SSL\TLS provides two lovely features we can’t get enough of these days; authentication, and encryption.
The encryption part makes headlines whenever a new vulnerability is discovered in the latest (or oldest) protocols, cipher suites or implementations in use. But on the whole it’s considered “nails” solid. The common way to describe breaking encryption is usually in terms of how many years several PS4’s would need to crunch through a public key.
But with all the power that encryption brings to the table, authentication manages to slip under the radar.
Remember the Superfish fiasco? That started back in 2010, and managed to last almost five years before being shut down. The company behind it choose not to attack hardened encryption algorithms – but rather the weakened, outdated authentication mechanisms SSL\TLS provide.
In short, authentication is provided using a public key infrastructure and x509 certificates, signed by a handful of trusted root certification authorities that somehow got elected to god-like status and become the root of all things secure. There’s a lot of well known ones – VeriSign (now Symantec), Thawte and GeoTrust to name a few.
So do they hold the power? In a way yes. They are required to ensure they only ever sign reputable organisations, and perform stringent tests to ensure the credibility of an applicant, not to mention ensuring they NEVER provide subordinate CA’s outside their organisation.
But you know who really holds the power? The vendors. As we saw when Superfish was uncovered, Lenovo decided to create their own root CA and add it to a selection of new laptops being shipped. it’s not just vendors either, anyone with access to the root certification store can add\remove new certificates.
So who controls the root certificate store? Depends who you’re with. It boils down to:
- Mozilla Foundation
You can probably guess who controls what technology. Mozilla is more popular in the Linux community, and of course Firefox. Google actually uses Microsoft and Apple on their respective OS’s, but maintains its own root CA list on Android.
So remember, that little green padlock is only as good as your vendor is at ensuring rouge CA’s don’t get added to the list.