[OSM-talk] HTTPS on overpass-api.de
Roland Olbricht
roland.olbricht at gmx.de
Fri Mar 27 05:51:49 UTC 2015
Dear fellow mappers,
a thank you for all that have notified me that the certificate has
expired. I will cater for renewing in the next days. A responsible
handling of technology should also include a security assessment.
I think most users will expect that a SSL certificate will somehow be
secure while an unencrypted connection will be somehow insecure. I would
like to go into detail.
These certificates are issued by certificate authorities (CAs). These
are organizations that earn money with that business. They urgently need
that browser vendors trust them. Browser vendors in turn aren't picky:
there are over 200 CAs installed by default in my (and your) browser.
If any of these organization is breaking bad or makes a mistake then an
arbitrary third person may impersonate overpass-api.de without any
warning or information from the browser. To give you an idea, I would
like to make a comparison: Assume you are ticket conductor in a train
for which not only the operator but 200 other indenpendent companies can
issue valid tickets at will. How probable is it that you can reliably
find each and every fare dodger? Which chances has an average passenger
to figure out whether he has an invalid ticket because of a rogue issuer?
You could argue that an attacker has more to do than just to obtain a
ticket: He must intercept the traffic between browser and the web server
that serves overpass-api.de. The attacker would have the same challenge
for an unencrypted connection. Without much effort, this can and has
been conducted by preinstalled software (e.g. Lenovo [1]), your ISP [2]
or in case of using a WLAN every other user of that same network. I can
also be intercepted by the ISP of the server of an Internet Exchange
[3]. In all these cases, attackers have not only intercepted the traffic
but also provided certificates that are trusted by the browser. There
were exactly zero difference in the security of encrypted and
unencrypted traffic.
To obtain illegit certificates is not only possible for secret services
[2] and makers of dubious software [1] but also for individuals [4]. To
obtain a certificate you must only be able to read an eMail adressed to
an adress like postmaster at overpass-api.de at a point in time chosen by
the attacker. This mail comes over the same way as the later connection
by HTTPS; an attacker must anyway be able to control that access for an
attack. In addition, a couple of undocumented ways to obtain a
certificate may exist: for example, being police or secret service or an
employee of the CA or one time impersonating police or secret service or
an employee of the CA.
The CAs have a commercial interest to keep the state as it is. The other
lever is in the hands of the browser vendors: for them too it is not an
advantage to shorten the list of CAs; every CA may turn out to be a
source of money if the browser manufacturer would need money. In
principle, users could completely reorganise the list of CAs. But in
practice, the vast majority of users won't do or won't do it on all used
computers. One of the strange things to notice is that Firefox refuses
to integrate CAcert which is (like OSM with geodata) the only community
based CA [5].
More security would be possible: in the end this will mean that each
user connects his personal source of trust as a separate piece of
hardware with the computer. It could be a USB stick to boot from or
something analogous to a SIM card.
Contrary to this, Certificate Pinning [6] is pushed. This is a technique
that inherently gives large companies an advantage: you need to make a
contract with the browser vendor such that they take special precautions
for your domain. In practice this means to get through a bureaucracy or
to put money on the table or a combination of both. You can imagine how
prospective this is for OpenStreetMap related websites given the trouble
CAcert has.
In result, this means that I spend money and time to somebody to not
make my users anxious (it's legal, as opposed to [7]). To assure comfort
to the average user, I will do so. But nobody should say that she or he
has not known that there is no real security benefit.
I would like to express thanks to Fefe and the search engine on his blog
(in German) [8].
Best regards,
Roland
[1]:
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
[2]:
http://googleonlinesecurity.blogspot.de/2013/12/further-improving-digital-certificate.html
[3]:
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
[4]:
http://arstechnica.com/security/2015/03/microsoft-takes-4-years-to-recover-privileged-tls-certificate-addresses/
[5]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
[6]:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning
[7]: http://en.wikipedia.org/wiki/Protection_racket
[8]: z.B. http://blog.fefe.de/?q=openstreetmap
More information about the talk
mailing list