CIO

State-run SSL certificate authorities make Congress nervous about web security

SSL certificates issued by state-run agencies could be influenced or abused by political motivations.
  • Ian Paul (PC World (US online))
  • 11 June, 2015 03:54

Congress is losing sleep over the possibility other nations could endanger web security, and now it wants the four major browser makers to weigh in. The House of Representatives' Committee on Energy and Commerce recently sent letters to Apple, Google, Microsoft, and Mozilla with questions about how the backbone of HTTPS security could be violated.

The concern is whether a government-owned SSL certificate authority (CA) could start issuing phony security certificates that look legitimate to browsers. Those certificates could then be used to harvest login details from social networks, corporate networks, and email accounts.

Although the SSL certificate system is generally trustworthy, there are many examples of it being compromised. The most famous came in 2011, when the certificate authority DigiNotar was hacked and malicious actors generated hundreds of fraudulent certificates for popular sites such as Google, Skype, and Yahoo.

There are numerous government-owned CAs across the globe, including in China, France, Spain, and Turkey.

Why this matters: Most users are not even aware they exist, but SSL certificates working behind the scenes are a fundamental part of the web's security model. It's not clear whether Congress could rein in the global mess that is the SSL certificate system or if this is something best left to browser makers or CAs themselves. Nevertheless, it's fascinating and a little bit shocking that lawmakers are even wading into such an esoteric part of web security.

SSL certificates in brief

When users sign in to a secure site like Gmail, Facebook, or a bank, their browser typically displays a green lock icon in the address bar next to a URL that begins with https://. That green lock appears because of the SSL certificate system working behind the scenes.

There are a number of companies around the world known as certificate authorities that are trusted to issue these legitimate SSL certificates. A website owner has to purchase a cryptographically signed SSL certificate from one of these CAs. Browsers then have a list of the CAs they are willing to trust to ensure a user is connecting to the website they think they are.

If the certificate is legitimate, then the browser will allow the user to interact with the site as they normally would. If, however, the SSL certificate for that site isn't the real deal, the browser will display a warning or block the user from accessing the site entirely.

Basically, HTTPS security hinges on trusting the CAs, which also means CAs have a lot of potential for abuse.

The risks of state-run certificate agencies

What has American lawmakers worried is that a government-owned CA could start issuing fraudulent certificates for sensitive sites like email or social networking. "A government-owned CA...may issue certificates for email providers or social media sites in order to seek out political dissent," Congress' letter said.

Hackers could then use those fake certificates to create a man-in-the-middle (MITM) attack where users think they are connecting to Google or Bank of America but are actually handing their login details over to state-sponsored hackers.

Modern browsers have methods to detect potential MITM problems even with legitimate SSL certificates, but there's still a chance some users may be fooled and have their security compromised.

To defend against this possibility, Congress is asking the major browser makers whether government-owned CAs should be restricted in the kinds of certificates they issue. Instead of being allowed to issue a certificate for any site on the web, a government CA would only be allowed to issue certificates for its specific government domain. France, for example, could only issue SSL certificates for "gouv.fr" ("gouv.fr" is the French equivalent of ".gov" for American government sites).

Then if a browser saw a certificate for Twitter coming from a French government-owned CA, the browser could automatically reject that certificate as fraudulent.
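The restriction described above already has a home in the X.509 certificate format: the name constraints extension (RFC 5280, section 4.2.1.10) lets a CA certificate carry a list of permitted and excluded DNS subtrees, and a validating browser rejects any leaf certificate whose names fall outside them. The Python below is an added illustration, not code from the article or from any browser vendor; it models that check over a constructed trust store with made-up CA names (the "FR Government CA" and "Distrusted CA" entries are hypothetical), alongside the CA blacklisting the article discusses later. It follows the RFC 5280 matching rule for DNS names: a constraint of gouv.fr covers gouv.fr itself and any name built by adding labels on the left, such as impots.gouv.fr, but not gouv.fr.example.net.

```python
"""Toy model of a browser's name-constraint and CA-blacklist check.

Added example: the trust store, CA names and host names below are
constructed for illustration and do not correspond to real CAs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedCA:
    """One root in the browser's trust store."""
    name: str
    permitted_dns: tuple = ()   # empty tuple means unconstrained
    excluded_dns: tuple = ()    # excluded subtrees win over permitted ones
    distrusted: bool = False    # True once the CA has been blacklisted


def dns_name_within(name: str, constraint: str) -> bool:
    """RFC 5280 DNS-name subtree test.

    `constraint` matches itself and any name formed by prepending labels.
    A leading "*." on the certificate name (wildcard cert) is stripped so
    that "*.gouv.fr" is judged by the domain it covers.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)


def evaluate_certificate(issuer: str, dns_names, trust_store) -> str:
    """Return "accept" or a "reject: ..." reason for a leaf certificate.

    `issuer` is the name of the CA that signed the leaf, `dns_names` the
    leaf's subject alternative names. Signature checking is assumed to
    have passed already; this function only applies trust-store policy.
    """
    ca = trust_store.get(issuer)
    if ca is None:
        return "reject: issuer is not in the trust store"
    if ca.distrusted:
        return f"reject: {issuer} has been blacklisted"
    for host in dns_names:
        if any(dns_name_within(host, c) for c in ca.excluded_dns):
            return f"reject: {host} is in an excluded subtree of {issuer}"
        if ca.permitted_dns and not any(
            dns_name_within(host, c) for c in ca.permitted_dns
        ):
            return f"reject: {host} is outside the name constraints of {issuer}"
    return "accept"


# Constructed trust store: one unconstrained commercial CA, one
# government CA limited to its own domain, and one blacklisted CA.
TRUST_STORE = {
    ca.name: ca
    for ca in (
        TrustedCA("Example Commercial CA"),
        TrustedCA("FR Government CA", permitted_dns=("gouv.fr",)),
        TrustedCA("Distrusted CA", distrusted=True),
    )
}


if __name__ == "__main__":
    checks = [
        ("FR Government CA", ["impots.gouv.fr"]),
        ("FR Government CA", ["*.gouv.fr"]),
        ("FR Government CA", ["twitter.com"]),
        ("FR Government CA", ["gouv.fr.example.net"]),
        ("Example Commercial CA", ["twitter.com"]),
        ("Distrusted CA", ["mail.example.com"]),
        ("Unknown CA", ["mail.example.com"]),
    ]
    for issuer, names in checks:
        print(f"{issuer:24} {names[0]:24} -> "
              f"{evaluate_certificate(issuer, names, TRUST_STORE)}")
```

The key design point is that the decision is made from the issuing CA's own constraints rather than from a list of forbidden sites, so a constrained government CA cannot mint a usable certificate for any host outside its domain no matter how the leaf is crafted; the blacklist branch, by contrast, only helps after a compromise has been noticed.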

Although Congress doesn't come out and say it, U.S. lawmakers are likely worried that nations like China, Iran, and Russia may try to carry out these kinds of attacks in their respective countries, as well as against U.S. interests.

Experts debate the consequences

While Congress ponders the problems with SSL certificates, security experts have also been debating the effectiveness of placing restrictions on CAs, including privately owned certificate issuers. "This is an idea that people have discussed for a long time," said Matthew D. Green, a cryptographer and research professor at Johns Hopkins University. "If it was implemented correctly it would certainly help to protect against some of the really, really bad compromises we've seen."

Kenneth White, security researcher and co-director of the Open Crypto Audit Project, isn't as convinced that a scheme like this could work. Nevertheless, he says, something needs to change. "The public CA trust system is already fundamentally broken according to many of us in the security world," White said. "I'm not sure if regulation is the right way versus the trust organizations themselves doing some sort of policing."

Currently, when fraudulent certificates start appearing online they are invalidated relatively quickly by all the major browser makers, though not always. In extreme cases, like the DigiNotar hack, all certificates from that CA are blacklisted and the company may go out of business.

Although effective, the problem with blacklisting is that a fraudulent SSL certificate can still be in use for some time before anyone notices. Plus, says Green, browser makers are generally hesitant to blacklist an entire CA since it will break numerous websites around the world that people use every day.

Congress also isn't convinced that blacklisting would stop rogue certificates from being issued by a government-run CA. Hence the idea of restricting the type of legitimate certificates that a CA could issue.

The browser makers have until Tuesday, June 23 to respond to Congress' letter. We'll have to see what the browser makers say in the coming weeks and whether Congress will (or even can) act on its concerns.