Short lived certificates cannot solve the “un-aware victim” problem – 4

| Posted by , under Uncategorized

 

 

 

 

 

 

Here we are conversing with Ryan at Google, I must admit this has been a very healthy discussion where opinions are expressed and ideas are shared…..and few blogs later we arrive at crossroads……

-Do we (as the computer industry) accelerate investment (I say accelerate as there is already a momentum) in automation….

OR

-Do we (as the CAs and Browsers) build a scalable revocation infrastructure…….

OR

-Build both………

Both are, in theory, technically viable solutions. There could be differing opinions about which one provides more security (for example, I believe Revocation infrastructure offers more security, because unlike short lived certs it has less moving parts) but either way, they are both acceptable solutions…they both are good enough technical solutions….

The real question is…which road leads to promised land faster with minimal disruption!

Here is the main problem:

We are only implementing one solution. Short lived certs!!

 

 

 

 

 

I believe this is a short sighted view of the world, where the courageous few marching away on one path and one path only……….

Can we afford to take the risk of one path only? Are we even ready for this path? Should we not wait for the bridge to be built before we walk off the cliff?

Can we gamble the future of computing infrastructure on one bet alone? There is a good saying, “Show me a gambler, I will show you a loser”. We become that gambler if we put all our eggs in one basket and gamble it all away.

Courage is to stand for what you believe in even if you stand alone. I believe we have a responsibility to the world not to gamble their computing future away!

I believe we have to immediately start working on a scalable Revocation infrastructure. Because again, I believe it will get us there much quicker and with minimal disruption compared to short lived certificates.

So lets talk about pros and cons of each implementation. (we are not discussing their technical viability or superiority to eachother, already did that last few blogs…). Implementation in a sense of deciding to implement either solution

Short lived certificates – High Frequency Certificate Management Platform:

Who does what in order to create this world of Short lived certificates and high frequency cert management world?

Browsers: Nothing.

CAs: Just reduce the time of certificates…minimal work

Server/Infrastructure Equipment manufacturers: These guys are the wrong end of the stick where they have to re-code their products to handle all sorts of use cases that this high frequency cert renewal will bring to them. A lot of work!

Enterprises:Introduce high frequency certificate management platforms, change processes, business continuity issues must be addressed and re-worked. A lot of work!

Hmmm……..no work for browsers? minimal work for the CAs? And huge $$$ opportunity for people like me to make a lot of money selling brand spanking shiny high frequency cert management platform!

All the while Server/Infrastructure Equipment manufacturers and Enterprises working their backsides off….

 

 

 

 

 

 

 

 

 

Here is only a small partial list of some of the equipment manufacturers that must somewhat change what they do………..

Mac OS X Yosemite
Mac OS X El Capitan
Microsoft AD LDAP (2008)
Microsoft AD LDAP (2012)
Microsoft AD FS
Microsoft Exchange 2007
Microsoft Exchange 2010
Microsoft Exchange 2013
Microsoft Exchange 2016
Microsoft Exchange 2016 (Utility)
Microsoft Forefront TMG
Microsoft IIS 4.x
Microsoft IIS 5.x/6.x
Microsoft IIS 7
Microsoft IIS 8
Microsoft IIS 10
Microsoft Office 365
Microsoft Office Comm. Server
Microsoft Outlook Web Access
Microsoft SharePoint 2010
Microsoft SharePoint 2013
Nginx
NetScreen
Novell ConsoleOne
Novell I-Chain
Oracle Wallet Manager
Parse.com
Plesk Server
Qmail
Radware Alteon
Small Business Server 2011
Small Business Server 2008
SonicWALL NSA
SonicWALL SSL VPN
Sun Java Web Server
SurgeMail
Tomcat Web Servers
Weblogic 8 & 9
Weblogic (previous versions)
Webmin
Website Pro
Websphere
WebSTAR
WHM
Windows Azure Cloud Services
Windows Azure Website
Windows Server 2016
Zeus Loadbalancer
Zeus Webserver
Zimbra
Zyxel Zywall

………and countless other platforms that use certificates that must be modified to operate in the “high frequency” cert management eco-system……thousands of equipment manufacturers…….with enterprise refresh cycles of 7-10 years in a “good and fast” refresh cycle!

