So it looks like the Flying Pig Program has been forging digital certificates too.
I hope nobody was surprised that a well-funded spy agency with unfettered access to the internet backbone would think to use the root CA attack vector.
I’d be kind of surprised if they didn’t.
In Web Server Authentication Is Still Broken, I gave an overview of some of the major efforts that are attempting to close the gap and make MitM TLS attacks like this much harder for the bad guys. And let’s be clear: No matter who you think the bad guys are, you can bet they’re still trying to exploit this weakness today: It’s low hanging fruit and almost everyone is vulnerable.
In the next two to three years, I think browsers and servers are going to get better at key pinning (HPKP and/or TACK), and I hope other CAs will follow GlobalSign’s lead and commit to the Certificate Transparency Framework. These things will help tremendously.
But what if you want better protection now? There’s one approach you can use in Firefox today without installing any new software or browser plugins: Trust On First Use.
Trust On First Use (TOFU)
The idea behind TOFU is that you verify the identity of a site the first time you connect, and thereafter, you just make sure it doesn’t try to identify itself differently. The most practical way to do it with browsers today is through the use of certificate fingerprints. It’s similar in concept to key pinning, but with certificates.
First off, you need a browser that gives you the ability to do both of these things:
- Untrust all certificate authorities.
- Manually accept new certificates.
A disappointing number of them don’t. Firefox does.
Un-Anchoring Yourself in Firefox
Distrusting the default root CAs is not something any browser makes easy. On the surface, that would seem like a good thing, since users might do something dangerous. I’m more inclined to think that the danger is that users are being shielded from something they ought to know more about, since it severely impacts their actual risk.
Enough proselytizing. Here’s how to un-root yourself in Firefox.
First, turn off OCSP checking. This is the protocol implemented in recent versions of Firefox that attempts to contact the CA in order to determine if a certificate has been revoked. You’re no longer trusting the CAs, so you might as well distrust them fully. Go to Preferences -> Advanced -> Encryption -> Validation and un-check the first option.
Second, you’ll want to remove the built-in roots:
Method 1: Temporary Hack
- Go to Preferences -> Advanced -> Encryption -> Security Devices
- Select Builtin Roots Module and click Unload
The module will be unloaded for this session, but when you restart Firefox, it will come back again. I think that’s a feature.
Method 2: Permanent Hack
- Go to Preferences -> Advanced -> Encryption -> Security Devices
- Select Builtin Roots Module and note the path.
- Shut down Firefox
- Go find that file, libnssckbi.so, and move or rename it (moving it back later and restarting Firefox will bring the default roots back)
- Start Firefox
Method 3: The Right Way, Which Takes Forever and Can’t Easily Be Undone
- Go to Preferences -> Advanced -> Encryption -> View Certificates
- Go to the Authorities tab, and for each authority (the indented ones in the list):
  - Click Edit Trust, then de-select This Certificate can Identify Websites
Finally, if you have any custom root CAs installed, remove them through the View Certificates -> Authorities dialog.
Manually Accepting New Certificates
From now on, when you first visit any HTTPS site, if you haven’t previously accepted its certificate, you’ll see the big scary certificate warning that everyone ignores.
Before clicking through, read this: Manually Verifying TLS Fingerprints.
Seriously. You really should verify the fingerprint of every single new HTTPS site you encounter if you’re going to use the TOFU approach. Not doing so is putting yourself at a lot more risk than you would have been if you had just trusted the default CAs.
Browsers today aren’t really designed around the TOFU approach, so it shouldn’t come as a surprise that some friction comes with the territory.
Here are a few problems you might run into if you go down this road:
- Some certificates don’t show the “I Understand the Risks” option. I haven’t been able to track down the cause, but it seems to consistently happen with the www.grc.com certificate. If you run into this, here’s how to get around it:
  a) Go to Preferences -> Advanced -> Encryption -> View Certificates -> Server tab.
  b) Click Add Exception (if you don’t have this, make sure you’re running the latest Firefox).
  c) Enter the host, click Get Certificate, then View.
  d) Click Export, and save the cert to a local file.
  e) Close dialogs and click Cancel until you’re back at the main Certificates dialog.
  f) Click Import and select the exported file.
  g) Select the cert in the list, click Edit Trust, and select Trust the Authenticity of this Certificate.
- If a page you’re viewing doesn’t work or seems to have missing components, that’s probably because it refers to components from HTTPS hosts whose certificates you haven’t accepted yet. To find what those are, go to Tools -> Web Developer -> Error Console -> Messages. You should see one or more messages like “The certificate is not trusted..”. Go ahead and enter https:// followed by the hostname shown in the message in your urlbar. Now you should get the certificate warning page. Once you’ve validated the fingerprints for yourself, reload the original page and the embedded resources should resolve.
- As noted in Manually Verifying TLS Fingerprints, when fingerprints don’t match, sometimes that can be for a legitimate reason: the site uses a cluster of servers, each with a different certificate. This works fine when you’re using the CA model because your browser just checks that the signature on each certificate is trusted. But it makes a certificate-centric approach less practical.
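The TOFU check this post describes, including the multi-certificate cluster case from the last item above, written out as an added example (not code from the original post or from Firefox). `TofuStore`, the choice of SHA-256 fingerprints and the host name are assumptions for illustration, and the certificate bytes are constructed stand-ins rather than real certificates.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as certificate viewers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def hex_only(fp: str) -> str:
    """Drop colons, spaces and case so a hand-typed fingerprint compares cleanly."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")

class TofuStore:
    """Hypothetical pin store: host -> set of fingerprints the user accepted."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, der_cert: bytes) -> str:
        """Classify a presented certificate; never modifies the store."""
        known = self.pins.get(host)
        if known is None:
            return "first-use"   # nothing pinned yet: verify before accepting
        if fingerprint(der_cert) in known:
            return "match"
        return "mismatch"        # forged cert, renewal, or another cluster node

    def accept(self, host: str, der_cert: bytes, verified_fp: str) -> str:
        """Pin only when the presented cert equals the fingerprint the user
        verified through an independent channel."""
        seen = fingerprint(der_cert)
        if hex_only(seen) != hex_only(verified_fp):
            raise ValueError(f"{host}: presented {seen} is not the verified fingerprint")
        self.pins.setdefault(host, set()).add(seen)
        return seen

# Constructed stand-ins for DER certificate bytes (not real certificates).
NODE_A = b"constructed certificate: example.test node A"
NODE_B = b"constructed certificate: example.test node B"
FORGED = b"constructed certificate: example.test issued by a rogue CA"

def demo():
    store = TofuStore()
    out = [store.check("example.test", NODE_A)]       # first-use
    store.accept("example.test", NODE_A, fingerprint(NODE_A).lower())
    out.append(store.check("example.test", NODE_A))   # match
    out.append(store.check("example.test", FORGED))   # mismatch
    out.append(store.check("example.test", NODE_B))   # mismatch until verified
    store.accept("example.test", NODE_B, fingerprint(NODE_B))
    out.append(store.check("example.test", NODE_B))   # match
    return out
```

A mismatch alone cannot distinguish a counterfeit certificate from a second cluster node; only the out-of-band fingerprint passed to `accept` does, which is why `check` never pins anything by itself.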
The TOFU model doesn’t scale and therefore isn’t really practical for casual browsing. However, with careful and limited use, it can provide you with better protection against counterfeit certificates than is possible with most browsers as shipped today.
I’d be interested to hear if anyone else is doing this…especially with other browsers. I’ve seen a couple reports like this on the web, but no evidence of widespread use.
Finally, if you do find yourself TOFU’ing with Firefox, you might also want to check out HTTP Nowhere. When active, it blocks all non-HTTPS URLs by default.