Blacklisting SSL Certificate Authorities

The Register has an article on Firefox black listing an SSL Certificate authority.

Certificates and certificate authorities are the underpinnings of our secure web infrastructure.

When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).

That site certificate is signed by one of many certificate authorities.

I see 86 certificate issuing authorities in my Firefox now.

Many of those certificate authorities have multiple signing certificates.

Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.

Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.

These entities are located all over the world, many under the control of oppressive governments (however you define that).

Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.

There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.

Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificate for surveillance.

Here is how it works:

The government has certificate authority create a new certificate for a website.

The government then intercepts all sessions to that site with a server (at national level routers for example).

The server uses real site certificate to communicate with the real website securely.

The server uses the new fake certificate to communicate with user securely.

The server then has access to everything in the clear as it shuttles data between the two secure connections..

It can read and/or modify anything in the data stream.


Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.

There is a lot of controversy about this. What is appropriate cooperation with law enforcement vs. supporting and enabling dictators.

In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.

The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.

In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.

In the longer term, there is a really hard problem to solve.