Everyday Crypto #007 – The Certificate Authority System is Broken

The certificate authority system is broken.  It has grown too large and involves too many people and organizations to provide real security.  While it’s still better than not having it at all, the amount of security it really provides diminishes every day.

Where are these 3000 CA keys?

source: https://jhalderm.com/pub/papers/https-imc13.pdf

“We observed 3,788 browser-trusted signing certificates between April 2012 and August 2013 of which 1,832 were valid on March 22, 2013. All but seven of these signing certificates can sign a valid browser-trusted certificate for any domain.”

“These 1,832 signing certificates belong to 683 organizations and are located in 57 countries.”

“We were surprised to find that religious institutions, museums, libraries, and more than 130 corporations and financial institutions currently control an unrestricted CA certificate. Only 20% of organizations that control signing certificates are commercial CAs.”

In the video I talk about 3000 CA keys: most organizations hold multiple keys, and 683 different organizations control the 3000+ keys.  Most of those 683 organizations are not well equipped to secure the information they hold.

[Updated 8/29/2014]

Further proof that CAs are not doing their jobs: http://news-beta.slashdot.org/story/14/08/29/2019251/mozilla-to-support-public-key-pinning-in-firefox-32
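Public key pinning, the mitigation the Mozilla link above concerns, lets a site narrow trust from every one of those 683 organizations down to the keys it actually uses. The following is an added example, not code from this post or from Mozilla: it computes SPKI pins in the RFC 7469 (HTTP Public-Key-Pins header) form, parses such a header, and applies the client-side rules for noting pins (at least one pin must match the served chain and at least one must be a backup that does not). The SPKI byte strings are constructed stand-ins; real pins are computed over a certificate's DER-encoded SubjectPublicKeyInfo.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each certificate
# in a served chain, leaf first. In practice these bytes come from the
# certificates themselves; here they are assumptions for the demo.
CHAIN_SPKIS = [
    b"constructed-leaf-spki",
    b"constructed-intermediate-spki",
    b"constructed-root-spki",
]
BACKUP_SPKI = b"constructed-offline-backup-spki"  # key kept offline for recovery

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(header: str) -> dict:
    """Split a Public-Key-Pins header into its pins and directives."""
    pins, max_age, include_sub = [], None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def chain_matches_pins(pins, chain_spkis) -> bool:
    """Pin validation: pass if ANY key in the chain matches ANY noted pin.
    A cert mis-issued by an unrelated CA carries none of the pinned keys."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)

def may_note_pins(parsed: dict, chain_spkis) -> bool:
    """Noting rules: max-age present, at least one pin matches the served chain,
    and at least one does not (a backup pin, so a lost key is recoverable)."""
    if parsed["max_age"] is None or len(parsed["pins"]) < 2:
        return False
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return (any(p in chain_pins for p in parsed["pins"])
            and any(p not in chain_pins for p in parsed["pins"]))

def build_header(*spkis: bytes, max_age: int = 5184000) -> str:
    """Produce the header a site would send for the given keys."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}; includeSubDomains"
```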

Further Reading:
