Government-Linked Certificate Authorities in OS X

<i>None of them appear in my Windows PC (Windows 7)…A Windows 7 PC has 38 Certificate Authority certificates installed. My Mac OS X Yosemite has 217 Certificate Authority certificates installed.</i><p>This is a poorly-reseasrched comparison, because Windows downloads root certificates when they are first encountered (see <a href="http://support.microsoft.com/kb/931125" rel="nofollow">http:&#x2F;&#x2F;support.microsoft.com&#x2F;kb&#x2F;931125</a>).<p>&quot;When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S&#x2F;MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. &quot;<p>This means that Microsoft can add a new root certificate to a user&#x27;s system at will.<p>I&#x27;d argue that this is actually <i>much less secure</i>, given that by default a Windows machine has an unauditable list of root certs, which change based on what Microsoft supplies. That means that a third-party (let&#x27;s say a government) can force Microsoft to add an arbitrary root cert to the list, and a user&#x27;s machine will blindly accept certificates signed by it!<p>Of course the entire model is broken, if you are looking for un-crackable end-to-end security.

Most of the certs listed in the blog post are in Mozilla&#x27;s trust store[1] and in Windows trust store[2] as well.<p>[1] <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/" rel="nofollow">https:&#x2F;&#x2F;www.mozilla.org&#x2F;en-US&#x2F;about&#x2F;governance&#x2F;policies&#x2F;secu...</a><p>[2] (PDF) <a href="http://download.microsoft.com/download/1/5/7/157B29AB-F890-464A-995A-C87945B28E5A/Windows%20Root%20Certificate%20Program%20Members%20-%20Sept%202014.pdf" rel="nofollow">http:&#x2F;&#x2F;download.microsoft.com&#x2F;download&#x2F;1&#x2F;5&#x2F;7&#x2F;157B29AB-F890-4...</a>

I&#x27;m not sure that this is particularly interesting news. For starters, when &quot;the government&quot; wants to spy on you, they generally want to do so in such a way as to not reveal that they are doing so - using their own CA is a big tell that something fishy is going on (yes, only if you have the know-how and inclination to do so, but I&#x27;m thinking that this is probably the case for most people trying to keep secrets from the government).<p>No, if they want to hack your SSL comms, they aren&#x27;t going to do it by using a MITM attack backed by a government-issued root CA, they are going to do it by gaining access to a &quot;neutral&quot; CA (such as Verisign), and obtaining the root certificate&#x27;s private key. Now you would have a much harder time of figuring out that something has gone wrong, but then, if you&#x27;re paranoid of the government spying on you, and you are using a CA other than one you own yourself, you&#x27;ve already lost the battle.<p>Trust is a Hard Problem(tm) to solve. Without using Certificate Authorities that you don&#x27;t personally know, it is difficult to create a sufficiently trusted network. I think the best attempt at a description of such a system that I have seen is in Cory Doctorow&#x27;s &quot;Little Brother&quot; (<a href="http://craphound.com/littlebrother/download/" rel="nofollow">http:&#x2F;&#x2F;craphound.com&#x2F;littlebrother&#x2F;download&#x2F;</a>), but even there it seems to me that there were numerous problems for scaling, or even just avoiding invaders.<p>All of which is to say that certificate-based technology couple with CAs that you don&#x27;t control is not a solution against state-level adversaries. Which in turn makes this entire article fear-mongering rather than a real discovery of a potential threat. In a more cynical mood, I might wonder about the author&#x27;s motives, was this an attempt to distract away from the fact that the main CAs are not secure against state actors?

&quot;You think your HTTPS connection is securely encrypted, but wait, couldn’t the U.S. government generate a brand new fake certificate, give it to the NSA, and then serve that to you? Your web browser won’t raise any alarm bells. The SSL certificate is valid, and it is signed by a Certificate Authority that is trusted by your computer.&quot;<p>I think it&#x27;s highly unlikely that they&#x27;d do that, as there&#x27;s a chance that the fake certificate could be used as evidence against them later. A valid certificate for google.com signed by the US Govt CA would raise a few eyebrows.<p>If the NSA really wants to MitM you, it wouldn&#x27;t surprise me if they had backdoor access to the real GeoTrust Global CA, either by bribery, National Security Letter or even &quot;dark arts&quot; that the real GeoTrust knows nothing about.

