Certificates Do Nothing



  • Please correct me if I'm mistaken, but I've reached the conclusion that CA-signed certificates in the current Internet Public Key Infrastructure do not add any more security compared to servers providing self-signed certificates or raw public keys and clients performing no certificate validation.

    CA-signed certificates are supposed to provide authenticity of the server. When the client validates the certificate back to a trusted root CA certificate, the client can be reasonably sure he can establish a communication channel visible only to the entity possessing the private key of the certificate (confidentiality and integrity), AND that the entity possessing the private key also controls the domain name listed in the certificate (authenticity).

    One type of attack that TLS/PKI seem to focus on and claim to counter is the man-in-the-middle attack. Assuming an adversary has the ability to send/receive packets to/from an address that is not his (the whole point of using TLS/PKI in the first place), this adversary can easily "prove" to a trusted CA that he controls a domain that he does not actually control the DNS entries for.

    For example in the ACME protocol, the adversary can simply complete challenges while impersonating the IP of the domain in question, and obtain a certificate from a trusted CA like LetsEncrypt. Any capable adversary can do this at any time, and the actual domain owner is completely unaware. Even if the domain under attack has an EV certificate, the adversary can provide the illegitimately obtained DV certificate, and the connection will proceed without errors (and display a secure padlock in web browsers, for example).

    TLS with no certificate validation could still be used for confidentiality and integrity for some server of uncertain authenticity, but since certificates don't provide authenticity anyway, what is the actual point of the additional overhead of certificates in the first place?



  • One type of attack that TLS/PKI seem to focus on and claim to counter is the man-in-the-middle attack. Assuming an adversary has the ability to send/receive packets to/from an address that is not his (the whole point of using TLS/PKI in the first place), this adversary can easily "prove" to a trusted CA that he controls a domain that he does not actually control the DNS entries for.

    You are kind of assuming an adversary here with universal access to arbitrary infrastructure and the ability to fake arbitrary source IP addresses or hijack arbitrary connections at any time. Such broad capabilities are not common, are very expensive to obtain and are usually only possible for a few well-financed government agencies with deep ties to infrastructure providers, if at all.

    The typical attacker just sits at the local WiFi hotspot or maybe at the level of the ISP serving its home customers. In this case the attacker can only MITM a few connections, i.e. typically only the connections from some mobile or desktop users accessing web sites or retrieving their mail. This kind of access does not allow them to hijack or fake the connections between the server and the CA which are used in the domain validation of certificates.

    ... but since certificates don't provide authenticity anyway

    I agree that the system is not perfect, i.e. short takeovers of a domain, compromising the server side of the website to grab the certificates and keys, or DNS cache pollution affecting a CA have happened in the past. But while these should be considered a risk, the system itself usually works, i.e. it provides no perfect trust but much more trust than a blindly accepted self-signed certificate.

    But even a blindly accepted self-signed certificate provides more trust than no certificate at all, because it makes it possible to detect if the server has changed (different certificate). This is the idea behind Trust on First Use (TOFU).

    In summary, certificates provide security: self-signed certificates provide more security than no certificates, and certificates issued by publicly trusted CAs provide more security than self-signed certificates. None of this provides perfect security though.
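    The two client setups discussed in this thread, the question's "no certificate validation" client and the answer's Trust on First Use (TOFU) client, can be put side by side in a few lines of Python. The script below is an added example written for this page, not code from either poster; it uses only the standard library. `make_context` builds either the CA-validated client context or the unvalidated one, and `PinStore` records the SHA-256 fingerprint of the server's DER certificate on first contact and reports whether a later certificate matches it, which is exactly the change detection the answer credits to a blindly accepted self-signed certificate. The hostname `example.test` and the DER byte strings in `demo` are constructed stand-ins, not real certificates; `connect_and_pin` shows how the pieces fit with a live TLS socket and needs network access, so the self-test does not call it.

```python
"""TOFU pin store beside CA validation: added example, not from the thread."""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path
from typing import Optional

# Outcomes of a pin check.
FIRST_USE = "first-use"   # no pin stored yet: record it (trust on first use)
MATCH = "match"           # certificate unchanged since first use
MISMATCH = "mismatch"     # certificate changed: warn or refuse to continue


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps "host:port" to the fingerprint seen on first use.

    Optionally persisted as JSON so later runs can notice a changed certificate.
    """

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen          # first contact: pin it
            self._save()
            return FIRST_USE
        return MATCH if hmac.compare_digest(pinned, seen) else MISMATCH


def make_context(validate_ca: bool) -> ssl.SSLContext:
    """Client context. validate_ca=True checks the chain against the system
    trust store and the hostname (the PKI path); validate_ca=False is the
    'no validation' client from the question, only sensible with a pin check."""
    ctx = ssl.create_default_context()
    if not validate_ca:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validation_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies both the chain and the hostname."""
    return ctx.verify_mode != ssl.CERT_NONE and bool(ctx.check_hostname)


def connect_and_pin(host: str, port: int, store: PinStore,
                    validate_ca: bool = True) -> str:
    """Open a TLS connection, fetch the peer's DER certificate and run the
    pin check on top of whatever CA validation the context performs.
    Needs network access, so the self-test below does not call it."""
    ctx = make_context(validate_ca)
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname is still passed so SNI is sent even without validation
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return store.check(host, port, der)


def demo() -> list:
    """Exercise the store with constructed byte strings (not real certificates)."""
    store = PinStore()
    cert_v1 = b"constructed-der-bytes-of-first-certificate"
    cert_v2 = b"constructed-der-bytes-after-a-change"
    return [
        store.check("example.test", 443, cert_v1),  # first-use: pinned
        store.check("example.test", 443, cert_v1),  # match: same certificate
        store.check("example.test", 443, cert_v2),  # mismatch: changed
    ]


if __name__ == "__main__":
    print(demo())
```

    The mismatch branch is where TOFU differs from the question's "no validation" client: the unvalidated client accepts `cert_v2` silently, while the pin store at least flags that the server's key changed since first contact, leaving the user to decide whether that was a legitimate renewal. Pair it with `validate_ca=True` and the pin becomes a second check on top of the CA chain rather than a replacement for it.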


