Have you heard about the Vault 8 stuff?  If you haven’t, Vault 8 is a new repository at Wikileaks for US Intelligence software tools.  One particularly interesting thing they put out there is Hive — I’ll warn you that I haven’t gone through it with a fine-toothed comb or anything, but one of the things folks are noticing is that it contains a mechanism to use fraudulent Kaspersky certificates, issued by Thawte, to aid in exfiltration.

That’s interesting on it’s own, and I feel bad for Kaspersky because they’re already struggling to get out from under the bus…  but really for me it’s a bit of “last straw” for Thawte and maybe all the CA’s-that-were-formerly-Symantec on the whole.  Yes, I know this is just one instance of one bogus cert… but it seems like every time I read about certificate problems, Thawte has something to do with it.  I never really unpacked the data (until now), and I think Thawte is reflected disproportionately high.  I’ll explain what I mean, but first let’s tee it up.

First, you probably recall that I’ve been griping on this blog about the public PKI security model.  I did it when WoSign got the boot from the last of the browser trusted root stores, I did it again to comment on the meteoric rise of Let’sEncrypt (arguing that the economics of public CA’s support this) and then again when Google announced plans to pull HPKP out of Chrome (it didn’t address the root issue anyway and it’s better done at a different level of the stack).  Anyway, you’ve probably noticed I’ve been beating a drum that the public PKI model is broken.  I’m not the first to say that of course.  That said, I flatter myself that I’m maybe early to the table in trying to unpack the specific microeconomic reasons why.  Maybe others are out there researching that and I just don’t know about it.  If somebody knows of formal research in this area, I would greatly appreciate you telling me about it.

Anyway, I’ve explained why the case is what it is, so I’ll spare you going through it again (if you’re really interested, the Let’sEncrypt link I referenced above will go through it in more detail).  Just trust me when I tell you that the economics favor overall reduction in the security of certificate issuance processes over time.  You can take it to the bank.  It likewise frustrates me that nobody seems to care.  I promise you, this is every bit as big a problem as something like EternalBlue — it’s arguably worse because it facilitates targeted, stealth attacks against pretty much whomever.  No, there’s no “zombie apocalypse” scenario like WannaCry that originates from the PKI problem.  It’s more subtle, which I’d argue is worse.  So we know two things: 1) the rigor of certificate issuance processes and security measures will erode over time.  2) As they do so, the probability of bogus certs will tend to increase.  In fact, if you’ve been paying attention, you can see it at work right now.

A decade ago, it was unusual to hear about bogus certs.  Not that they couldn’t happen or anything, just that it was rare.  Remember DigiNotar?  The reason you remember it – and the reason that CA no longer exists today – is precisely because it was so unusual for fraudulent certificates to be issued.  Now?  It’s just something that happens.  Which gets me back to Thawte.  A while back, some enterprising researchers published a paper called “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI”.  It’s a good paper.  I recommend you go read it.   The reason I think the work they did is so valuable though is that they didn’t just analyze the problem, but they also published the supporting data and CA information.  It contains a list of compromised code signing certificates.  Which, should one be interested in doing so, one can import into Excel and do a comparative analysis of which CA’s are there, and compare that to the marketshare of certificates they issue.  In fact, I did that this morning.

Here’s what I found out.  Thawte, as you might know, was owned by Symantec as of last year.  Symantec sold it off in large part probably because Google decided to pull it out of Chrome.  Now, Thawte specifically represents just about 1.8% of the marketshare.  I base that on Symantec as a group (I’m calling it that even though it’s sold because that’s how the source data refers to it) having 13% marketshare and Thawte being 14.2 percent of the Symantec group.  That’s generous, by the way since the “marketshare” number is different from the “absolute usage” number.  If you use absolute usage, Thawte comes in at .07%.  Now hold that number in your head.  If you then look at the issuers on the signed malware list, what is the population of Thawte certs specifically?  Just about 40% (37.7).  If you include all the CA’s that were formerly Symantec?  74%.

Now, it bears saying that this is not really a systematic or scientific analysis.  There are a few reasons why.  First, and most obviously, these are code signing certs not server certs.  We can posit that there’s maybe a correlation for marketshare between the two groups, but it’s highly spurious to the point that I wouldn’t bet on it.  Second, I don’t know the methodology for why they picked the CA’s they did for the signed malware stuff.  So those things could skew the population, and thereby the integrity of the above.   That said, I do think one can reasonably conclude a few things.  First, I think we can surmise that Google was right to drop these.  Second, we can safely say that Symantec was probably pretty smart to unload them.

It likewise opens a few questions. One is the question of why Google is on its own in supporting these.  I haven’t heard yet that others are dropping these CA’s – maybe they are and I just missed it.  The second is whether the properties that were Symantec conform to the CAB minimum baseline.  If they don’t, it’s a problem because you’d expect browser (and OS) vendors to use it — because that’s the purpose.  More importantly, it’s pretty much the last line of defense and underpins the whole of the PKI ecosystem.  If they do adhere to the baseline, it makes me wonder about their utility — like whether the bar is high enough.  Either way, it isn’t good.  Practitioners need to pay attention to this.