Lots of talk recently about DigiNotar and Iran. I’d posit this problem has more impact than people think, but not for the reasons being bandied about. I don’t usually don quite so big a tinfoil hat, but I certainly don’t want to act naive about realistic risks. I’ll try to keep my statements brief, though a bit rambling.
Hypothesis: Iran made legitimate requests of DigiNotar for certificates. This is normal business for a CA. (This may or may not be true at all, but it still stands to illustrate a point.)
Iran cares about intercepting communications for governmental security purposes.
Every dang nation in the world cares about intercepting communications for governmental security purposes, though in some cases we really hope it is with documented procedures and reasons (e.g. as we hope is the case for the US).
Every CA has a way to request any sort of cert you want to aid governmental interception. You really think any CA that does business in country X will still be able to conduct business if they rebuff the host government? No. (For some precedent, apply this thinking to things like Skype or Google’s portals to request data on people of interest.)
Governments aren’t going to let there be some completely private global (or even national) means of communication without leaving themselves the ability to tap into it if needed. I’d posit that this partially explains various not-optimized communications security like CDMA and such.
The web of trust for SSL/CA/web infrastructure is weak, and maybe even broken, but that’s unfortunately part of the (mostly accidental) design, if you ask me. Granted, this was all devised long ago when scale wasn’t a huge concern, before there were 600 CAs in the world that most every browser just inherently trusts because it is good for business: it eases user frustration and effort (if you run an e-commerce website, just think how awful it would be to work with every user whose browser won’t trust everything inherently). Sadly, it is inherent that a “web of trust” is only as trustworthy as the least trustworthy part of it, and it only takes one mistake to let that in. Maintaining that trust amongst the general public does not outweigh business health/profits.
At some point I have to trust something, because I am not smart enough to really be able to intelligently verify my trust in most things encryption. It’s a quandary, certainly.
Getting back to DigiNotar, what’s the best way to cover your ass when someone finds out you’ve been giving shit away to other governments when they force you to or pay you enough? Pre-existing proof of a hack to give you deniability.
Anyway, that’s one way to look at it. Honestly, I’m sympathetic to the typical LEO thinking that the simplest solution is almost always the correct one: someone broke into DigiNotar and issued themselves certs. But I’m also sympathetic to the idea that govs require access, even if the common person thinks they’re communicating securely.