An Open Letter to CA/Browser Forum re: Personal Certificates for “.onion”

Ryan, I’d like to take you up on your invitation and request that you forward the following text to the CA/Browser Forum public list, please…


Hi CA/B Forum! I’m a software engineer and one of the authors of RFC 7686; since 2001 I have maintained a personal blog and it’s overdue for a complete software refresh. I want to take advantage of Let’s Encrypt to provide normal HTTPS certificates for the blog, and I want a 100% HTTPS deployment when I am done.

I intend also to provide my blog with an Onion Address, thus my question:

On my blog I do not represent a company – I act purely as an individual; I expect to easily get a “normal” domain-related certificate from Let’s Encrypt, but as an individual I will not be able to get an EV certificate for my Onion Site as mandated by CA/B Forum Ballot 144.

This situation inhibits me from protecting my personal blog’s Onion Site with some form of Onion HTTPS certificate.

It further discriminates against my choice of software deployment as an individual.

Perhaps I could run my blog as HTTP-over-Onion and HTTPS-over-Internet, but this breaks my goal of a 100% HTTPS deployment. Clients of my Onion Site would not have access to HTTPS-only “Secure” cookies and other functionality which browsers today (or will soon) restrict to HTTPS sites, e.g. Camera & Microphone access. This would be an undesirable lack of consistency.

It is not viable to hack the Tor Browser to support an “Onion-only” CA, because only some portion of Tor traffic uses the Tor Browser; non-browser apps which use Tor would not be able take advantage of such a kludge, and thereby would not see the benefit of SSL.

In any case, “.onion” is now an official special-use TLD, and therefore should be supported by official means.

After a hint from Ryan Sleevi – plus referring to the Mozilla CA glossary [1] – I did some research and think that I need either an AV (address validation) or an IV (individual validation) SSL Certificate for my personal blog’s Onion Site.

Discussing likely use cases with Runa Sandvik, we believe that people who use Tor desire (at least) all of privacy, anonymity and integrity. The option that seems most sympathetic to all of these requirements is the AV (address validation) certificate. An AV certificate would provide an Onion Address with an SSL certificate (and thus a form of persistent identity) corresponding simply to an RFC822 email address. This would appear extremely well-suited to users of Onion-backed instant messenger software, such as Ricochet, especially those communicating without reference to “real world” identities.

The alternative of an IV (individual validation) certificate appears closer to the goals of the EV certificate, being a more expensive “absolute identity” certificate that would (per the Glossary) require a Driving License, Passport, or National Identity Card to get. This would be useful for instances where people wish to publicly attest to ownership of what they write / blog / post / publish, but would be less useful e.g. for whistleblowers operating in repressive regimes.

Frankly I see a need for both, and would be (for this case in point) happy to get one of either, but am also open to other alternatives which would not require me to register a company to bootstrap.

So, finally, the question: how may I go about obtaining a suitable, personal, Onion-capable SSL Certificate for my blog, please?

Alec Muffett
London

[1] https://wiki.mozilla.org/CA:Glossary – some extracts follow:

AV (address validation) — Many CAs issue end entity certificates to individuals for use with S/MIME email for which the applicant need only demonstrate that they own and/or control the email address named in the certificate. For example, the owner of the “jdoe@example.com” address could obtain an AV certificate for that address based on their demonstrating to a CA that they owned or controlled the email address in question, e.g., by responding to email addresses sent to an email sent to that address. We can refer to such certificates as address-validated or AV certificates.

More formally we can define AV certificates as certificates containing an emailAddress attribute or Subject Alternative Name extension with a value (or values) apparently corresponding to an RFC 822 email address, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that address in question is owned and/or legitimately controlled by the cert subscriber, and for which the CA makes no claims as to the validity of any individual identity stored in the Common Name attribute of the certificate. Note that “AV” is not a common industry term, but is newly-coined by analogy with “DV”, “IV”, etc. Some people use the term “DV” loosely to cover this case, but arguably it deserves a term of its own.

…and…

IV (individual validation or identity validation) — Many CAs issue end entity certificates to individuals for email, SSL/TLS client authentication, and other uses, for which the applicant is required to supply some sort of evidence as to their identity (e.g., by presenting themselves in person with a copy of their national identity card). These are commonly referred to as identity-validated or IV certificates.

More formally we can define IV certificates as certificates containing a Common Name (CN) attribute with a value apparently corresponding to an actual named individual, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that value corresponds to the individual identity of the certificate subscriber. Note that some people use “IV” as a synonym for “OV” when referring to certificates issued to organizations. However it’s arguably more clear to use “IV” to refer only to certificates issued to individuals.

Note that an IV certificate could also contain an email address in addition to the individual identity information. Mozilla policy requires that email address to be validated to the same or greater degree as for a AV certificate.

Muffett’s Personal Opinion on the Cyber Volunteer Force

A friend of mine asked me about the UK’s mooted Cybersecurity “volunteer” force; this is approximately how I responded:

The Cyber-Force thing is simultaneously scary, tragic and amusing; Iain Lobban – Director of GCHQ – has been heard to lament that they cannot afford to pay for geeks:

www.techweekeurope.co.uk/news/news-security/gchq-boss-complains-of-cyber-brain-drain-34212

…that essentially they can’t compete with private sector industry for salaries and conditions.

The truth is a little more complex and a little less clear-cut than that.

From my modest experience of the demographic – dating from around 1994 to the present day – the UK defence establishment has subsisted by chewing-up public spirited geeks who were willing to trade shitty pay for unfireable job-security and an index-linked civil service pension from age ~55ish, thence to buy a cottage in Cornwall, or Provence or something.

