“A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don’t even do that much.” ~ Matt Blaze AD 2010

Public Key Infrastructure (pki) for secure hypertext transfer protocol (https) has been compromised by “captive certificate authorities” who supply fake certificates for man-in-the-middle attacks to law enforcement officers (leos) and spy agencies. It has been going on for a very long time. For example, in AD 2011 an unknown attacker completely compromised DigiNotar and after obtaining full administrative access to all critical certificate authority systems, issued rogue certificates for numerous domains. Over 500 fake certificates were detected, but the full extent of the breach remains unknown. A rogue wildcard certificate for google.com was used for mass interception of traffic from Iranian citizens. It seems most likely that the unknown attacker had a spy agency relationship, either as an operative or as a contractor, given the use of the rogue cert for intercepting Iranian traffic from ordinary users.

You’re out there confused, aren’t you? Let’s take it a bit more slowly.

Certificate Authorities

In web security, a certificate authority (CA) is a trusted third-party organisation that issues digital certificates to verify the identity of websites, servers, and other entities. CAs are a crucial though largely tenuous link in the process of establishing trust online, enabling secure connections (like https) by validating an entity’s identity and digitally signing its certificate, which includes the public key for encryption. They are meant to help prevent fraud, ensure data confidentiality, and authenticate users or software.

Who issues most of the certificates? Just seven companies, so, a cartel, arguably operating in restraint of trade. They are Internet Security Research Group (ISRG) - the people behind the Let’s Encrypt movement, DigiCert, Sectigo (formerly Comodo), Google, GoDaddy, Microsoft, and IdenTrust. These seven outfits issue 99% of all certificates. Happily, ISRG security certs are available for free in many cases.

Now, you might be thinking that Comodo is a nice name, and you might even remember being solicited to buy a Comodo security cert if you ever started a web site and were smart enough to avoid GoDaddy for domain name registration. (I have profoundly bad experiences with GoDaddy.) Comodo is easier to say than Sectigo and should remind you of the friendly Komodo dragon which ambushes and lacerates its live prey before eating it in big chunks.

So why change the name? Well, Comodo is the Union Carbide battery of certificate authorities. What’s that you say? You have vague recollection of Union Carbide as the crazy outfit that killed at least 3,800 people and exposed about 500,000 people to deadly toxins in 1984, possibly one of the deadliest industrial accidents in human history. If you are really old, you might recall a battery called “Eveready” which had a black cat walking through a number 9 as its logo. You know, because cats supposedly have 9 lives? As I heard the story, the Eveready name was acquired after Union Carbide already had a reputation for making bad batteries. Yeah, the Eveready batteries were also bad. Never ready. So in 1986, seeking ready capital (for some reason, huh?) Union Carbide sold its battery products division to Ralston Purina (which is now part of the conglomerate Nestle which was recently run by a guy who became interim head of World Economic Forum and has said that having drinking water is not something anyone should expect or words to similar effect). Well, the Eveready brand was not any good, so Ralston’s people hired some publicity and marketing firms (DDB Needham Worldwide and Chiat/Day) to come up with the Energizer brand and its bunny (“it just goes and goes, banging on those meaningless cymbals”). Needless to say Energizer is now using name extensions like “Energizer MAX” and “Energizer Ultimate Lithium” because still bad.

There are four incidents in seventeen years involving Comodo. Whoops. In 2008, Comodo was trusting resellers to perform domain control validation, which is a critical certificate authority function, instead of doing it themselves. In 2011 Comodo was still trusting resellers to perform domain control validation instead of doing it themselves. So they finally stopped letting resellers do that part and brought that work in house. In 2016 Comodo was not properly sanitising attacker-controlled input when emailing out domain control validation emails. Also in 2016 Comodo was using optical character recognition to obtain admin addresses from whois records which was proven to be subject to spoofing. So, maybe re-brand as Sectigo in 2018 and hope nobody remembers?

Yes, it actually gets worse. The National Informatics Centre (NIC) of India, a subordinate certificate authority of the Indian Controller of Certifying Authorities issued rogue certificates for Google and Yahoo domains in 2014. At the time they claimed that their issuance process was compromised and that only four certificates were improperly issued. However, Google is aware of additional certificates not reported by NIC, so it can only be assumed that the scope of the breach is unknown. It is possible that it is of arbitrarily large scope, in that any number of security certificates could have been issued for any domain that existed in 2014. There is zero recourse to remediate this situation since it is a deliberate action (or error, if you prefer to believe and trust their intentions) by a national authority. It is unclear if this same agency is still issuing rogue certs for various other domain names.

Speaking of state actors, try the China Internet Network Information Centre (CNNIC) CNNIC, in violation of their certificate practice statement, in 2015 willfully issued an unconstrained intermediate authority certificate to MCS Holdings, an organisation with no certificate practice statement or technical infrastructure whatsoever to operate a certificate authority. MCS Holdings used the intermediate CA to forge certificates for Google and likely other domains. CNNIC violated their certificate practice statement and failed to properly oversee the practices of their subordinate certificate authorities. So the major browser software enterprises don’t trust MCS nor CNNIC. There is no reason to believe CNNIC isn’t still issuing rogue certs.

