Do you trust certificates? You probably shouldn’t.
For the Annual Security Report we investigated the public key infrastructure (PKI) on which everyday internet activities are based: e-commerce, internet banking, instant messaging and confidential e-mail. In blissful ignorance we accept it simply works. But does it?
The PKI and digital trust
We have analyzed the fundamental building-blocks of PKI to understand who we actually trust when using encrypted data transmission, such as secure hypertext transfer protocol or HTTPS for short.
What we found is alarming: digital trust is not only distributed very unevenly in a geographical sense (it is largely fixed in the US), but you also trust countries you would probably be concerned about.
Apparently, the basis of secure online communication is our trust in largely unmonitored, intransparent private organizations. And no one ever even thinks about it.
Allowing parties to identify one another with digital certificates is the basis for reliable communication, providing confidentiality through the use of encryption, data integrity and a reasonable foundation for nonrepudiation.
When trusting digital certificates, we rely upon independent CA’s who distribute them. We trust they meet certain principles and criteria to become a CA. We (end-users) play no part in the selection of CA’s and rely upon the digital certificate subscriber (owner) to choose an appropriate CA when we use their product or service for our communication. The devices we use and the software we choose come preloaded with CA’s ready to establish trust on our behalf, displaying the padlock to indicate trusted and secure communications.
So, who do you implicitly trust? And what does this mean for secure business communication?
The implications of enforcing trust
A PKI consists of all the roles, policies and procedures needed to manage (create, distribute, store and revoke) digital certificates. The implementation of these is usually governed by a territory or region, often fracturing their very principles.
Trust, however, requires reliability, consistency and transparency: the direct opposite of the evolving PKI implementation. This conflict, this real issue, is a conceptual dilemma rather than a technical flaw in the PKI, which makes it incomparably harder to fix.
CA’s are at the root of this problem. Certificates are the ID cards of the internet. But, imagine what would happen if ID cards were not issued exclusively by trustworthy government organizations, but instead by a non-transparent set of private institutions, each according to their own set of rules and agenda?
Some of them might not even exist as separate legal entities anymore, but their ID cards would still be commonly used. What would be the impact on the trustworthiness of ID cards? Would it be wise to trust a messenger with business-critical information, who relies on such an ID?
Yet this is pretty much how the PKI works today.
To investigate who we actually trust we connected to, and downloaded the full certificate chain, of every site on “The List” (top ~1 million provided by Amazon’s Alexa Traffic Ranking) by using a proprietary tool.
Trust store utilization
So, which automatically trusted CA’s are actually in use? We analyzed the percentage of each trust store utilized in The List. In the below chart, green indicates which trust store has been observed in The List. To determine the trust store utilization, we compared two values:
- A list of trusted CA’s and Root CA’s available in the vendors implemented Trust Store
- The CA’s and Root CA’s we identified as “used” after analyzing the The List
“Orphaned” CAs lingering in the system
We found that large amounts of the trusted CA’s actually are unused. Every additional CA is a potential source of risk, so this is somewhat disturbing. Microsoft, for example, hasn’t used about 72% of its trust store.
In contrast, the vendor whose trust store has the highest use percentage from The List, is Android with only 37% left unused. This is still a significantly high percentage.
Trust store certificate distribution by geolocation
The map above was produced by looking at the trust store for all sources and grouping the certificates by the country code (attribute C) defined within the certificate itself. Each country was mapped to a coordinate and drawn on the map with a circle size that proportionally represents the number of certificates in
Who is behind the CA’s?
As previously mentioned, the root certificates that identify CA’s are privately owned. Apparently, there is no regulatory instance deciding which CA’s can be trusted. While the certificates themselves are subject to a defined standard (X.509 [6.1]), the means by which a public CA authenticates its users is not. These means can vary substantially[6.2]. Two common types of verification are basic domain validation, which only verifies domain ownership. Extended validation would provide more trustworthiness, and digs deeper into the actual company that offers a website or service via HTTPS, but it is rarely used. The only instance that actually provides some kind of control over these practices, and the trustworthiness of CAs are the big four browsers: Google/Chrome, Mozilla/Firefox, Apple/Safari and Microsoft/Edge.
Adding to the intransparency, is the fact that CA’s can (and do) transfer their authority to issue certificates to subordinate CA’s (which in turn may pass it on to subsidiaries), resulting in a certificate chain. This results in a certificate chain, which can be traced back to the root. However, it does not exactly make it easier to find out if the issued certificates were actually verified to an extent that justifies the trust we place in them. Being private organizations it would also be interesting to know who actually owns them.
To illustrate the extent of obfuscation we face in that regard, we tried to investigate which company is actually behind AddTrust, the root-CA behind every third certificate we came across in The List (see the result in the full report).
Clearly there is something wrong with the infrastructure we entrust our data connections to use.
More than anything, it is obvious that it is hard to gauge who and what you are actually trusting, even if you were to look into it. You implicitly trust CA’s from geolocations you might hesitate to trust, if you had known.
CA’s themselves are organizations who may or may not reliably verify who they issue certificates to, but there is no common control authority beside the major browsers; and they simply use the power of their market-dominance to drop support for dubious CAs. Is this enough, given the critical role certificates play in secure communication?
The core of the problem is that it is highly intransparent to end users who they actually trust at all.
For example, when we trust AddTrust, one of the most common CA’s, we trust in an authority which doesn’t even exist as an organization anymore. Those root certificates were bought by Comodo, now called Sectigo. This perfectly illustrates the intransparency of the PKI.
This is most likely just the tip of the iceberg.