Trust the PKI or it's anarchy on the Internet

Trust the PKI or it's anarchy on the Internet

Summary: When Microsoft automatically updates your Windows trusted root certificates, are they inserting secret backdoors for the NSA to spy on you? No, but even if they were, you'd still have to trust them.

TOPICS: Security, Browser

The PKI (Public Key Infrastructure) is an imperfect system, requiring trust in organizations that not everyone trusts. Even so, nearly everyone on the Internet is dependent for their security, to some degree, on the system of digital certificates and the software which employs them. 

The system fails now and then and, when it does, it rightly attracts a lot of attention. It works 99.(some very large number) percent of the time, but the only way it works is if we submit to it. We have to put our trust in the certificates issued by Symantec and Comodo and their ilk. And it's not just them, it's also Apple and Microsoft and many large telecom companies and, in many countries, the government. (Of course, we now know that, even in the US, if you trust Microsoft and Apple you implicitly trust the US government.) 

There's really no choice. Even for those who know what's going on with their SSL and certificates, it's impractical to try to trust the system just a little or to pick and choose. The vast bulk of the Internet population wouldn't even know what to do. 

So it's unhelpful to complain, as German magazine C'T does, that Microsoft's automatic updating of root certificates lacks transparency. (That article is in German; I can't find an official English translation and I'm mostly relying on the account of Johannes Ullrich, who discussed the article in his daily ISC StormCast on July 31.)

Windows includes many trusted root certificates, possibly some from the US government.

Trusted root certificates are digital certificates that are trusted inherently in the system. Individual certificates for sites cannot be trusted on their own, so they refer up a certificate chain of issuers which the client can verify up to the root. The issuers of these roots  - generally Certificate Authorities - are the ones you have to trust. Below is a screen grab of the Windows 7 trusted root certificate list. 

C'T's complaint is that Microsoft automatically issues updates to their root certificate list without user interaction or any clear indication that it has made any changes. 

The implication, and based on Google Translate I think C'T says this out loud, is that Microsoft could issue a root certificate at the behest of the NSA or some other shadowy agency to assist them in compromising your computer and accounts.

Yes, of course they could do this. We're talking about Microsoft, the people who write the operating system. They could put code to compromise your computer right into the operating system. But the government doesn't need to use Microsoft to issue malicious root certificates; as the screen grab above shows, the US government has its own certificates in the list. (Of course, if you don't trust Microsoft, why should you trust that the list itself is accurate?) 

Automatic updating of root certificates is essential to the proper functioning of the PKI. At times the list changes: root certificates are issued and revoked, or they may even expire. In the case of a root certificate revocation it's essential that the update go out quickly in order to protect users. In that same Certificates manager in the screen grab you can find the "Untrusted Publishers" tab; several of those certificates are root certificates.

Too many users ignore updates to let this go unaddressed. Incidentally, it's not just Internet Explorer; Google Chrome, Apple Safari and a lot of other software - basically any software which uses the Windows CryptoAPI - relies on the Windows Certificate Store, which is the database displayed in the Certificates list in the image above.

Mozilla software, including Firefox, is the exception. They have their own crypto code and their own certificate store, and they update it too, although they do so through documented updates such as this one.  Microsoft doesn't announce their root certificate updates (that I've found), but they do provide the updates separately in the Download Center so you could look them up there.  And there's nothing new about this practice by Microsoft. C'T links to a Technet article on how Windows Server 2003 performs this function. .

Microsoft provides ways for you to turn off the updates using registry hacks or group policy, but it would be a bad idea to do so. If you do, you can expect errors in the browser (IE, Safari, Chrome) and elsewhere indicating certificates being signed by untrusted authorities.

Ullrich says that automatic updating is "kind of a good thing," but I wouldn't qualify it the way he does. It's an obviously good thing, and the counterarguments are petty. Ullrich points out that the only real alternative, unless you reject the PKI entirely, is to create your own list of trusted root certificates and install it manually. Almost nobody does this; it's completely impractical.

What are the checks and balances on the software companies and CAs? One is the market; if a CA gets a bad rep they may lose customers to their numerous competitors. The CAs know that their business depends on their reputation. In theory the market also applies to the software companies in this way, but it's hard to see certificate management being a major factor in customers shifting between operating systems or even browsers. The companies, like Microsoft and Mozilla, that manage certificate stores, also have policies for inclusion of root certificates that could result in a certificate being removed for insecure practices of the organization.

But the main check is the research community. These are the hackers, like Moxie Marlinspike, who focus on the weaknesses in the CA system and put pressure on them to work as best they can, even if, as Moxie would argue, the system itself is fundamentally flawed. Like I said, CAs need to have a good reputation, and hacker exposés are bad for business.

There are experiments going on for how to replace the CAs as part of the PKI, but they are clearly not ready for prime time, and it's not at all clear that they will scale to Internet levels of demand. The best-known is TACK (Trust Assertions for Certificate Keys) by Marlinspike and others, but the standards draft they wrote has a lot of dust on it and I see no evidence the IETF is interested.

No, your choices are to trust all those big, bad corporations or anarchy. I don't think that's hyperbole; an Internet without a CA system today would be anarchy. Nobody could perform any sensitive operations like banking and you'd be nuts even to do email on it. So just accept that you have to trust Microsoft and Symantec and, for what it's worth, the NSA. 