&gt; I’ve been sitting on this information for some time, waiting to get more research done before I publish a post.<p>You&#x27;ve been sitting on common knowledge for some time? Research into what?<p>Sorry but this is a very well known issue with HTTPS that has been discussed in depth for the last few years, in particular with people suggesting alternatives and improvements to HTTPS (like certificate pinning, Convergence[0], etc).<p>The fact the author thinks they have found some type of unknown or smoking gun says more about the author than anything. I mean heck you can go back and find tons of examples of root CAs &quot;mistakenly&quot; generating fake certificates for things like Google or Windows Update. You can also read about entire countries being victim of it [1].<p>[0] <a href="http://convergence.io/" rel="nofollow">http:&#x2F;&#x2F;convergence.io&#x2F;</a> [1] <a href="http://www.bbc.com/news/technology-14789763" rel="nofollow">http:&#x2F;&#x2F;www.bbc.com&#x2F;news&#x2F;technology-14789763</a>

We should come up with a scheme where certificates are signed by multiple CAs (or you have several cross-linked certificates). If one signature changes but not the others, you know something is wrong [1]. It would be beneficial to use CAs from different political blocks, like one from the US, one from China, and one from the EU, to reduce the risk of collaboration.<p>Of course, a MITM attacker would just strip all certificates and send only theirs along, so you have to have a way to enforce multiple signatures from different blocks. Maybe a httpss url scheme or something.<p>[1] Something like: <a href="http://security.stackexchange.com/questions/6926/multiple-cas-signing-a-single-cert-csr" rel="nofollow">http:&#x2F;&#x2F;security.stackexchange.com&#x2F;questions&#x2F;6926&#x2F;multiple-ca...</a>

This is not news. The CA system is broken by design. It&#x27;s been this way from the start. Not just on OSX but on all platforms.<p>Your browser blindly trusts a list of a few hundred CA&#x27;s, any of which can impersonate any SSL site you visit at any time (except for the chosen few that use certificate pinning)<p>Many of the biggest CA&#x27;s (e.g. Verisign) are under government control.

When scanning through the list of CAs on my machine, so many of them sound like unknown entities who I have no idea whether or not to trust. So it&#x27;s difficult deciding whether I should remove any of them or not.<p>What would really help in this would be to know if any of these CAs have signed certificates for popular websites. Rightly or wrongly, I&#x27;d trust a CA who has certificates in active use by many sites over an obscure foreign (or not?) government CA who doesn&#x27;t seem to sign any certificates that I&#x27;d normally interact with. After all, if suddenly one day ycombinator.com&#x27;s site appears to be now signed by an obscure CA, I should probably be worried.<p>So, is there any way to map a given CA to the subset of the top 1000&#x2F;10000&#x2F;whatever number of websites that have certificates signed by it? Surely some webcrawlers must have indexed a large number of site certificates and have the data to build such a database.

I don&#x27;t know why people trust companies more than governments. Both can be large and powerful.<p>Also I find it highly unlikely that these certificates get abused:<p>- Those certificates are from other branches of the government. They won&#x27;t like the NSA abusing their certificates.<p>- When abuse of these signatures gets detected it would be a big scandal. It&#x27;s way more easy and stealthier to steal the keys of a intermediate CA.

The OSX trusted root can be viewed with the Keychain Access tool. I&#x27;ve removed a lot of CAs I don&#x27;t trust.<p>There is also (at least one) a project that tracks changes in trust stores in OS:es, Java, browsers:<p><a href="https://github.com/kirei/catt" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;kirei&#x2F;catt</a><p>(I am one of the authors.)

