X.509 certs are less secure than you might think


This post is prompted by T.Rob’s recent post “We’re gonna need a bigger crowd” where, among other things, he talks about X.509 certificate security. I agree with the core point of his post – crowd-sourcing is ineffective for highly specialized subjects – but this X.509 subject keeps coming up. It is one of the rare cases where I disagree with him, so it’s worth a post.

His view is, in a nutshell, that trusting an outside Certificate Authority (CA) is always more secure than [normal people or companies] operating a CA themselves:

CAs usually take what would be considered extraordinary measures in an average IT shop.  … will manage a root certificate using dual-knowledge protocols so that no one person ever has exclusive access to it … ensure that no two certificates issued will have the same name or serial number… runs a secure and highly available revocation responder.

… mesh of intrusion prevention, intrusion detection, auditing, access control and access revocation …  Is it foolproof?  No.  Is it something we can afford to abandon to move to our own internal CA?  Again, no.

Before we talk about those, let’s first think about our adversaries and what they might want to accomplish when getting people to accept fake certificates. That, of course, depends a little on who you are (individual, company, defense contractor, three-letter agency etc.), but I’d put them into the following rough categories:

  • “Small guys” who will set up phishing sites etc. on a small scale to get consumers to log into fake bank, e-mail or social networking sites, and sell what they found.
  • Commercial interests who will attack their competitors, or other commercial targets, to obtain confidential information, to disrupt their business, or to siphon off moneys in the multi-million dollar range.
  • Nation states who either attack their own citizens (e.g. Libya under Gaddhafi) or who go after (commercial or governmental) targets in other countries.

To follow his argument, let’s assume in each case that certs were issued by a certificate authority that did not meet T.Rob’s exacting standards for how it should operate. E.g. it keeps the master key on a thumb drive, as he says.

  • I’d argue the “small guys” have no possibility (i.e. no budget) to even find out how secure or insecure the CA’s process is, never mind the ability to case and then break into the facility that has the desk with the thumb drive in the top drawer. Even the very insecure home-grown CA is out of reach for them, except if they happen to be really lucky.
  • Nation states, on the other extreme, well, have more resources than even the most diligent and best-capitalized CA can muster, as we know since Stuxnet. Surely some attacks are simpler than others (think T.Rob’s thumb drive) but if they want the cert, they will get it, through break-ins, compulsion, blackmail or what have you. So in this case the homegrown CA is not a lot less secure than the professional one; both will be compromised.
  • Leaves commercial interests in the middle, and I’m not sure I have anything worthwhile to say on them because I can’t recall any published cases, so I’ll not discuss this point here. Have there been cases? (If so, let me know in the comments.)

But let’s look at the reverse: the cases in which professional CAs are definitely less secure than homegrown ones. My exhibit A, of course, is the list of root CAs bundled with a typical browser these days.

So, on Windows, I have to trust 353 root certificates. Many are run by organizations that I have never heard of, and, frankly, if I had, I would not trust. They can be as professionally managed as they come, but 353 of them? Simple statistics tell me that if each of them may be breached (or co-opted, or “persuaded”, or have a rogue employee or three) with a probability of 0.1%, then with 353 of them, at least one will be breached with about 30% probability. Which is probably worse odds than the root key on the thumb drive.

And I will never forget the very first conversation I ever had with Kim Cameron, one of the Microsoft security chief architects, at a PC Forum if I recall correctly. He told me that Microsoft was considering creating a two-tier program for CAs, because some trusted root certificate authorities were, well, just not very trustworthy. The 353 above for Windows 8 tells me that that idea, however worthwhile, went nowhere. And I’m not even talking about secret certs that are supposedly included in various pieces of software.

I have an exhibit B, which is that most root CAs that I have ever interacted with do so little checking on who you are that even a middle schooler could fool them. (I can’t find a link right now, but I seem to remember that somebody managed to get an SSL cert issued to them for Microsoft Corp.)

So, depending on your specific circumstances, outsourcing certificate management to a professional CA might make all the sense in the world. But it’s clear that there are many circumstances where operating your own CA, and only accepting certs that you issued yourself and signed with your own private key, may simply be the better and more secure choice.
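The arithmetic behind the 353-root figure and the “only accept certs you issued yourself” setup, as an added Python example that is not part of the original post. It assumes roots are breached independently of each other; the function names and the `ca_file` path are illustrative.

```python
import ssl
from typing import Optional


def p_any_root_compromised(n_roots: int, p_each: float) -> float:
    """P(at least one of n_roots is compromised), assuming independent roots."""
    return 1.0 - (1.0 - p_each) ** n_roots


def roots_trusted_by_default() -> int:
    """CA certs preloaded into a default client context (platform dependent;
    stores kept as a hashed directory load lazily and are not counted here)."""
    return ssl.create_default_context().cert_store_stats()["x509_ca"]


def private_ca_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that never consults the system trust store.

    ca_file is a hypothetical path to your own CA certificate in PEM form.
    Without it the store stays empty and every handshake fails closed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


if __name__ == "__main__":
    # The post's case is p_each = 0.1%; the other rows show the sensitivity.
    for p in (0.0001, 0.001, 0.01):
        print(f"p_each={p:.2%}: 1 root {p_any_root_compromised(1, p):.2%}, "
              f"353 roots {p_any_root_compromised(353, p):.2%}")
    print("roots preloaded by default context:", roots_trusted_by_default())
    ctx = private_ca_context()
    print("roots in private context before loading your CA:",
          ctx.cert_store_stats()["x509_ca"])
```

A client built with `private_ca_context("my-ca.pem")` rejects any server certificate that does not chain to that one CA, so a breach at any of the bundled roots no longer affects it.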