The unfireable pension opportunity has now evaporated and DERA (the Defence Evaluation and Research Agency) which provided the hinterland of geeks for GCHQ was largely privatised as Qinetiq – significant numbers have left that – plus computing is now sexy again, so suddenly a lot of the UK’s core security expertise is going into private hands.

You know my perspective on “cyber”[1] – that it is a framing of the debate to launder:

  • interception/monitoring/snooping
  • filtering/blocking/censorship
  • public relations/propaganda, and …
  • expansion of state regulation opportunity

…as a necessary new military activity in a new “domain” – the domain of “communications” – which they call “cyber” because calling it communications would be too obviously unmilitary for people to bear.

Not to mention that honesty would sound too “Orwellian”.

However the good manpower is now off earning loadsamoney with either:

  1. “Big Data”, or…
  2. “Silicon Roundabout Startups” – which are sacrosanct because they may save the economy and the DTI is currently behind them.

…and therefore GCHQ are calling for volunteer cyberwarrior do-gooders.

If in one scenario this is not terrifying to normal people then it bloody well ought to be, if only for the example of “LOVEINT” at the NSA:

news.cnet.com/8301-13578_3-57605051-38/nsa-offers-details-on-loveint-thats-spying-on-lovers-exes/

…because if the best-funded cyberagency in the world has significant spy-on-your-ex-lover issues, what the hell will happen when you let loose a bunch of volunteers on the spook-internal databases of the UK?

There would be rather more “snoop on your mate’s ex-girlfriend” than “Edward Snowden” activity, to be sure.

But let’s instead imagine that GCHQ are not fools and that the volunteers are kept at a discreet arm’s length from the datacentre at Cheltenham; what then? Will you have a bunch of volunteers going around to BNFL and setting up firewalls for nuclear power stations? Or trying to hack into the National Grid? I think they’re already equipped.

What will they be doing, and will they actually be any good at it? And whom will they be depriving of a paid job in the interim? Answers: they won’t be sure, not terribly, and possibly themselves.

I’ve spoken with a competition winner from the GCHQ “UK Cyber Champion” contest and it seems that even if they really like you as a person, the public sector does not have the culture to employ creative, individualistic, modern computer people.

So I think they are in trouble; and you can’t justify the budgets if you can’t get the staff.

If I was to suggest a way out for GCHQ and the Government it would be to stop fretting about process so much, stop throwing money at the big defence contractors and instead engage directly with smaller parties in the private sector.

But that will never happen on the scale which it needs to. Alas.


[1] my perspective on cyber: www.slideshare.net/alecmuffett/how-to-think-clearly-about-cybersecurity-v2

The cost of UK Cybercrime was not £27bn – Hansard

Told you so…

Chi Onwurah (Newcastle upon Tyne Central, Labour)

Let us look at cyber-statistics. In answer to my parliamentary question, the Minister put the cost of cybercrime at £27 billion, but that turns out to be a 2010 “guestimate” from defence company Detica. The National Audit Office misused Cambridge university figures, managing to confuse pounds with dollars. We all know that online crime is rising, but the Government rely on outdated third-party figures. Is he surprised that the public do not trust the Government’s efforts to fight cybercrime, given that they clearly cannot even measure it?

Source; also, the Cabinet Office are throwing it under a bus:

I am writing to advise you that following a search of our paper and electronic records, I have established that the information you requested is not held by the Cabinet Office.

The £27 billion per annum figure is not our figure but comes from a BAE Systems/Detica report. We do not hold any information about how this figure was arrived at.

End days for Cyberfear?

Cybersecurity and “Igon Values”

Igon Value Problems: so very, very applicable to politicians and cybernetwork-security…

I will say this about Malcolm Gladwell: I like his writing, which oozes with intellect that enables him to see angles that many people miss. As a golf fan, I thoughtGladwell’s assessment of Tiger Woods versus Phil Mickelson was so spot-on that I printed out Gladwell’s quote and taped it in front of my desk. However, at this point, the record is clear that Gladwell sometimes finds himself speaking and writing about topics that are out of his depth, leading to head-scratchingly elementary mistakes. The most notable is Gladwell’s gaffe with “igon value,” illustrated in a book review by Steven Pinker:

Gladwell frequently holds forth about statistics and psychology, and his lack of technical grounding in these subjects can be jarring. He provides misleading definitions of “homology,” “sagittal plane” and “power law” and quotes an expert speaking about an “igon value” (that’s eigenvalue, a basic concept in linear algebra). In the spirit of Gladwell, who likes to give portentous names to his aperçus, I will call this the Igon Value Problem: when a writer’s education on a topic consists in interviewing an expert, he is apt to offer generalizations that are banal, obtuse or flat wrong.

Malcolm Gladwell, Eclectic Detective [New York Times]

via Ask a Korean!: Culturalism, Gladwell, and Airplane Crashes.

HP Keeps Installing Secret Backdoors in Enterprise Storage # and the best bit is the password they used…

…and a quick Google for 78a7ecf065324604540ad3c41c3bb8fe1d084c50 yields “badg3r5”, which is a really terrible password by any metric

Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would “cripple the cluster,” according to information provided to The Register by an unnamed source.

The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it’s not hard to find: “Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed,” according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public.

The hash hiding the login “is easily brute-forced,” according to Technion, who noted in a later blog that more than 55 users have separately notified him they’d broken the hash. The backdoors are hidden in versions of the LeftHand OS v. 9.0 and higher. They have existed since at least 2009, according to The Register.

via HP Keeps Installing Secret Backdoors in Enterprise Storage.