certificates

🟡 INTRODUCTION/BACKGROUND
It has become *way too easy* and cheap, to anonymously (or lying about identity) register a domain name, hire or hack a server and obtain a valid DV (Domain Validated) server certificate.

Furthermore, possibly *stimulated* by the fact that most servers now use DV-certificates, (web) browsers have made it increasingly hard for internet users to view certificate details, without providing any alternatives for those users to distinguish between misleading fake and real (authentic) setvers.

A steadily increasing number of internet servers is now *anonymous* (it has been *deliberately* made impossible to reliably find out who is responsible), which has lead, and still leads, to huge amounts of unneccesary victims of phishing.

This causes enormous financial losses to individuals, companies, governmental and healthcare organizations - while most of that money flows into the pockets of criminals who often operate from regimes that are our enemies. Thereby, indirectly or directly, enriching those regimes (the rest of the stolen money flows into the pockets of hosting-, cloud- and CDN providers, as well as DNS registrars and domain name parking services).

Note: a server certificate never directly warants reliability of the owner of a domain name. However, in order to distinguish between fake and real servers or websites, it is essential that users know who is *responsible* and in which country they are established or live. Eventually, if neccessary, to be able to sue them.

🟡 From https://www.theregister.com/2024/09/03/white_house_bgp_security/:
«
White House thinks it's time to fix the insecure glue of the internet: Yup, BGP
3 Sep 2024, 22:34 utc - Thomas Claburn
[...]
"As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report (https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf) [PDF] says. "Concerns about fundamental vulnerabilities have been expressed for more than 25 years."
»

🟡 IMO, to not *first* fix WebPKI is plain *stupid* because:

➡️ If the *combination* of:
🔸 A *decent* WebPKI {1}, *and*
🔸 Improved browsers {2}, *and*
🔸 User education {3},
*enables* internet users to reliably distinguish between fake and real (authentic) servers, then the necessity for RPKI decreases enormously {4};

➡️ Apart from the fact that RPKI is fully hidden for internet users (they *neither* know whether it's used for their current IP-connections, and if that happens to be the case, *nor* how reliable the authentication of the parties involved took place), RPKI does *not* solve a much bigger problem: DNS-hijacks.

➡️ A decent WebPKI effectively mitigates the following vulnerabilities (in the order of most to least occuring):
🔸 People not knowing who is responsible for a given (often misleading) domain name;
🔸 DNS hijacks/attacks;
🔸 BGP hijacks;
🔸 AitM's {5} "near" the real server who unrightfully obtain DV-certificates.

Edited to add 2024-09-05 21:59 {
WebAuthn (as used by FIDO2 hardware keys and by passkeys) *ONLY* protects against the first vulnerability (in people who don't know that a given domain name does not belong to the apparent owner, but instead to an impostor). WebAuthn's phishing-resistance ceases to exist if a fake website obtains any type of certificate. However, while it's extermely easy for an attacker to obtain a DV-certificate, more trustworthy certificates should make that *a lot* harder.
}

🟡 {1} WHAT IS A DECENT WEBPKI
A *decent* WebPKI means that:

1️⃣ We must get rid of the current (effectively Google owned) CA/B forum, simply because server certificates exist primarily in the interest of *internet users* (not even represented in the CA/B forum) instead of it's current members: *commercial* cloud providers, browser makers, CA's (Certificate Authorities) and/or CSP's (Certificate Service Providers).

2️⃣ The world needs a new, independent, organization that supervises requirements of certificates, CA's and CSP's, as well as all requirements for (web) browsers related to certificates. For easy referencing I'll call it the WPKIF (Web Public Key Infrastructure Forum) in this toot. It is essential that internet users are strongly represented in the WPKIF. The WPKIF must be repeatedly audited by independent auditors (based on clear predefined requirements and/or controls).

3️⃣ Each *critical* server {6} *must* use a server certificate that, more or less reliably, uniquely defines the person, people or organization responsible for the server(s) (and content, security etc.) referenced by the server's domain name(s) included in the certificate.

4️⃣ The layout of server certificates needs an update to better serve internet users. Most of those users are *not* interested in technical details such as long serial numbers or hexadecimal public key values (such data must remain accessible for experienced users). So some sort of split between technical and *human readable" (not "CN=") information must be made.

