I know that for most people this is not going to be very interesting, but my current job is teaching me that it's always a good idea to help people learn from your own mistakes, especially so if you let others comment on said mistakes to see what you could have done better. So here goes.
Let me start by saying that I'm an idiot. Last month I was clever enough to update the certificate for xine-project, which was about to expire. Unfortunately, I wasn't clever enough to notice that the rest of my certificates were going to expire at more or less the same time. Nor did I remember that my StartSSL verification was expiring, as last year I was in the US when that happened, and I had some trouble because my usual Italian phone number was unavailable. I actually got a notification that my certificate was about to expire while I was in London last week. I promised myself to act on it as soon as I got home to Dublin, but of course I ended up forgetting about it.
And then this morning came, when I got notified via Twitter that my blog's certificate had expired. And then the panic. I'm not in Dublin; I'm not in Ireland; I'm not even in Europe. I'm in Washington, DC at LISA '13, without either my Italian or US phone number, without my client certificate (which was restricted to my Dell laptop, which is sitting in my living room in Dublin), and of course no longer living in Italy!
Thankfully, the StartSSL support staff are great guys, and while they couldn't immediately re-verify me for Class 2 as I was before, I got far enough to be able to get new Class 1 certificates and to start the process for Class 2 re-verification. Unfortunately, Class 1 means that I can't have multiple hostnames on one certificate, or wildcard certificates. So I decided to bite the bullet and go with SNI certificates, which basically means that each vhost now has its own certificate. Which is fine, just a bit more convoluted to set up, as I had to create a number of Certificate Signing Requests (CSRs), since letting StartSSL generate the keys as 4096-bit SHA-256 RSA takes a very long time.
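The per-vhost CSR route described above, as an added example that is not part of the original post: the private key is generated locally with OpenSSL and never leaves the server, and only the CSR (which carries just the public key and the hostname) is pasted into the CA's interface. The hostname, output directory and the use of a bare CN (no SAN list, since each SNI vhost gets its own certificate) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 4096-bit RSA key
# locally and a SHA-256 CSR for a single SNI vhost. Hostnames and the output
# directory are assumptions.
set -e

# make_csr DIR HOSTNAME
# Writes DIR/HOSTNAME.key (readable only by the owner) and DIR/HOSTNAME.csr,
# then checks that the CSR's self-signature verifies and that the public key
# inside the CSR really belongs to the key we just generated.
make_csr() {
    dir=$1
    host=$2
    key="$dir/$host.key"
    csr="$dir/$host.csr"

    # The private key never leaves this machine; restrict permissions before
    # anything is written into the file.
    umask 077
    openssl genrsa -out "$key" 4096 2>/dev/null

    # One CSR per hostname: with SNI every vhost presents its own certificate,
    # so the CN is the only name needed (no SAN list, no wildcard).
    openssl req -new -sha256 -key "$key" -out "$csr" -subj "/CN=$host"

    # Sanity checks: the CSR is internally consistent, and the modulus in the
    # CSR matches the modulus of our private key.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    csr_mod=$(openssl req -in "$csr" -noout -modulus)
    [ "$key_mod" = "$csr_mod" ]
}

# csr_signature_alg FILE: the algorithm the CSR was signed with
# (expected: sha256WithRSAEncryption, i.e. a SHA-256 CSR as the post describes)
csr_signature_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_key_bits FILE: the RSA key length recorded in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
```

What gets submitted to the CA is only the `.csr` file; the `.key` stays on the server that will terminate TLS for that vhost. The modulus comparison at the end is the cheap way to catch the classic mistake of pairing a certificate with the wrong key after several vhosts have been processed in a hurry.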
Unfortunately, SNI means that there are a few people who won't be able to access my blog any more, although most of them were already disallowed from commenting by my ModSecurity Ruleset, as they would be on Windows XP with Internet Explorer (any version; my ruleset only stopped IE6 from commenting). There will probably also be issues for people stuck with Android 2 and its default browser. I'm sorry for you guys; I think Opera Mobile would work fine there, but feel free to scream at me if that's the case.
Unfortunately, there seems to be trouble with Firefox and Safari at this point: both browsers enabled OCSP by default quite a while ago, but newly minted certificates from StartSSL fail the OCSP check for a few hours. There also seems to be an issue with Firefox on Android, where either SNI is not supported or it's the same OCSP problem producing a different error message; I'm not sure which. Chrome, Safari on iOS and Opera all work fine.
What still needs to be found out is whether Planet Gentoo and NewsBlur will handle this properly. I'm not sure yet, but I'm sure I'll find out pretty soon. Some offline RSS readers might also not support SNI — if that's the case, rather than just complaining to me, let upstream know that they are broken; I'm sure somebody is going to have good fun with that.
Before somebody points out that I should have alerts for certificate expiration: yes, I know. I used to have them set up on the Icinga instance used by my previous employer, but since then I haven't set up anything new for that. I'm starting to do so as we speak, by building Icinga for my Puppetmaster host. I'm also going to note on my calendar to update the certificates before they expire, given the OCSP problem noted above.
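The expiry alert mentioned above, as an added example that is not part of the original post: a minimal check of the kind an Icinga/Nagios plugin runs, built on `openssl x509 -checkend`, which exits non-zero when the certificate's notAfter falls within the given number of seconds. The warning threshold and file paths are assumptions, and `make_test_cert` produces a throw-away self-signed certificate only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): certificate-expiry check in the
# style of a Nagios/Icinga plugin. Paths and thresholds are assumptions.
set -e

# make_test_cert FILE DAYS: test fixture only; a self-signed certificate valid
# for DAYS days, so the check below can be run without a real certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=expiry-test.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# cert_expires_within FILE DAYS: exit 0 if notAfter is within DAYS days from
# now (renewal is due), 1 if the certificate stays valid beyond that window.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    else
        return 0   # expires inside the window: alert
    fi
}

# cert_status FILE WARN_DAYS: print OK / WARNING / CRITICAL.
# CRITICAL if already expired (fails even a zero-second checkend),
# WARNING if it expires within WARN_DAYS, OK otherwise. Renewing at WARNING
# time leaves a few days for the CA's OCSP responder to learn about the new
# certificate before the old one stops working.
cert_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "CRITICAL"
    elif cert_expires_within "$1" "$2"; then
        echo "WARNING"
    else
        echo "OK"
    fi
}

# check_certs WARN_DAYS FILE...: one status line per certificate, for a cron
# job or a plugin wrapper to feed into the monitoring system.
check_certs() {
    warn=$1
    shift
    for f in "$@"; do
        printf '%s %s %s\n' "$(cert_status "$f" "$warn")" "$f" \
            "$(openssl x509 -in "$f" -noout -enddate)"
    done
}
```

With one certificate per SNI vhost there is one file per hostname to watch, so the loop in `check_certs` is the whole job; the 30-day warning window the test uses is a conventional choice, not something the post specifies.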
Questions and comments are definitely welcome, suggestions on how to make things better are too, and if you use Flattr remember to use your email address, as good suggestions will be rewarded!
What do you mean by “StartSSL generate the keys as 4096 bit SHA-256 RSA takes a very long time”? Did StartSSL really generate your private keys?
Yeah — for what I care about, I don't mind if my SSL CA has my keys, as it's securing **my own login** on the blog; everything else is already public, posts and comments, so if it was easier to generate key and certificate at once I'd do that. I do it differently for things that require more safety. And I'm looking into CACert as an alternative if they complete their audit and get added to Firefox/Chrome/Android.
You could have generated the private key yourself in seconds with certtool or something similar. Letting StartSSL do this for you is just dumb. Now government institutions in Israel can log into your blog and track all users on your website (even if you don't care about them).
Generating them with OpenSSL is exactly what I ended up doing. Yes, it is definitely faster, and it is a tad more secure. But on the other hand, if you just start with the idea that it makes any difference in case the Israelis were to target my blog (why would they?), you're not doing a really good job at assessing risks. The Class 1 certificates I'm using carry no information about who I really am; the Class 2 did. Can you really be sure it was me changing the certificate? If any government with access to a trusted CA (and we know of at least the US and China being good at that) wanted to spy on my blog, they could just MITM and replace the certificate with a different one. Besides, CACert also generates the keys on the fly by default.
As far as I know, CACert doesn't and never did generate private keys for users (I can double-check this with CACert developers I know if you want). Also, a recent press release states something else. I agree that the PKIX trust model is completely broken. However, Certificate Patrol can detect certificate changes and thus would have prevented the attack you described (forcing the CA to issue a certificate to the government for your site), but you can extend the attack in such a way that they also wrote a new blog post saying that you accidentally deleted your private key and had to create a new one, which I wouldn't be able to verify, and I'd have to a) contact you over a secure channel to verify this, b) assume that the Israeli government started a MITM attack against me and never visit your site again, or c) believe the post and be a victim of a MITM attack by the Israeli government. So yes, the only way to know that the data sent over a TLS connection from your server to me is to meet you in person or talk to you over a secure channel to verify the public key of your server, and assume that the private key has not been compromised or that you didn't lie to me. But letting StartSSL generate your private key will make a MITM attack almost effortless and, unless you disclose that StartSSL generated and thus has your private key, the attacker will run absolutely no risk of being detected. Also, I don't understand whether you let StartSSL generate the private key for the certificate or not. You said “StartSSL generate the keys as 4096 bit SHA-256 RSA takes a very long time.”, “Yeah” and “Generating them with OpenSSL is exactly what I ended up doing”. I'm not a native speaker, so perhaps you can clarify whether you generated the private key with OpenSSL on your computer or whether StartSSL generated the private key on one of their computers.
It does not help that you don't give a name, you know. Especially because I don't like dealing with paranoids who seem to be persecuted by the Israeli government on my blog. The keys for all my websites are at the moment generated on the same servers as they are used. I *tried* using StartSSL as I was in a hurry and it took too long, so I decided to go the longer way and use a CSR instead.