[OSM-talk] HTTPS on overpass-api.de

Fri Mar 27 05:51:49 UTC 2015

Dear fellow mappers,

a thank you for all that have notified me that the certificate has 
expired. I will cater for renewing in the next days. A responsible 
handling of technology should also include a security assessment.

I think most users will expect that a SSL certificate will somehow be 
secure while an unencrypted connection will be somehow insecure. I would 
like to go into detail.

These certificates are issued by certificate authorities (CAs). These 
are organizations that earn money with that business. They urgently need 
that browser vendors trust them. Browser vendors in turn aren't picky: 
there are over 200 CAs installed by default in my (and your) browser.

If any of these organization is breaking bad or makes a mistake then an 
arbitrary third person may impersonate overpass-api.de without any 
warning or information from the browser. To give you an idea, I would 
like to make a comparison: Assume you are ticket conductor in a train 
for which not only the operator but 200 other indenpendent companies can 
issue valid tickets at will. How probable is it that you can reliably 
find each and every fare dodger? Which chances has an average passenger 
to figure out whether he has an invalid ticket because of a rogue issuer?

You could argue that an attacker has more to do than just to obtain a 
ticket: He must intercept the traffic between browser and the web server 
that serves overpass-api.de. The attacker would have the same challenge 
for an unencrypted connection. Without much effort, this can and has 
been conducted by preinstalled software (e.g. Lenovo [1]), your ISP [2] 
or in case of using a WLAN every other user of that same network. I can 
also be intercepted by the ISP of the server of an Internet Exchange 
[3]. In all these cases, attackers have not only intercepted the traffic 
but also provided certificates that are trusted by the browser. There 
were exactly zero difference in the security of encrypted and 
unencrypted traffic.

To obtain illegit certificates is not only possible for secret services 
[2] and makers of dubious software [1] but also for individuals [4]. To 
obtain a certificate you must only be able to read an eMail adressed to 
an adress like postmaster at overpass-api.de at a point in time chosen by 
the attacker. This mail comes over the same way as the later connection 
by HTTPS; an attacker must anyway be able to control that access for an 
attack. In addition, a couple of undocumented ways to obtain a 
certificate may exist: for example, being police or secret service or an 
employee of the CA or one time impersonating police or secret service or 
an employee of the CA.

The CAs have a commercial interest to keep the state as it is. The other 
lever is in the hands of the browser vendors: for them too it is not an 
advantage to shorten the list of CAs; every CA may turn out to be a 
source of money if the browser manufacturer would need money. In 
principle, users could completely reorganise the list of CAs. But in 
practice, the vast majority of users won't do or won't do it on all used 
computers. One of the strange things to notice is that Firefox refuses 
to integrate CAcert which is (like OSM with geodata) the only community 
based CA [5].

More security would be possible: in the end this will mean that each 
user connects his personal source of trust as a separate piece of 
hardware with the computer. It could be a USB stick to boot from or 
something analogous to a SIM card.

Contrary to this, Certificate Pinning [6] is pushed. This is a technique 
that inherently gives large companies an advantage: you need to make a 
contract with the browser vendor such that they take special precautions 
for your domain. In practice this means to get through a bureaucracy or 
to put money on the table or a combination of both. You can imagine how 
prospective this is for OpenStreetMap related websites given the trouble 
CAcert has.

In result, this means that I spend money and time to somebody to not 
make my users anxious (it's legal, as opposed to [7]). To assure comfort 
to the average user, I will do so. But nobody should say that she or he 
has not known that there is no real security benefit.

I would like to express thanks to Fefe and the search engine on his blog 
(in German) [8].

Best regards,

Roland

[1]: 
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
[2]: 
http://googleonlinesecurity.blogspot.de/2013/12/further-improving-digital-certificate.html
[3]: 
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
[4]: 
http://arstechnica.com/security/2015/03/microsoft-takes-4-years-to-recover-privileged-tls-certificate-addresses/
[5]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
[6]: 
http://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning
[7]: http://en.wikipedia.org/wiki/Protection_racket
[8]: z.B. http://blog.fefe.de/?q=openstreetmap