Topics: Security, Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is again another biased article from ZD

    1) It starts with the summary - why mention MSFT when other OS companies do also update the Certificate Store ?
    2) Mention with discretion Apple and make some typo to dilute the case of Apple
    3) Conclude that we need to trust the Government, Microsoft and Symantec is a little lightweight - and certainly neither Symantec or MSFT are the only responsible

    This is again another article to bash on MSFT
    • Bashing Microsoft?

      I thought of it as the opposite. I criticized someone else for bashing Microsoft. The article focuses on Microsoft because it was the focus of criticism I addressed and because the Windows certificate store is the most important one out there; even Microsoft would agree with this. I do point out that Mozilla, for example, does their own certificate management.

      Thanks for pointing out the typo. Oops.
      Larry Seltzer
      • Good article

        It all boils down to the software and hardware you run. Windows having 50 M lines of code. You'll have to trust them or write your own OS and run it on hardware you completely built. Then write millions more lines of code for all the other software you give admin rights to.
        • Another option...

 Linux and open source software. You don't have to write a 50 M line operating system yourself or all of your software to know that it's safe if the code is open, things are transparent, and you, not Redmond or Cupertino, controls everything that happens on your machine.
          • Commuication on the Internet

            Okay, so you download your favorite distro, install it and the first thing you are asked to do (in some cases) is to update your new OS. What browser do you think will be free of NSA's influence? Sure, your OS is "clean" but your browser isn't. Do you really think Firefox is going to be free of intrusive software? I know this wasn't mentioned, but can you imagine someone not following the pack? Is it just me, or can you imagine some horrific event not occurring with the "Black Sheep"?
          • So go distro-compiled, then!

            You mean... like Iceweasel, which is built from FF sources(with mods) on Debian? A bit harder to 'hide' something in there when it's in the sources. Yes, you're trusting the debian packager, but you're doing the same thing with the rest of the OS... but it's likely a darned sight better than MS or Apple or Google.
            Chromium as well - built from sources, without some of the extra (closed) bits included with Chrome.

            Also, even if you have to use Firefox, I think there's a much better chance it is 'clean' than Chrome or Internet Explorer, considering the fact that the current shenanigans with Tor and the NSA-contractor built exploite code had to use a variety of hacks(instead of simply calling some form of (hopefully undetectable) built-in backdoor.
  • Even PKI needs to be looked at. Trust no one..

    ask yourself, when you create your private key, do you just imagine in your brain? or you use a vendor tool creates that? If a tool creates it then security is not guaranteed. and you must start that same ole trust stuff.. if only you think of it in your own head and don't mention to any vendor even the certificate publisher :) then ... interesting.. I don't think there is anybody beyond the reach of big dudes. like it or not..
    • Private key generation

      If you use OpenSSL or similar OSS software to generate your private keys you can be moderately sure the eyes of many people have been on the code.

      Of course this won't help if your machine is compromised is some other fashion but one simple way to make you feel a little more secure.
      • Which is amusing...

        That those many eyes that glazed over and missed that somebody commented out the line that guaranteed entropy because it was throwing compiler warnings about an uninitialized variable and we had a period of time where OpenSSL was less than secure.

        It was fixed quickly, but during that period, the keys generated were as secure as WiFi WEP.
  • Of course, there is choice

    The Internet already has it's own PKI, DNSSEC -- and there is a technology known as DANE to just what is needed to properly authorize certificate usage.

    After all, in order to access an Internet site, you do need both Internet and DNS, so you can always do the required checks and the data is never stale -- but the old style external PKI is just not necessary.

    DANE completely removes the need to update CA certificates all the time via unsecured channels and if you don't trust the DNS root, you can of course decide what to trust.
  • US to rejoin British Commonwealth!

    Now that we've gotten rid of the pesky little things that were keeping us apart like police needing warrants, gun ownership and those nasty Rights, it's an ideal time to rejoin the world's Largest Empire!
    Tony Burzio
    • Except

      Except the American practice is now LESS respectful of individual rights than the British; they may not WANT us back any more!
  • Paranoia

    I think a little bit of paranoia is a good thing personally.

    "Just because you're paranoid doesn't mean they aren't out to get you."
  • Too much fuss, so just give up already?

    Actual trust requires work so just give up already? I think not. Check out initiatives like
    • not the same

      CACERT is just a free CA, it doesn't mean you can stop trusting all the other CAs.
      Larry Seltzer
  • How DARE You

    Even thou carefully worded You have ignited a destructive, harmfull idea about a great service that I consider not only harmfull, but criminal !
  • Define "announce"

    "Microsoft doesn't announce their root certificate updates (that I've found)"

    Define "announce," because you've actually listed ways they announce it.

    "No, your choices are to trust all those big, bad corporations or anarchy."

    Maybe, maybe not. We haven't really tried any third party services on a large scale, so honestly we can't say truthfully that we know this.
    • slight rephrase

      "We haven't really tried any third party services on a large scale"

      erm, slight rephrase: We haven't really tried any alternatives on a large scale.

      Want my edit button back, ZDNet.
      • announcements

        These updates go through the Windows Update service so they could announce them as security updates through the usual Technet channels. This would be similar to the way Mozilla does their updates. The updates I'm thinking of are vulnerability notifications, so perhaps it's not quite appropriate there, but they could make something that works.
        Larry Seltzer
        • Root Certs are announced on PAtch tuesday

          I used to, until recently, administer Our WSUs Infratstructure and Microsoft clearly labels the Root Certs updates. It is also in the Patch notes for Patch Tuesday.
          What they don't do is label it as Critical or even important! it just another Extra updates that you specifically have to approve to push it out.