29C3 - Version 1.9


Speakers
axelarnbak
Schedule
Day 2 - 2012-12-28
Room Saal 1
Start time 12:45
Duration 01:00
Info
ID 5319
Event type Lecture
Language used for presentation English

Certificate Authority Collapse

Will the EU Succeed in Regulating HTTPS?

Hypertext Transfer Protocol Secure (HTTPS) has evolved into the de facto standard for secure web browsing. But in the security community, it has long been known that HTTPS is fundamentally broken, and this has been confirmed by alarming hacks and security breaches at several Certificate Authorities (CAs). To tackle the global collapse of trust in these central mediators of HTTPS communications and to augment HTTPS security, the EU has launched a proposal for strict regulation. Will these efforts succeed?

Through the certificate-based authentication protocol that is HTTPS, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and businesses. In only one decade, it has facilitated trust in a thriving global e-commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.

Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a collapse of trust in these central mediators of HTTPS communications, as they revealed fundamental weaknesses in the design of HTTPS. In particular, the breach at Dutch CA DigiNotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL certificates for any given website or service. Moreover, DigiNotar kept silent about the breach. So for 90 days, web browsers continued to trust DigiNotar certificates, enabling attackers to intercept the communications of 300,000 Iranians. In its aftermath, Dutch public authorities took over operations at DigiNotar and convinced Microsoft to delay updates to its market-leading web browser to ensure ‘the continuity of the internet’. These bold interventions lacked a legitimate basis.
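A toy model of the weakest-link property described above, added here as an illustration and not taken from the talk or the paper: a trust store in which every root may vouch for every hostname, followed by two defender-side responses, removing the compromised root from the store (what the browser updates mentioned above do) and pinning the issuer a site expects. HMAC stands in for a real CA signature, and all CA names and hostnames are constructed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed model of the HTTPS trust store. HMAC replaces the CA's signature, so
# the ToyCA class both issues and checks its own certificates.

@dataclass(frozen=True)
class Cert:
    hostname: str   # subject the certificate vouches for
    issuer: str     # name of the CA that signed it
    sig: bytes

class ToyCA:
    """A certificate authority with a single secret signing key."""
    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)

    def issue(self, hostname: str) -> Cert:
        msg = f"{hostname}|{self.name}".encode()
        return Cert(hostname, self.name, hmac.new(self._key, msg, hashlib.sha256).digest())

    def verify(self, cert: Cert) -> bool:
        msg = f"{cert.hostname}|{cert.issuer}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.sig)

def browser_accepts(cert: Cert, hostname: str, trust_store: dict) -> bool:
    """Classic browser check: ANY root in the store may vouch for ANY hostname."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and cert.hostname == hostname and ca.verify(cert)

def pinned_accepts(cert: Cert, hostname: str, trust_store: dict, pins: dict) -> bool:
    """Pinning: the site additionally names which issuers may vouch for it."""
    return browser_accepts(cert, hostname, trust_store) and cert.issuer in pins.get(hostname, ())

def demo() -> dict:
    honest, compromised = ToyCA("HonestCA"), ToyCA("CompromisedCA")
    store = {ca.name: ca for ca in (honest, compromised)}   # both are trusted roots
    site = "webmail.example"                                # constructed hostname
    genuine = honest.issue(site)
    forged = compromised.issue(site)    # attacker holds CompromisedCA's signing key
    results = {
        "genuine_accepted": browser_accepts(genuine, site, store),
        "forged_accepted": browser_accepts(forged, site, store),   # weakest link: True
        "forged_vs_pin": pinned_accepts(forged, site, store, {site: {"HonestCA"}}),
    }
    del store["CompromisedCA"]          # vendors remove the root once the breach is public
    results["forged_after_distrust"] = browser_accepts(forged, site, store)
    return results

if __name__ == "__main__":
    print(demo())
```

The 90 days of silence in the text are the gap between `forged_accepted` becoming true and `forged_after_distrust` becoming false.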

Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. Moreover, taking the form of a Regulation, the EU proposal will become law in 27 Member States directly upon adoption in Brussels. In other words, this is the one to watch.

The presentation addresses the question whether, and if so how, the EU should address the systemic vulnerabilities of the HTTPS ecosystem. It discusses the hack at Dutch CA DigiNotar and other security breaches at CAs, from which the systemic vulnerabilities of HTTPS emerge. It then analyses the EU eSignatures Regulation and abstracts from the EU proposal in search of general insights for communications security governance.

The presentation and paper are part of a PhD project on communications security governance and have been presented in September 2012 at the Berkman Center of Harvard University and the Telecommunications Policy Research Conference in Washington D.C.