its risks and remove those that do not.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Protecting Yourself<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Until the ecosystem adopts consistent and enforceable security measures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows users should monitor Microsoft\u2019s root program decisions.<\/li>\n\n\n\n<li>Enterprises should use the Microsoft distrust store and group policies.<\/li>\n\n\n\n<li>Everyone should stay informed about CA incidents and their handling.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>When Will We Learn?<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The &#8220;Turing Test&#8221; reference in my previous post was somewhat tongue-in-cheek, but it points to serious questions: How many more failures will it take before we fundamentally reform the WebPKI? Even if we know what&#8217;s needed, can we realistically create a system that treats government-affiliated CAs differently &#8211; or even reliably identify such affiliations &#8211; given the complex web of international relations, corporate structures and potential diplomatic fallout?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With regulatory frameworks like eIDAS 2.0 potentially constraining security measures browsers can take, vigilance from the security community is more critical than ever. Stay vigilant, and keep watching those CT logs. Someone has to.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Following my recent post about another CA failing the \u201cTuring test\u201d with a likely MITM certificate issuance, let\u2019s examine a troubling pattern: the role of government-run and government-affiliated CAs in the WebPKI ecosystem. This incident brings attention to Microsoft\u2019s root program, what is clear is a fundamental contradiction persists: we\u2019re trusting entities whose institutional incentives [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[217,3,4],"tags":[],"class_list":["post-911","post","type-post","status-publish","format-standard","hentry","category-certificates","category-security","category-thoughts"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=911"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/911\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}