Hi security knowledgeable people. I have a problem understanding the bigger security model behind Let’s encrypt.
From what I understand SSL and certificates give us mainly two things:
(1) Encrypting the communication between client and server, so that a third party can not read the communication.
(2) The client can verify the server’s identity.
By itself (1) is not enough, because a client can be fooled into talking with a malicious server, and then having the communication encrypted doesn’t really help.
Let’s Encrypt allows me to automatically obtain a certificate for my webserver at the domain www dot example dot com, assuming that I have control over the contents of the website at www dot example dot com (this is checked by the Let’s Encrypt HTTP challenges). By this model, having control over the contents of www dot example dot com, I prove my identity as the owner of www dot example dot com.
My question is this: Why don’t we take a shortcut and let me self-sign my certificate of www dot example dot com? The usage of SSL with a self-signed certificate fulfils condition (1) from above. Condition (2) is fulfilled implicitly because I have control over the contents of www dot example dot com.
I can formulate my question in the form of an attack. Assume that I publish my website at www dot mywebsite dot com. Also assume that some big government agency (call it ASN) wants to show users something else when they visit my website.
ASN, being a large government agency, can pass the Let’s Encrypt HTTP challenge (using a man-in-the-middle attack for the HTTP protocol), and then automatically obtain a certificate for www dot mywebsite dot com. Using this certificate they could fool users into seeing a different www dot mywebsite dot com, which breaks the SSL security promise.
I think that having a self-signed certificate gives us a similar security setting to using the Let’s Encrypt model, with the additional advantage of not being dependent on the Let’s Encrypt central authority for creating certificates, and without having to automatically generate a certificate every 3 months.
I am pretty sure I am missing something here. Please tell me what you think.
real.
Yes, you're missing something. Anyone can create a self-signed certificate for www.example.com. So self-signed certificates don't verify you're the owner unless you're checking for the exact fingerprints or something. And that's not feasible for the public-at-large. That's mainly why certificate authorities exist today.
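The point above, as an added example that is not part of this thread: with Go's standard library (no CA involved), anyone can mint a self-signed certificate for www.example.com; a client rejects it against its root store, and the only way to accept it safely is to pin the exact fingerprint it saw earlier, which a second self-signed certificate for the same name then fails. The host name and the pinning helper are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate for host (constructed example).
// This is exactly what any party can do for any name without asking a CA.
func selfSigned(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Parent == template, so the certificate signs itself with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trustedByDefault reports whether a client with an empty root store (no CA
// trusted) accepts cert for host; for a self-signed cert this is always false.
func trustedByDefault(cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return err == nil
}

// trustedByPin accepts cert only if its SHA-256 fingerprint matches the pin
// the client recorded out of band; any other cert for the name is rejected.
func trustedByPin(cert *x509.Certificate, pin [32]byte) bool {
	return sha256.Sum256(cert.Raw) == pin
}
```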
@kelunik: Thank you for the quick reply.
If you can create a self signed certificate for www dot example dot com and you can’t get the dns record for it, then having this self signed certificate doesn’t really have any impact. If you can get the dns record and route traffic to www dot example dot com to your webserver, it means you will also be able to get a Let’s Encrypt certificate for www dot example dot com (By passing the HTTP challenge), which allows you to take control over it.
So having a self signed certificate and using Let’s Encrypt still seem equivalent to me.
Let’s Encrypt provides Domain-validated certificates, like most other publicly-trusted CAs (who also do this in an automated fashion on their end; the main difference here is that Let’s Encrypt allows you to automate it as well).
The idea behind Domain Validation is that the CA performs the validation from their servers and their network, which is assumed to be less likely to be vulnerable to a MitM attack. CAs are not vulnerable to a lot of the typical MitM vectors such as public WiFi networks or ARP/DNS cache poisoning (CAs typically don’t operate networks where ARP poisoning is likely, should only use authoritative DNS, and use DNSSEC if it’s available for a domain). Let’s Encrypt is also investigating other approaches that would make it even harder to actively MitM validation requests, such as adding Tor to the mix, which makes things very hard to predict for an attacker.
It’s certainly not completely impossible to MitM the validation request, but it’s significantly harder than MitM’ing a single user, so there’s definitely a security benefit to this kind of third-party validation.
The "ASN" (or local agency) could coerce ISPs to MitM for them and coerce them to keep their mouths shut (cough PRISM cough). Just filter all the kinds of challenges and generate a second certificate at the same time, but this time for the "ASN". People wouldn't be surprised if not one, but two certificates are requested in one sitting. Some experimentation perhaps.
And truth be told, do you really check the certificate transparency logs for clandestine certificate generation for your domain?
Sure, I didn't say it's impossible. If your adversary is a nation-state, all bets are off and you can only do so much. There's a good chance they'll go through some other CA that's not co-founded by the EFF first though.
My base assumption for such a scenario would be that SSL is the least likely venue they would try to use to "get in". It's way too noisy, with CT, HPKP, etc. Odds are, they're going to force your hosting provider to compromise your infrastructure first, or compromise someone on your team (coercion, blackmail or just plain old malware) and plant a backdoor. I don't think that SSL is the weakest link in most scenarios, though that should certainly not stop anyone from trying to make it better!
If I'd consider this scenario likely, I'd definitely deploy HPKP and monitor CT logs. The mere existence of CT logs alone ought to be a kind of chilling effect for intelligence agencies that is likely to cause them to try other avenues (see my earlier point).
@realcr: What you describe is definitely a weakness with domain validation. As @pfg says, though: There are lots of attackers that can compromise local DNS (an ISP, or employer, or library or school) but can’t compromise global DNS to fraudulently pass a DV challenge.
Hi, thank you all for the answers!
As a summary of what I understood, the advantage for using the Let’s Encrypt model over the idea of a self signed certificate is that it is easier to MitM a single user than it is to MitM Let’s Encrypt.
(EDIT: Changed “harder” to “easier”. Thanks @tialaramex )