[TriLUG] CA Cert Usefulness

Jos Purvis via TriLUG trilug at trilug.org
Mon Jul 5 17:16:55 EDT 2021


On Sun, Jul 4, 2021, at 17:22, Alan Porter via TriLUG wrote:
> Since CAcert.org's site hosts the root certificate files, and because 
> their site uses a CAcert certificate itself, this is the MOTHER OF ALL 
> self-signed certificates!  It's just ASKING for a man-in-the-middle 
> attack.
> 
> Unlike other sites' self-signed certificates, this one not only grants 
> you access to their site, but also to any site signed by that root 
> certificate, since you're installing it directly into your browser's 
> root cert store.
> 
> This seems to me like a Supremely Bad Idea™.

This is sort of right, but sort of not-right. :)

The not-right part is that this is a problem because the site hosts the root certificate files. The root cert is just a cert (the public half of the key signed with some metadata) so the fact that the site hosts a copy of that cert doesn’t create an issue, since an attacker wouldn’t have access to the private key needed to generate more certificates. We distribute copies of all our root certificates, and you have them built into your browser trust store—that’s how you trust them.

The *right* part of that is that this *does* potentially enable some nasty attacks. The problem is that when you install the root cert, you are accepting CAcert.org as a “certificate introducer”—that is, anyone else who gets a cert from them, you’ll accept that certificate. So in effect, you’re OKing whatever protections or limitations CAcert.org has around issuing certificates. I haven’t checked recently, so I don’t know what limitations they’d place on someone trying to get a certificate from them. In particular:
    - What level of proof do they require to issue me a cert for a particular domain name? What types of authentications do they require to prove you control that domain? That is, if I want a certificate for “abc.jospurvis.org”, how can I prove I own that domain and should have that certificate?
    - Will they issue me wildcard certificates or just single-host certs? (Wildcards can be useful, but allow me to impersonate much larger swaths of hosts at a time.)
    - Is it possible to get a subCA issued by CAcert.org? How hard is that and what limitations do they place on what that subCA can issue?
    - What level of protections does CAcert.org have in place around its own root and subCA to prevent them from being hacked and used to issue malicious certs? How closely do they track that? Have they had those processes audited by anyone else? Who has access to these certificates and how is their use and access monitored?
    - Are certificates issued from CAcert.org registered or publicly tracked via public logs such as Certificate Transparency records?

There’s a bunch of other questions I’d ask before I accepted them as a root provider into my browser, but those would be a good start. Some or all of those may be addressed on their site, but they’re worth checking. And before someone chimes in, yes: those are the same questions we should be asking of *any* major CA provider included in the browser stores by default (which is what Mozilla, Google, Microsoft, Apple, Cisco, Opera, and others employ people to do!). :)

> One would think that for their own site, they would use a certificate 
> that is signed by somebody else -- ANYBODY ELSE -- just to maintain some 
> level of trust for something as important as a root certificate that 
> you're about to install on your browser. 

That would actually be very difficult. Because of the aforementioned questions and lots of security requirements, CAs that are included in browser root stores are *very* reluctant to give you your own subordinated CA (which is what this arrangement would be). For example, if they wanted someone like DigiCert to give them a subCA cert, CAcert.org would effectively have to give DigiCert oversight of everything CAcert.org does, submit to an annual audit by DigiCert and a third party (which CAcert.org would have to pay for), and issue certificates according to the rules maintained by DigiCert. Because that’s complicated and expensive for both parties, it doesn’t happen much—the exception being things like Let’s Encrypt or ZeroSSL that are sponsored by larger players.

Side note: This is kind of what I do all day. (Remember the “…Apple, Cisco, Opera…” above? The “Cisco” in that line is me and my team.) If anyone’s really interested in the behind-the-scenes sausage-making of the contents of your browser trust store, I’d be happy to answer questions on the CA/Browser Forum, the rules of public SSL, how things like Let’s Encrypt work, and so forth. :) Fun stuff!
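
The "certificate introducer" point in the message above, as an added example that is not part of the original post: a simplified Python model of chain building (structure only, with no signatures, expiry or revocation) showing that one added root makes every leaf, wildcard and subCA-issued certificate under it acceptable. All certificate names and the `path_len` scenario are constructed for illustration.

```python
# Simplified model of trust-store chain building; not real X.509 validation.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str                     # CA name, or DNS name pattern for a leaf
    issuer: str                      # subject of the issuing certificate
    is_ca: bool = False
    path_len: Optional[int] = None   # max CA certs allowed below this CA

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def validate(host, chain, trust_store):
    """chain = [leaf, intermediates..., root]. Returns (accepted, reason)."""
    leaf, root = chain[0], chain[-1]
    if root.subject not in trust_store or not root.is_ca:
        return False, "root not in trust store"
    if leaf.is_ca or not name_matches(leaf.subject, host):
        return False, "leaf does not cover host"
    for depth, (child, parent) in enumerate(zip(chain, chain[1:])):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, "broken chain"
        # depth = number of CA certificates between this parent and the leaf
        if parent.path_len is not None and depth > parent.path_len:
            return False, "path length exceeded"
    return True, "trusted via " + root.subject

# Constructed sample data: every name below is made up.
ROOT = Cert("Example Community Root", "Example Community Root", is_ca=True)
SUB = Cert("Example Sub CA", ROOT.subject, is_ca=True)
LEAF_BANK = Cert("login.bank.example", SUB.subject)
LEAF_WILD = Cert("*.shop.example", ROOT.subject)

def demo():
    chain = [LEAF_BANK, SUB, ROOT]
    before = validate("login.bank.example", chain, set())
    after = validate("login.bank.example", chain, {ROOT.subject})
    wild = validate("pay.shop.example", [LEAF_WILD, ROOT], {ROOT.subject})
    # Same root, but capped so it may not have any subCA beneath it.
    limited = Cert(ROOT.subject, ROOT.subject, is_ca=True, path_len=0)
    capped = validate("login.bank.example", [LEAF_BANK, SUB, limited], {ROOT.subject})
    return before, after, wild, capped

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The only thing that changes between the rejected and accepted results for `login.bank.example` is the contents of the trust store; the site itself is never consulted about who may issue for it.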