The problem is trust and given the current SSL authority scheme, can not be solved.<p>It&#x27;s a choice that users must do, not the OS. I don&#x27;t blame computer manufacturers for adding these certs to their systems, they try to make browsing as easy as it gets. Theoretically speaking, the government is <i>your friend</i>. Practically speaking, if you&#x27;re into any business that requires extra security, you need to take control of your OS at much deeper level, which probably means running something Open Source and manually checking the certificates that came along with your system and your browsers.

Here is the list as presented by Apple at their website: <a href="http://support.apple.com/en-us/HT202858" rel="nofollow">http:&#x2F;&#x2F;support.apple.com&#x2F;en-us&#x2F;HT202858</a>

I&#x27;ve written a simple script to remove these from OSX: <a href="https://github.com/sammcj/delete-unknown-root-ca" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;sammcj&#x2F;delete-unknown-root-ca</a><p>Pull requests welcome, Don&#x27;t run unless you know what you&#x27;re doing, YMMV etc....

There&#x27;s an open bug report about adding the Federal Common Policy CA to Firefox: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=478418" rel="nofollow">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=478418</a>

Crap article makes many mistakes , windows has near 400 not 38 , and there identical between OS&#x27;s so seems kinda worthless.

I could see another weaker but immediately implementable approach to just issueing a list of domain-root certificate maps that someone would have to manage :<p>Why couldn&#x27;t browser issue a warning whenever the root CA for a known domain has changed compared to previous browsing sessions ? I suppose MITM attack are targeted and probably depends on the network you&#x27;re using. If there&#x27;s a difference between the root certificate for google.com when surfing with your laptop at home or from the office, then there&#x27;s probably something wrong.<p>It&#x27;s a bit similar to what ssh is doing with cert&#x2F;ip associations.

With certificate pinning, the chances that malicious use of certificates by rogue CAs goes undetected have decreased a lot.<p>For Firefox, use CertPatrol:<p>• <a href="http://patrol.psyced.org/" rel="nofollow">http:&#x2F;&#x2F;patrol.psyced.org&#x2F;</a><p>• <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/" rel="nofollow">https:&#x2F;&#x2F;addons.mozilla.org&#x2F;en-US&#x2F;firefox&#x2F;addon&#x2F;certificate-p...</a><p>Also, a few websites are starting to use DNSSEC with TLSA and DANE. There&#x27;s also a Firefox plugin for that at <a href="https://www.dnssec-validator.cz/" rel="nofollow">https:&#x2F;&#x2F;www.dnssec-validator.cz&#x2F;</a>

The biggest problem with MITM is not interception it is potential manipulation. Despite being a clear violation of your constitutional rights we must look beyond this at what is clearly the bigger issue: can we trust the legitimacy of any information encoded into a digital form when organizations such as the NSA and FBI have immense amounts of power to tamper with connections. Evidence can clearly be misrepresented, manipulated, or even planted on unsuspecting Americans by our government or other foreign governments.

It&#x27;s technically illegal for the NSA to intercept the Internet traffic of American citizens, but that doesn&#x27;t mean the US Government can&#x27;t supply certificates to GCHQ and company.

I always remove Turkish govermental certificates from all of my browsers&#x2F;devices.

Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.<p><a href="http://perspectives-project.org/" rel="nofollow">http:&#x2F;&#x2F;perspectives-project.org&#x2F;</a>

Why doesn&#x27;t the browsers collect information from its users (if they agree to it) about which CAs are used by which domains - and display a strong warning if a different CA than the norm tries to issue a certificate?

The article is somewhat wrong in that for google.com in particular the browser would show an HSTS warning and disallow access completely, as it is a pinned cert.

Why not use the blockchain model for decentralized CAs in place of trusted CAs?

iOS uses government certificates, too.

These problems in SSL and the kludges in HTTP&#x2F;2 to avoid connection overhead would be greatly reduced by moving to a proper dnssec, ipsec, and tcp reimplementation.

&gt; Sidenote: A Windows 7 PC has 38 Certificate Authority certificates installed. My Mac OS X Yosemite has 217 Certificate Authority certificates installed.<p>Windows 7 was released 5 years ago. Might be more relevant to compare to Windows 10 given that Yosemite is updated quite regularly.