Everyday Crypto #007 – The Certificate Authority System is Broken

The certificate authority system is broken.  It has grown too large and involves too many people and organizations to provide real security.  While it’s still better than not having it all, the amount of security it really provides is diminishing every day.

Where are these 3000 CA keys?

source: https://jhalderm.com/pub/papers/https-imc13.pdf

“We observed 3,788 browser-trusted signing certificates between April 2012 and August 2013 of which 1,832 were valid on March 22, 2013. All but seven of these signing certificates can sign a valid browser-trusted certificate for any domain.”

“These 1,832 signing certificates belong to 683 organizations and are located in 57 countries.”

“We were surprised to find that religious institutions, museums, libraries, and more than 130 corporations and financial institutions currently control an unrestricted CA certificate. Only 20% of organizations that control signing certificates are commercial CAs. “

In the video I am talking about 3000 CA keys, most organizations have multiple keys and 683 different organizations control the 3000+ keys.  But out of that 683 organizations most of them are not well equipped to secure the information they hold.

[Updated 8/29/2014]

Further proof CA’s are not doing their jobs: http://news-beta.slashdot.org/story/14/08/29/2019251/mozilla-to-support-public-key-pinning-in-firefox-32

Further Reading:

Introduction

I’m creating a new blog / Youtube channel to discuss crypto currency, computer security, electronics, etc or whatever I think is cool at the time.  The last 2 years or so i’ve been obsessed with Bitcoin and and other crypto currencies.  With all the reading and searching I do I thought I could share my thoughts and knowledge with others through this blog.  I wouldn’t call myself an expert as there are plenty of people who know more than I but think I do have some good ideas to share.  I’ll give a little shoutout to Dave Jones over at the EEV Blog as his constant recommendation to just put something out there is a big reason i’m doing this.   I’m going to just put out some videos / blog posts and see if anyone is interested.