Internet users have been shaming Lenovo for shipping the SuperFish adware on their flagship ThinkPad laptops. SuperFish was inserting itself into the end-users’ SSL sessions with a certificate whose key has since been discovered (fascinating write-up by @ErrataRob here).
Clearly the certificate used by SuperFish is untrustworthy now. Browsers and defensive systems like Microsoft Windows Defender are marking it as bad. But for most certificates the status isn’t entirely as clear. Yes there are “extended validation certifications” that give your browser a green bar, but that’s just a small fraction of the Internet. What makes the rest of the certificates trustworthy? It’s worth a look to take a step back and consider them in the aggregate.
Stay with me for a minute. This is neat, I promise.
Observable life is made up of strands of DNA. In humans, over 90% of these strands are not coded to express proteins, so they can’t “do” anything. Geneticists have pejoratively named the stuff “junk DNA.” A few interesting wiki facts about junk DNA: the male chromosome has a much higher rate of junk DNA. But it also has a lower rate of entropy (speaking of entropy, see my previous column). Some species of plants are evolving to rid themselves of junk DNA; the carnivorous bladderwort has slimmed down to only 3% junk DNA. Human junk DNA looks to be relatively stable at 90%, increasing slightly in the coming generations. It is sort of strange isn’t it—the programming of humanity, and much of it is junk.
Observable Internet encryption is largely made up of SSL servers listening on port 443. On the Internet, approximately 40% of these servers have so-called “self-signed” certificates. A “real” certificate (trusted by your browser) is signed by a trusted third party called a certificate authority: VeriSign, Comodo, GlobalSign, GoDaddy are a few of the tier 1 providers. But a server whose certificate is signed with its own key is called self-signed and is considered untrustworthy. It is sort of strange, isn’t it, that there’s all this software that can perform sophisticated encryption on the Internet, yet much of it is junk.
In mid-2015, the Electronic Frontier Foundation (EFF) will be launching a free, open Certificate Authority called “Let’s Encrypt” with an aim to reducing the stumbling blocks that prevent us from “encrypting the web.” Once it is active, new websites can get signed certificates automatically [programmatically through a protocol called ACME], without paying any fees or even registering with a third party.
If Let’s Encrypt succeeds, will self-signed certificates go extinct?
I’m guessing no. I’ll explain why, and why I think that’s not necessarily a bad thing.
There are three reasons certificates are self-signed. Let’s think about how Let’s Encrypt might change the situation for each.
The first and most quantitative reason for self-signing is because real certificates cost real money. A world-class “extended validation” certificate, perhaps used by a global financial institution and trusted by every browser, might cost $1,000 per year. So it’s no wonder that there are over 10 million sites with self-signed certificates, right? These sites would represent $10 billion in subscriptions per year if they all had real certificates.
Will Let’s Encrypt pose a threat to the tier 1 commercial certificate authorities? Probably not, because there are already bargain certificate vendors who provide no frills, no-questions-asked certificates for $5 per year or even less. Yet, the tier 1 certificate authorities appear to provide enough value to their customers to command tier 1 prices. It seems more likely that Let’s Encrypt might drive the bargain certificate authorities out of business because their consumers are exactly the type of people who are looking for encryption and protection without a large cost.
The two other reasons that a web address might be using a self-signed certificate are apathy and ignorance. Is there a difference? I don’t know and I don’t care! (Just kidding, there is a difference.)
One of the most common scenarios resulting in a self-signed certificate is when a new device like a router or webcam gets deployed in a small network. The software in the device supports HTTPS (and not HTTP, otherwise it would set off all kinds of compliance alerts) but it is up to the user to get a real certificate (from a certificate authority) and stick it on there. Unless the user is a security professional of some kind, they probably aren’t going to get a certificate for their device, regardless of the price. They are trying to solve a connectivity problem, and they don’t really care about the security of the solution.
So, will Let’s Encrypt solve the problem of user apathy? Ha, ha, we don’t even really need to answer that, do we? (Of course it won’t.)
Ask a penetration tester or DAST vendor, and they’ll tell you that a huge number of devices on the Internet were never meant to be there in the first place. The people who deployed them either segmented their network improperly, or they configured the management interface to listen on all interfaces. To see how often this really happens, you don’t have to look any further than the infamous SHODAN search engine, which can find weird devices on the Internet based on their HTTP headers.
Will Let’s Encrypt fix all these routers and webcams? No, because their owners aren’t security-aware and probably don’t even know that their device is facing the Internet. If you were to pick a tool to help the situation, it wouldn’t be Let’s Encrypt, it would be, well, SHODAN.
I predict that Let’s Encrypt probably won’t make a huge impact on the number of self-signed certificates out there, and maybe that’s not a bad thing.
When you try to visit a site with a self-signed certificate, your browser complains loudly. Chrome and Firefox warn you several times against it and make you click through several “Are you Sure?” buttons. You, as the user, definitely get the signal (or, at least, you should) that whoever set up the site does not care about security. This is an important data point for you.
If somehow every site magically got a signed certificate because it was automatic, you, the user, wouldn’t necessarily get that data point, because your browser wouldn’t alert you to a problem. So, it might seem that those 10 million web addresses had the same security posture as the sites with legitimate certificates.
Will Let’s Encrypt Succeed?
Even though Let’s Encrypt has no apparent business model, let’s suppose for a minute that it gets some market share. Over time, vendors might trust its longevity enough to build support into their routers, webcams, and other devices. When their end-user customers set up the device, it would automatically certificate-fetch from Let’s Encrypt. That’s the only world in which self-signed certificates might become a thing of the past. But that world is years away. So like the junk DNA within all of us, I predict that self-signed certificates will live on for at least a few more generations.