5️⃣ Each server certificate must also contain a standardized indicator that reveals the *minimum* reliability of the authentication of the person, people or organization responsible for all domain names, and all servers referenced by all domain names (included in the certificate). In short: how certain is it that the owner of a website is who they claim to be.

6️⃣ Each server certificate must also contain a reference to a WPKIF website with a standardized indicator that reveals the *reliability* of the least reliable link in the chain starting at the applicable CA and ending with the CSP (including both ends plus intermediate certificates and their owners). In short: how reliable is the information in the certificate, as determined by the WPKIF.

7️⃣ The WPKIF must immediately and objectively take action against any CA, intermediate or CSP that violates the rules and requirements as defined by the WPKIF. Such by decreasing their reliability rating upto canceling their right to issue certificates.

🟡 {2} Web browsers (and perhaps other clients) must make it a lot easier for users to determine who is responsible for a server or website. IMO, at the very least when an internet user visits a website with a specific domain name *for the first time* (using that browser), *OR* when the server sends a new certificate, the browser should first show full details of the owner of the domain name *before* fetching any content - and let the user decide whether they want to continue and open the website. (Note: I've not given it enough thought how to handle third party websites - where CSS, JavaScript, images and/or analytics stuff is downloaded from).

🟡 {3} Internet users need to be educated about the importance of knowing who owns a domain name (and thus server and/or website). Browsers must play a role by offering tutorials. Current "awareness trainings" are simply insufficient (as notably Google found out, see https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html - more info, in Dutch: https://infosec.exchange/@ErikvanStraten/113045136092456532).

🟡 {4} RPKI vs WebPKI
Increasingly cybercriminals succeed into hijacking cryptocurrency websites, and they may do so by hijacking BGP and subsequently acquiring a DV certificate for their fake server (examples can be found here: https://infosec.exchange/@ErikvanStraten/112914050216821746). However, BGP hijack attacks are not easy to accomplish and often detected soon. In particular it will be hard for the attackers to obtain *trustworthy* server certificates.

🟡 {5} AitM = Attacker in the Middle. A server in a hosting center may be AitM'ed in the same center without touching the actual server itself and without requiring DNS- or BGP hijacks (because the AitM and the real server are both comnected to an internal network), as for example happened to "jabber.ru" in a German hosting center (see https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate, full details in https://notes.valdikss.org.ru/jabber.ru-mitm/).

🟡 {6} A critical server is one whose *authenticity* and/or *indistinguishability from fake sites* are important upto (thtough) essential for internet users. I don't care if a home NAS uses a DV-cert, but banks, goverments (in particular those that do *not* use a specific domain name ending, such as .gov), insurances, websites showing and/or receiving medical/patient data etc. - any server related to PII or needs to otherwise prove their identity.

🟡 MORE INFORMATION
🔸 Let's Encrypt certificates mis-issuances & ocsp ending: https://infosec.exchange/@ErikvanStraten/112914047006977222

🔸 Untrustworthy HSTS and lack of "https only" in many browsers: https://infosec.exchange/@ErikvanStraten/113045241408077702

🔸 Why awareness trainings fail (in Dutch): https://infosec.exchange/@ErikvanStraten/113045136092456532

🔸 Why the physical location of an offline service provider (like a bank office or a town hall) is a hugely underestimated authentication factor (in Dutch): https://security.nl/posting/855557

🔸 Why Google lied when they killed EV certs, and why it's insane to introduce digital identity wallets (eID's) for strong online authentication of people on the current, highly crminalized, internet, with more anonymous servers every day (in Dutch): https://infosec.exchange/@ErikvanStraten/113031344934186250

🔸 How Google became evil by facilitating cybercrime, renting them hosting services for domain names such as NNoutlook.com, NNNNoutlook.com and ecbeuropa[.]eu, even providing them with server certificates for free: https://www.virustotal.com/gui/ip-address/35.241.18.84/relations

Internet reliability needs to be restored, and further improved upon, ASAP.

#RPKI #PKI #WebPKI #InfoSec #BGP #BGPHijack #DNS #DNSHijack #Websites #Real #Fake #Authentic #Authenticity #Impostors #CABForum #Commercialization #Independant #UserRepresentatives #Certificates #DV #OV #EV #QWAC #EDIW #EUDIW #eID #eIDAS #WebAuthn #FIDO2 #Yubikey #Yubico #Titan #GoogleTitan #Feitian