[liberationtech] self signing certs by default
Julian Oliver
julian at julianoliver.com
Fri Mar 14 11:56:13 PDT 2014
..on Fri, Mar 14, 2014 at 10:46:30AM -0700, Lucas Gonze wrote:
> Let's say web servers auto generated self-signed certificates for any
> domain that didn't supply its own certificate, likely one from an authority.
>
> What that would accomplish is to make the stream unreadable over the wire,
> unless the attacker was willing and able to do an MITM with their own auto
> generated self-signed certificate.
>
> It would not be hard to do that MITM, but it would be orders of magnitude
> more expensive than copying unencrypted bytes off the router. It would not
> be practical to do the MITM against a large portion of traffic. The
> attacker would have to pick their targets.
>
> Thoughts?
I see several problems with this. Firstly, it would be far too trivial for an
attacker to listen for requests for resources at 443 and, using a variety of
methods (DNS spoofing, click-jacking, XSS, phishing, ARP cache spoofing at LAN
level, DHCP race), become MiTM and start serving certs to the client, which the
client then has no reason to distrust any more than certs from the desired host.
Then, the MiTM brokers the real HTTP traffic to the client, effectively
reimplementing Moxie's 'SSL-stripping'.
But yes, something ought to be done. Many large CAs have proved to breach
user-trust, with government clients on the side holding private keys. Much of
the time those complaining about the cost of SSL/TLS to bandwidth are serving
veritable books' worth of JavaScript and lots of poorly compressed image data.
Self-signed certs won't be more popular however as long as browsers represent
them as The Black Death (or well, at least something frightening). That aside I
think that there's no reason to not use SSL/TLS these days where data integrity
is needed on the WWW.
It would be good if Debian and other popular GNU/Linux LAMP distributions made
OpenSSL/TLS key generation (and set up of a VirtualHost template for :443) an
encouraged option during an Apache installation (OpenSSL is a dependency
anyway). It could be a simple walkthrough with Qs for CN and admin email,
abstracting over the classic and ungainly:
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
After all, there are far too many bad HOWTOs out there for setting up SSL, some
of which don't even include chmodding down keys to 600 or lower once generated!
Moxie's words on the matter are indispensable here, especially his thoughts on
'Trust Agility':
http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
His Convergence project is certainly worth a look, too:
http://convergence.io/
Shame it didn't catch on. AFAIK it needs a certain critical mass of 'Trust
Notaries'.
Cheers,
--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
PGP key: https://julianoliver.com/key.asc
Beware the auto-complete life.
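The install-time walkthrough Julian sketches above, written out as an added example (not code from the post, from Debian or from Apache): a POSIX shell function that runs the same openssl req step non-interactively with the CN and admin email passed as arguments, adds a subjectAltName because browsers no longer match hostnames against the CN alone, and makes sure the private key is mode 600 from the moment it is written. It assumes OpenSSL 1.1.1 or later (for -addext) and either GNU or BSD stat; the file names apache.key/apache.pem are taken from the one-liner in the post.

```shell
#!/bin/sh
# Added example, not code from the post or from Debian: non-interactive
# self-signed key/cert generation with the key locked to 0600 from creation.
# Assumes OpenSSL 1.1.1+ (-addext) and GNU or BSD stat.
set -eu

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_mode_ok FILE -> true only if group/other have no bits (600 or stricter)
key_mode_ok() {
    case "$(file_mode "$1")" in
        [0-7]00|0) return 0 ;;   # e.g. 600, 400
        *)         return 1 ;;
    esac
}

# gen_selfsigned_cert CN EMAIL OUTDIR [DAYS]
# Same openssl req step as the one-liner in the post, but with the subject
# passed on the command line (no prompts) and a subjectAltName, which
# browsers require since they no longer match hostnames against CN alone.
gen_selfsigned_cert() {
    cn=$1; email=$2; outdir=$3; days=${4:-365}
    mkdir -p "$outdir"
    # umask in a subshell: the key file is born 0600, with no window in which
    # it is world-readable, and the caller's umask is left untouched.
    ( umask 077
      openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
          -subj "/CN=$cn/emailAddress=$email" \
          -addext "subjectAltName=DNS:$cn" \
          -keyout "$outdir/apache.key" -out "$outdir/apache.pem" 2>/dev/null )
    chmod 600 "$outdir/apache.key"   # the step many HOWTOs forget
    chmod 644 "$outdir/apache.pem"   # the certificate itself is public
    key_mode_ok "$outdir/apache.key"
}

# cert_subject_cn CERT -> prints the CN from the certificate subject
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san CERT HOST -> true if HOST is listed as a DNS SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}
```

A Debian-style installer hook would call gen_selfsigned_cert with the answers to its CN and admin-email questions and then point the :443 VirtualHost template at the two files it writes.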