Monday, March 3, 2014

SSL certificates for Tor Hidden Services

I know I'm going to get hit from the security community for this, but there's no good reason for a CA to not sign certificates for Tor sites.

Why?  The premise of signing a certificate is that the browser manufacturer has verified CAs (Certificate Authorities) as 'noble'.  By doing so, they include these CA's so users can establish secure connections with websites who are 'known' to be the correct owners. This is, ultimately, nothing more than a UI enhancement - keeping ignorant end users from seeing a scary warning page.

Unfortunately this trust breaks down very quickly.  Many SSL certs are issued via email to an address on the domain's whois record, and then signed for up to FOUR years.  It's a one-time spot check, which has and will fail, and does not ensure the validity of the site beyond that point in time.  In addition, the CAs have gone all out marketing the implied security of SSL certificates as ensuring the website is secure.

That's as far from the truth as you can get. SSL only encrypts the CONNECTION. Signing the certificate just says someone made an effort to ensure the person who requested the certificate is truly affiliated with that domain/host.  Using an unsigned certificate still encrypts the connection, but browsers will throw an error because the 'CA' (you) that signed it has not been verified as trustworthy.
When you are looking for a 'green bar' in your web browser, all it means is some big company dished out a ton of money to be personally contacted by the CA to ensure they (at that moment) own the domain/host the certificate is being signed for.  That's it.

So how does this apply to Tor?  How do you verify a site owner for a TLD that doesn't have any registration whatsoever? 
Tor hidden service names use PKI to ensure the clients are talking to the correct endpoint.  This is EXACTLY what CAs sign certificates for. The only difference is that Tor does it for EVERY CONNECTION, while a CA does it once every FOUR YEARS.
An enterprising CA would just need to modify their verification system to connect to a specific page on a .onion hidden service, verify a pre-shared key, and you'd be set.  There's no purpose to EV certificates.  There's no need for 'wildcard' certificates. What's needed is a realization and end to the false advertising that CA signed certificates 'secure' websites - rather than scaring end-users into thinking a site is not secure merely because some CA didn't sign that site's certificate.

Users don't change their ways, I think we should send the following to CAs:
I want to put an SSL cert on a Tor .onion site. Apparently this goes against your method of verifying 'domain ownership' by using whois data. I disagree with your methods - they're flawed and inconsistent. SSL signing is to verify the owner of the HOST (hence your wildcard certs costing more) and not the domain name - yet it's the domain contact that is used to verify a hostname 'owner'.

Tor hostnames, TLDs for a better name, appear random but are based on PKI.  In fact, the destination host (hidden service) name is verified using PKI for EVERY CONNECTION - as opposed to a CA who sends an email once every FOUR YEARS or so.

So I'm asking for a change.  An option.  I'd like my Tor users (who are more advanced, but may still be ignorant of SSL) to not get that pesky "This site is not secure" warning - when it reality it's more secure than a signed SSL cert.  Why do I use SSL if Tor is more secure?  The hidden service is an endpoint within my network, and doesn't REQUIRE SSL, but I would still like to use it. It's convenience.
Your process would simply allow the CSR submitter to also submit a domain name matching URL, where they would post your PSK - instead of emailing the PSK to them as part of a link to click on. At that point, the rest of your process is the same.

Why would you want to do this?  As we move to a more privacy-based infrastructure, I don't believe you will want to get cut-out as Tor (and other alternate 'Internet' services) are integrated into browsers and the CAs relevance begin to diminish - each participant is cryptographically doing your job - https is technically not necessary. The best solution for you to stay viable and grow your business is to participate and make it pointless to ignore your services.