Certificates through DNSSEC
[Press release, Amsterdam (NL), February 9th 2011]
Two student researchers doing an internship at NLnet Foundation have produced a working, inexpensive solution to protect internet users against certain forms of identity theft in the browser. Web site operators traditionally rely on often expensive and awkward browser certificates to protect the communication with their users against abuse, but over the last five years the technical community at large has become increasingly aware that this system is still wide open to abuse.
The solution presented by Danny Groenewegen and Pieter Lange from the University of Amsterdam is to make use of the possibilities offered by the recently upgraded domain name system of the internet (DNS) to automatically let the browser of the end user verify certificates through an independent and secure channel. This validation through the so-called 'trust chain' of DNSSEC not only provides more security for users --at no cost to them-- but also gives web site owners more freedom to deploy the cryptography of their choice. In addition to the security benefits, the new method significantly lowers the operational cost of deployment for owners of web sites, because everyone can now set up a completely secure website instantly in an automated way, rather than the current more complex method where they depend on external parties.
"Once a not entirely trustworthy certificate authority is included in browsers, it can silently generate valid certificates for any domain on the planet. It is like a bank handing out money from your bank account as soon as a piece of paper with your bank account number and a human signature on it says it is okay --without checking who signed it," says Michiel Leenaars, director of Strategy at NLnet foundation. A rogue certificate is not visible without additional manual steps, and a website identifying itself with a rogue certificate even produces the same reassuring 'padlock' that users are taught to trust. The system proposed and built by the students from the University of Amsterdam recognises these rogue certificates based on their unique fingerprint published in DNS, and is able to shield the user from impersonators --so-called man-in-the-middle attacks.
In the recent hijack of social network Facebook in Tunisia in January 2011, it became obvious that when the Tunisian government sought to gain access to user accounts from citizens it could use the certificates of its own certificate authority (Certification.tn) to intercept seemingly protected traffic. A number of other governments --including the Dutch, Japanese and Taiwanese governments-- as well as private companies and security researchers have successfully registered their own CA and these are now part of the large set of trusted certificate authorities in various modern browsers. "Access to an actual Certificate Authority is not even required to create a rogue certificate, as another option is to modify valid certificates issued by Certificate Authorities that still use outdated cryptographic technologies", says prof. Cees de Laat of the University of Amsterdam, "sometimes such use of weak cryptography is intentional, as the name of one such Certificate Authority (MD5 collisions inc.) points out". In security terms a cryptographic collision is the situation where two certificates share the same fingerprint.
Although the current amount of lost data and identity theft through this type of attack is unknown, a recent global survey by the Electronic Frontier Foundation of the entire publicly reachable web (also sponsored by NLnet foundation) found many worrying examples of abuse of SSL certificates out in the wild. With a rogue certificate it becomes possible to perform a successful man-in-the-middle attack, which includes running software on your local computer as well as criminals intercepting sensitive internet applications such as banking and e-government.
Over the last couple of months a working group in the Internet Engineering Task Force has been debating various technical issues and policies to standardise the way in which these certificates are put in the DNS, based on a number of different proposals from the technical community including DNS security researcher Dan Kaminsky. By creating a configurable, user-friendly open source plugin for the popular Firefox 4 browser that is able to parse the different available candidate options, the students from the University of Amsterdam are the first to offer an end-user ready solution. Although the students insist on calling it a proof of concept, it does offer usable real-world protection. "Given the fact that you can offer immediate relief for people in difficult political situations, we urge web site owners to start offering the enhanced security as soon as possible, so that users have a choice", say Lange and Groenewegen, "Once you set up DNSSEC, which is a best practice anyway, it only takes minutes. It really is a no-brainer."
The plugin can be downloaded for Linux, Mac OS X and Microsoft Windows for free at: https://os3sec.org
A five-minute description for webmasters of how to protect users of their website can be found here: https://os3sec.org/technicalbackground.html
The EFF HTTPS Observatory: http://www.eff.org/observatory
Tax-deductible donations for the further development of the plugin and related open source development can be made to the DNSSEC fund at NLnet foundation. NLnet is open to grant proposals to other DNSSEC related projects, as well as other projects that improve the internet. More information on submission dates and conditions here: http://nlnet.nl
For more information, contact Michiel Leenaars, Director of Strategy, or NLnet Foundation.
Additional information
About NLnet Foundation
NLnet Foundation is a widely respected private charity fund supporting open standards and open source worldwide, and has over the years actively contributed to (internet) standards, open source projects and subsidiary or enabling activities such as the development of GPLv3. NLnet foundation is an independent organisation whose means came initially from interest on a very substantial own capital formed in 1997 by the sale of the first Dutch Internet Service Provider. Its private capital ensures an absolutely independent position. The articles of association for the NLnet foundation state: "to promote the exchange of electronic information and all that is related or beneficial to that purpose". NLnet believes in open standards and open source. At the moment, dozens of projects and organizations are supported financially. Amongst them: research laboratory NLnet Labs, the Free Software Foundation, KSplice, TOR, SPEAR, NAT64 and the Internet Society.
More info: http://nlnet.nl. For logos: http://nlnet.nl/logo/
About System and Network Engineering at the University of Amsterdam
The University of Amsterdam is ranked among the top 15 universities in Europe and the top 50 world-wide, and its founding dates back to 1632. System and Network Engineering is the only academic Master in The Netherlands specifically designed for students with the need for specialized and in-depth knowledge of IT systems and networks. The Master programme is unique because of the focus on Open Standards, Open Software and Open Security. It has an internationally renowned teaching staff, with extensive experience in both the research and working field. It has a highly motivated, trained and international student population, selected by a fairly strict admission procedure. The Master's programme in System and Network Engineering has been accredited by the Accreditation Organisation of the Netherlands and Flanders (NVAO). This means that upon successful completion of the programme, students will receive a legally accredited Master's degree in System and Network Engineering and the title of Master of Science (MSc).
More info: https://www.os3.nl