And…lets not forget tens of thousands of large enterprises who must now adopt new management capabilities, change their business continuity processes and much much more…..

Oh, by the way, did I forget to mention that there is no single organization that unify all of these thousands of equipment manufacturers and tens of thousands of enterprises to help by creating guidelines and so on…….its a humongous task, that must be done individually!

Now lets take a look at the other alternative……..

Scalable Revocation Infrastructure:

Who does what in order to create this world of Scalable Revocation Infrastructure world?

Browsers: Minimal work.

CAs: A lot of work

Server/Infrastructure Equipment manufacturers: Nothing

Enterprises:Nothing

Yes…..the CAs are at the brunt end of the work in this method. CAs must build the Scalable Revocation infrastructure and browser must only change one lookup…instead of looking up OCSP……just lookup DCSP…(the system is not limited to getting the data via DNS via dns client….will explain later…)

Both Browsers and CAs have an industry organization called CABForum (where things can be agreed and executed much faster than the above alternative)….With the CAs carrying the majority of the burden, without disrupting the Enterprises or Equipment manufacturers enabling Scalable Revocation Infrastructure will, in my view, get us to our goal much sooner than short lived certificates, and  do so with minimal disruption.

So why are browsers and CAs not creating this platform? Why are we gambling on one solution….the more difficult…the more disruptive….longer implementation cycle…….the less secure solution…???

Now heading to the: “he said she said section……..”

The author said:

Additionally, browsers have a pretty deep-seated position on revocation checking at this point given all the problems of the past so convince them will take time.

 

 

 

I think you hit the nail on the head

 

 

 

(remember my question above “So why are browsers and CAs not creating this platform?”..now you know why……)

We are dealing with “insecurities” here…….time to overcome these “deep-seated” insecurities. Time to…..

 

 

 

 

 

 

 

 

 

We can’t keep looking back, we are not going that way! We are going forward…..

 

 

 

 

 

 

 

 

 

 

 

Of course hold onto lessons of the past……but lets build the infrastructure of the future! Browsers, for the sake of internet eco-system, must invest in both systems and must overcome these deep-seated positions from holding them back.

The author said:

Most browsers do not ship their own DNS clients

They don’t need to ship DNS clients to work with DSCP. DSCP not only is able to push the data via DNS records, but it also lives in a CDN similar to what Google uses to help accelerate their Ad delivery , that provides uptime, scalability, speed….so that, with a small change in the browser, you can now query the DCSP network directly (without needing a dns client on the user end, just a query like you do today for OCSP for example but instead you call DCSP). Small change in browser, now you have scalable revocation! Imagine this infrastructure being run by a Non-for-profit organization, using CDNs, where it can serve browsers for every cert that exist today, backward compatible with all existing certs, scalable, uptime guaranteed…..all this while the second method of delivering this revocation data is being disseminated via DNS by changing both DNS servers as well as DNS clients……..So yes DSCP has 2 modes of operation, one OCSP like lookup capability to deliver this tiny data over CDN networks….and the other via pushing it thru DNS records….

 

The author said:

To be clear, I think something like this is worth exploring but I don’t think it will see meaningful deployment in the near term.

If you think DNS client is the only way, then you are right…but its not the only way! Therefore short term success is possible.

 

The author said:

If we were in Vegas,

It does seem like we are in Vegas, the way we are gambling with one and only one method! 😉

 

The author said:

while in parallel building the new thing.

well you know what they say….

 

 

 

 

 

 

 

 

 

So do we have a Mirror or a Browser? 😉

 

PS: Guess who is leading this revocation initiative DCSP from our side? (he even came up with the name DCSP! 🙂 )

Instead of cookies……he eats bananas!…Really..I mean it….