In 2013 ArsTechnica reported on a French agency minting fake SSL certs to impersonate Google. How many other domestic and international agencies have done similar things? We won’t find out until we tear down all the spy agencies and publish all their misdeeds.

Some of the certificate authorities make some effort to fix known vulnerabilities as they are discovered. Others do not. Thus, “trusted third parties” are not actually trustworthy.

Back doors

At the beginning of 2024 our friends at Brownstone Institute reported on the difficulties in proposed European Union legislation that would have required certificate authority system changes that would have given 27 nation state entities vastly expanded surveillance powers over internet use. Of course, the bureau rats in Brussels don’t understand the technology, don’t mind if it is compromised, have no control over the 27 nations involved, and wouldn’t be able to prevent the same technologies required in their proposed law to be used by criminals. (The nation states involved may be presumed criminal since they are funded by theft and monetary debasement.) The proposed rule would have required all internet browsers to trust an additional root certificate from an agency (or a regulated entity) from each of the national governments of each one of the EU member states.

Of course, nation state and provincial state actors have significant powers of persuasion. They lie, cheat, rape, murder, torture, kidnap, extort, and use their power to force people to do things. There are many instances in my experience of activities being ended without due process of law because of nation state agencies. They engage in no-knock entry, warrantless entry, privacy invasion, vandalism, sabotage, murder, rape, kidnapping, theft of servers, theft of paper records, false charges, issue letters to domain registrars and certificate authorities without court orders, and do many other things to suborn essentially everything that can be corrupted, distorted, or hurt. That’s because the people involved are evil. They hate God. They hate mankind. They set about to hurt as many people as possible.

You have no way of knowing if the “trusted intermediary” certificate you are using for a given web site based on the assurances of your web browser and the signing of the relevant public keys by the relevant certificate authorities is actually trustworthy. It might be a different cert that has been imposed into the system through state-level actors and agencies. Which is, of course, how lots of things show up on some private computers and corporate servers that weren’t there just a little while ago. If you want to believe that the “evidence” presented by some fbi, cia, nsa, dea, batfe, or similar agency is persuasive, that’s up to you. But I would not.

Self-signed certs

It is possible to issue your own security certificate for your own web site. However, there is no chain of authority, and therefore many browsers choose to impose policies such as refusing the connexion or posting an absurd “not safe” or “back to safety” page. This sort of behaviour by browser enterprises (commercial and non-profit) represents the tendency of various kinds of activities to involve imposed hierarchies. People seem to want to have some “appeal to authority” even though the illogic of such arguments is demonstrable.

John Locke in his work An Essay Concerning Human Understanding, published in 1690, coined the phrase argumentum ad verecundiam (argument to reverence) to describe this type of argument. He described it not exactly as a formal fallacy in the modern sense, but as a form of argument that he considered inferior and not a path to true knowledge. He argued that relying solely on the opinions of established authorities (such as esteemed authors, ancient sources, or respected figures) without employing one’s own reason or seeking independent evidence does not advance a person’s understanding or knowledge.

Similarly, relying on a certificate authority because, well, it is an established authority makes no sense. Sure, there is an entire community monitoring the seven big outfits that issue 99% of certificates. But you still have to trust that they are doing what they say, that they aren’t doing favours for deep state agencies, and that the certificates you get are the certificates they issue. If you do trust them, you might believe that you won’t be subject to man-in-the-middle attacks. If you don’t trust them, then you might wonder if the man-in-the-middle (depicted as that spooky character in the graphic at the top of this essay) isn’t doing their job.

You know, they had one job: issuing properly verified certificates of authority. Well, trusting someone else with doing one job? Doesn’t always work out. Basher Tarr found out the hard way.

Certificate pinning

If there were a way to associate each website with its preferred certificate authority, it would follow that any certificate for that site from any other authority would be immediately recognised as fraudulent. Certificate pinning is a possible public protocol standard that has been evaluated toward this goal. The questions that arise are many, including how would that association be published and how would that publisher be trusted?

At each layer of this process, the technical solution relies on an external source of trust. But how is that trust established? By relying on an even more trusted source on the next higher plane? This question illustrates the “turtles, all the way down” nature of the problem. PKI does have a turtle at the bottom: the reputation, visibility, and transparency of the security industry and its customers. Trust is built at this level through constant monitoring, open standards, the software developers, and the certificate authorities. But all these turtles are swimming over a bottomless abyss.

In the current economy, the four major browser enterprises exert enormous power over the acceptance and acceptability of certificates. Those entities are Mozilla (Firefox), Microsoft, Google, and Apple. Obviously, you should be noticing that the three major corporations are government contractors and potentially corrupted in any situation involving a state agency seeking to coerce results. The Mozilla foundation is about 85% funded by Google, so it is arguably subject to being compromised.

There is an existing (now deprecated) public protocol referred to as HPKP which stands for http public key pinning or hypertext-transfer-protocol public key pinning. Back in 2019 it was fully removed from all browser applications. The idea of pinning is simple. Execution proved difficult, if not impossible at scale. Getting pinning wrong could create an outage and might even block updating the pinning configuration to recover from the outage.

