Creation Museum, Petersburg, KY, October 6, 2015

Authority, but not for Certificates

Governments should not be running our online security. We should be.

A little while ago I submitted a bug to Mozilla to suggest a revocation of trust for the “Staat der Nederlanden” CA. This suggestion was picked up by some (tech) media outlets and I got to read many opinions from both ends of the spectrum.

One, fairly prevalent, opinion seemed to be that the ticket was submitted “as a political statement,” or “to try to inconvenience the government.” As someone who does not support the current government I won’t deny that those things factored in. That said, there is a very real concern regarding the simple matter of trust. That remains the primary motivation.

First, let’s do a quick recap on how the green lock really works. We all know to look for it when online banking because it means “this website is secure”. But why does it?

The first reason is encryption. The green lock signifies that some sort of encryption is being used between you and the website. Of course, not all encryption is created equal while all green lock icons are, but that’s a different story.

The second is the issue at stake here. Your computer, and/or your web browser, comes preloaded with a set of certificates known as “trust anchors,” or, more commonly, as “root certificates.” Right now there are around 174 of these certificates.

Typically, these certificates are (supposed to be) kept in a secure, usually offline, location. They are usually used to certify another entity, an “intermediate.” This intermediate can be owned by the same person who owns the Root CA, or by a completely different person or entity altogether. Either way, as long as the Root CA has signed, and certified, the intermediate, a “chain of trust” is formed.

The intermediate will then typically continue to do the same thing for end-users (or, your bank). It will (or should) do some validation to ensure that hsbc.com is, in fact, owned and operated by the person requesting the end-user (or “green lock icon”) certificate. After that validation has been done a brand-new certificate is issued and your browser will know that hsbc.com is, in fact, owned by HSBC. It will know this because the intermediate said so, and it will know the intermediate is legit because the Root CA (which is on your computer) said so.

And therein lies the problem. Certificates have been incorrectly issued in the past. Validation wasn’t done correctly and certificates got given to people not affiliated with the domain they were requesting a certificate for. One such case involved Iranians being served a fake certificate for Google[1]. This allowed unknown attackers (suspected to be the NSA) to intercept and monitor hundreds of thousands of Iranian Google (Mail) users for 2+ months.

Now imagine you control a Root CA. You could certify as many intermediates as you like, and, due to the offline nature of the root certificate, nobody would be able to track this. These intermediates are all seen as “trusted” by, just about, every computer in the world because your Root CA comes pre-installed as a trust anchor.
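The chain-of-trust check described above, as an added example that is not part of the original post: a toy validator showing that a chain under any root in the trust store is accepted for any hostname, and that removing a root from the store rejects only that root's chains. The names ("Root A", "Root B", bank.example), the certificate format and the tiny textbook-RSA keys are constructed assumptions; real validation uses X.509 and full-size keys.

```python
import hashlib
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer pub is_ca sig")

def make_key(p, q, e=65537):  # toy RSA from small primes: illustration only
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(subject, pub, is_ca, n):
    data = f"{subject}|{pub}|{is_ca}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, key, issuer, issuer_key, is_ca):
    pub = (key["n"], key["e"])
    h = digest(subject, pub, is_ca, issuer_key["n"])
    return Cert(subject, issuer, pub, is_ca, pow(h, issuer_key["d"], issuer_key["n"]))

def signed_by(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert.sig, e, n) == digest(cert.subject, cert.pub, cert.is_ca, n)

def validate(hostname, chain, trust_store):
    """chain is [leaf, intermediate]; trust_store maps root name -> public key."""
    if chain[0].subject != hostname:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if not (parent.is_ca and cert.issuer == parent.subject
                and signed_by(cert, parent.pub)):
            return False
    anchor = trust_store.get(chain[-1].issuer)  # the only place a root is consulted
    return anchor is not None and signed_by(chain[-1], anchor)

def build_chain(root, root_key, inter_key, leaf_key, host):
    inter = issue(root + " Intermediate", inter_key, root, root_key, True)
    return [issue(host, leaf_key, inter.subject, inter_key, False), inter]

# Constructed keys and names; no real CA or site is modelled.
ROOT_A, ROOT_B = make_key(104729, 1299709), make_key(15485863, 179424673)
INTER_A, INTER_B = make_key(1000000007, 1000000009), make_key(998244353, 2147483647)
LEAF = make_key(32452843, 49979687)
STORE = {"Root A": (ROOT_A["n"], ROOT_A["e"]), "Root B": (ROOT_B["n"], ROOT_B["e"])}
CHAIN_A = build_chain("Root A", ROOT_A, INTER_A, LEAF, "bank.example")
CHAIN_B = build_chain("Root B", ROOT_B, INTER_B, LEAF, "bank.example")

def demo():
    reduced = {k: v for k, v in STORE.items() if k != "Root B"}  # Root B distrusted
    return [validate("bank.example", c, s)
            for s in (STORE, reduced) for c in (CHAIN_A, CHAIN_B)]

print(demo())  # [True, True, True, False]
```

Nothing in `validate` ties a hostname to a particular root, which is why the first two results are both `True`; only the contents of the trust store decide the last one.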

In case an intermediate gets caught issuing certificates for incorrect domains it is easy to shift the blame to the company or person operating the intermediate. This company may get shut down while the Root CA remains as trust anchor; after all, the Root CA can’t be blamed for another company’s failures.

In case you haven’t been clicking the links above: this has already happened with the Staat der Nederlanden CA. Its intermediate, Diginotar, was “hacked” resulting in the aforementioned monitoring of Iranian (activist) GMail users.

Today the Staat der Nederlanden CA is controlled by the Ministry of the Interior and Kingdom Relations (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, or BZK). BZK is also responsible for the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, or AIVD).

It’s easy to see where I’m going with this. The minister of BZK (Kajsa Ollongren, who served as secretary general in the Ministry of General Affairs, placing her close to Prime Minister Rutte) has direct and final authority over both Logius, the Root CA operator, and the AIVD.

There are no (effective) technical measures we can use to prevent BZK from using their Root CA to issue new intermediate certificates, or new end-user certificates. They could issue intermediate certificates for official Dutch government use to Bermudan companies and nobody would be the wiser.

Now this would be fine if we could trust BZK to not issue intermediate certificates to untrustworthy parties. Unfortunately, the new Law for the Intelligence and Security Services (Wet op de inlichtingen- en veiligheidsdiensten 2017, or WiV) was passed. This law has been described as “dystopian,” a typically hyperbolic adjective that I just can’t seem to dismiss in this case. It authorizes the AIVD (under BZK) to, among many other things, break encryption, forge cryptographic material, “hack” computers, and wiretap just about the entire Internet.

From next year BZK will be the ones wiretapping, hacking, forging, and otherwise breaking into and storing our Internet traffic. BZK. The same ministry that operates the Root CA stored, as a trust anchor, on everyone’s computers and in everyone’s browsers. Your laptop, your phone, your Echo, your television, your fridge: they all have this certificate installed and they all trust it unconditionally.

Through the new powers in the WiV, BZK will be able to redirect your Internet traffic (yes, of the 5Tbit/s flowing through the Amsterdam Internet Exchange some will be yours) to their own servers. Through their ownership of the Staat der Nederlanden Root CA they will be able to trick your computer, and you, via the green lock icon, into thinking it’s talking to any “secure” website.

GMail, Office 365, Amazon, Facebook, Reddit, private mail servers, banks, insurance companies, medical companies, etc., are all relying on this construct to keep their data secure and private. It will no longer be either of those things when BZK starts issuing certificates for the purpose of intercepting traffic.

While there are technical means to mitigate the risk they are not widely deployed or implemented by any stretch of the imagination. The solutions we (almost) have, like CT, are inadequate for the foreseeable future. We are basically still relying on a very basic, unenforceable, trust model based on promises between people and companies.

The question then comes down to: do you trust BZK in the context of the new WiV? I know that I personally can answer with an unequivocal hard ‘no’ there. Now of course other Root CAs aren’t necessarily more trustworthy, but the Staat der Nederlanden CA is in the unique position of being controlled by a group which is explicitly mandated to break into the secure and private communications of Internet users.

I hope Mozilla, and others who include trust anchors with their products, will agree with that assessment and revoke trust in this CA.

  1. Fun fact: that certificate was issued by the Dutch CA Diginotar.