Pinsets were key to making pinning workable. Rather than pinning one key, one would pin a set of keys. HPKP allowed for pinsets of public keys. There are times when there is more than one legitimate public key. The most obvious is during certificate rotation. Trying to time pin rotation with certificate rotation with a single cert pinned would be impossible, as most clients would be offline and have an old pin. Unfortunately, the implementation of HPKP involved “trust on first use” which is evidently an unworkable method for initial distribution of trusted pinsets. This situation is particularly difficult if there is a man-in-the-middle attack on the first use. Guarding against this problem, including associated social hacks, proved to be impossible, with no mechanism to locally reset the pinsets. Further, many corporate environments use man in the middle based transport layer security inspection, which issues cloned certificates from a corporate trusted certificate authority. While the naming information would match, the certificate’s public key would not. This could create an unintended denial of service on the application. And, naturally, the world’s major corporations are not inclined to change their security protocols to improve security for anyone else (or even for everyone else) without someone else paying the cost of the change.

Pinning public protocol

There are many reasons not to trust the existing secure sockets layer approach to web security. There are many applications including decentralised apps (dApps) that necessarily must avoid the secure sockets layer system entirely.

One of the ways to avoid these problems is to use the Interplanetary File System (IPFS). Access via IPFS has the effect of guaranteeing file integrity, since all addressing is via content hashes. (An HTTPS website cannot do this.) These IPNS (Interplanetary Name Service) links will remain consistent across updates, and assume your local IPFS gateway is running on the default port of :8080.

As well there exists a hybrid ECDSA/AES-256 encryption algorithm that can be accessed using ECIES, to generate one-time keys for every message exchange between client and server. This approach provides superior encryption, which travels over ordinary hypertext transfer protocol.

However browsers won’t access non-secure HTTP web sites from within a “secure” HTTPS context. You cannot use a https:// gateway URL to access certain IPFS content. To quote from one ‘PrivFi’ or privacy finance project, “You might pull up the dApp, but communications to our layer 2 nodes wouldn’t function. This situation means that the IPFS Companion and similar plugins won’t work, because they rely on public relays secured with HTTPS, such as .dweb links.” Their workaround is to use Kubo, the IPFS Go client which is extensively documented.

The problems don’t end there. It becomes difficult to gain entry to wallets invoking the WalletConnect Protocol because that requires the developers to accept the legal jurisdiction of the Cayman Islands, the USA, and the State of Delaware; agree to comply with all GeoIP-blocking, address blacklisting, and sanctions decreed by the US Treasury or other national and international regulatory bodies, and generally be subject to any “legality” imposed by any of those nation state entities. In sum, for the dApp quoted here, the answer has been “bail.” To further quote their page, “Our dApp isn’t really intended for mass adoption; rather, it’s a reference implementation targeted at Web3 power users.”

It all gets back to that problem of trusted authorities. Are there ways to design things better?

Certainly. For one thing, public keys might easily be posted to one or more blockchains. So could security certificate authentication codes (hashes, e.g.). Do we need to have a new certificate of authority to issue security certs and sign public keys? Perhaps. Or perhaps the Let’s Encrypt team would be amenable to working on the public protocol for more secure web transfers.

Remember that all these technologies are of recent vintage compared to say, the loom, or the axle, or the wheel. When Taher Elgamal created secure sockets layer for Netscape in 1995, the idea was to make the web secure. If it seems like it involves many miracles for it to work at all, then perhaps it is time to consider a different design. Yes, https works. But only if you have trusted certificate authorities, and only if you have kept the private keys involved in issuing certs and signing public keys private, and only if the trusted authorities are trustworthy.

Remember the goal of Bitcoin in the context of what was in 2008 perceived as the “e-gold problem.” The intention was to have a software system that could run on tens of thousands of servers, anywhere in the world, so it would be essentially impossible to shut down all of them at once. The intention was to have a software system published anonymously so that nobody could compromise the author and coerce him or her to change the code. The intention was to have no central storage of gold or any other form of value that could be seized, but to have the software be so arranged that it was itself the store of value. Again, it works, and that’s testament to how determined people can build well.

Maybe after thirty years the implementation of web site security (so you can reliably use your credit cards and other private transaction information) should be revisited. Maybe SSL is not the only way forward, which would mean that “trusted” authorities might not be required, which would mean that you could stop paying for certificates - a savings that many big businesses would realise right away.

Whatever solution is developed it has to be a public protocol. It can be tested in a private environment, but unless everyone knows how it works, unless all the code is available for scrutiny, it would become just another “trust us” system. We’ve been down those roads again and again and found that legacy finance and even quite a lot of decentralised finance isn’t trustworthy. (You may recall that faced with the choice of forking Ethereum or honouring the smart contracts that were compromised by the security flaw, the choice was made to fork and classic Ethereum is not the same as new.)

Am I proposing a solution? Not exactly. I am proposing that a solution be developed. It is clear to me that we need better choices. It is also clear that there are many people competent to implement better code. So it would seem like now is a good time to get started.

That’s all I’ve got for today. Come back next time when I have something new. Or old.