What do you think this is?

just thoughts of a restless mind...

SSL certificate revocation gotchas

As you may have heard, Let’s Encrypt announced today that it is revoking a large number of certificates that were issued through a faulty CAA check. Read on for the details, and for how a revoked certificate shows up in practice.

CAA and a faulty process

Certification Authority Authorization, CAA for short, is a DNS record with which a domain owner announces (and limits) which Certification Authorities are authorized to issue certificates for that domain.
Since September 2017, every publicly trusted Certificate Authority has been required to check CAA before issuing, and the check has to be fresh: done at issuance time, or at most a few hours before it (the Baseline Requirements allow up to 8 hours). If, for example, the CAA record for a domain names only Thawte, then only Thawte may issue certificates for that domain and every other Certificate Authority must refuse.

Let’s Encrypt’s CA software had a bug in exactly that re-check. Let’s Encrypt may reuse a successful domain validation for up to 30 days, so at issuance time it re-checks CAA for every name whose validation is older than 8 hours. When a certificate request contained N such names, the software checked one of them N times instead of each of them once, so a CAA record the owner had published for one of the other names after the original validation was silently ignored. The result: Let’s Encrypt announced it would revoke more than 3 million certificates. The window for abuse is narrower than it first sounds. Whoever requested the certificate still had to pass domain validation for every name, so the flaw did not hand a random phisher a certificate for someone else’s subdomain; what it did was let a party who had validated a name within the last 30 days obtain a certificate even after the owner had published a CAA record forbidding Let’s Encrypt, which is precisely the situation CAA exists to prevent.
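
To make the CAA rules concrete, here is an added example of my own (not Let’s Encrypt’s or Boulder’s code): a small evaluator in the style of RFC 8659, run against a constructed in-memory zone instead of live DNS. The names (example.com, shop.example.com, wild.example.com, legacy.example.com, noca.example.net) and their records are made up for the illustration. `recheck_every_name` is the correct pre-issuance re-check; `recheck_one_name_n_times` reproduces the shape of the bug described above.

```python
"""CAA evaluation in the style of RFC 8659 over a constructed zone.
Added illustration; this is not Boulder's (Let's Encrypt's CA software) code."""

from typing import Dict, List, Tuple

# (flags, tag, value) triples.  Flag bit 128 marks a record as "critical".
CaaRecord = Tuple[int, str, str]

# Constructed zone for the example.  An empty list means the name exists
# but carries no CAA records, so the lookup climbs to the parent.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    # Owner moved to another CA and published a CAA record saying so.
    "shop.example.com.": [(0, "issue", "digicert.com")],
    # Wildcards allowed from Let's Encrypt, non-wildcard issuance from nobody.
    "wild.example.com.": [(0, "issuewild", "letsencrypt.org"), (0, "issue", ";")],
    # A critical record with a tag this implementation does not understand.
    "legacy.example.com.": [(128, "future-tag", "whatever")],
    "noca.example.net.": [],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _parent(name: str) -> str:
    """Strip the leftmost label; return "" once the root has been passed."""
    if name == ".":
        return ""
    rest = name.partition(".")[2]
    return rest or "."


def find_relevant_rrset(zone: Dict[str, List[CaaRecord]], name: str) -> List[CaaRecord]:
    """The first non-empty CAA RRset found walking from the name up to the
    root is the one that applies (CNAME/DNAME handling is left out here)."""
    n = name.lower().rstrip(".") + "."
    while n:
        rrset = zone.get(n)
        if rrset:
            return rrset
        n = _parent(n)
    return []


def caa_permits(zone: Dict[str, List[CaaRecord]], name: str, ca_domain: str) -> bool:
    """Return True if CAA allows the CA identified by ca_domain to issue for name."""
    wildcard = name.startswith("*.")
    rrset = find_relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    # A critical record with an unknown tag must cause refusal.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild governs wildcard names when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # RRset present but silent on this kind of issuance
    # Values look like "letsencrypt.org; validationmethods=dns-01"; only the
    # issuer domain before the first ';' identifies the CA.  A bare ";" names
    # no CA at all, i.e. nobody may issue.
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in values)


def recheck_every_name(zone: Dict[str, List[CaaRecord]], names: List[str], ca_domain: str) -> Dict[str, bool]:
    """Correct re-check before issuance: every name in the order is evaluated."""
    return {n: caa_permits(zone, n, ca_domain) for n in names}


def recheck_one_name_n_times(zone: Dict[str, List[CaaRecord]], names: List[str], ca_domain: str) -> Dict[str, bool]:
    """Shape of the 2020 Let's Encrypt bug: with N names to re-check, one name
    was checked N times and the others never, so a CAA record added for one of
    the skipped names after the original validation is not honoured."""
    first = names[0]
    return {first: all(caa_permits(zone, first, ca_domain) for _ in names)}


if __name__ == "__main__":
    order = ["example.com", "shop.example.com"]
    print("correct:", recheck_every_name(ZONE, order, "letsencrypt.org"))
    print("buggy:  ", recheck_one_name_n_times(ZONE, order, "letsencrypt.org"))
```

Run it and the correct re-check refuses the two-name order because shop.example.com now names another CA, while the one-name-N-times variant reports success for the whole order. The evaluator deliberately leaves out iodef reporting, CNAME handling, DNSSEC and real DNS lookups; the climbing, the critical flag and the issue/issuewild precedence are the parts that matter for the incident.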

Browsers and OCSP

You may wonder how anyone knows that a certificate has been revoked. The simple answer is that the browser will tell you.

[Screenshot: Chrome’s warning page for a revoked certificate]

[Screenshot: Firefox’s warning page for a revoked certificate]

And how does the browser know? Through the Online Certificate Status Protocol, OCSP for short: the browser asks the CA’s OCSP responder whether the certificate with a given serial number has been revoked. Many web servers can additionally do OCSP stapling, where the server fetches the CA-signed OCSP response itself and sends it to the browser inside the TLS handshake, so the browser learns the status (including “revoked”) without making a separate request. Stapling has to be enabled per server, so do not assume most servers do it. If no stapled response arrives, what happens depends on the browser: Firefox queries the OCSP responder itself (and generally fails open if it gets no answer), whereas Chrome does not make live OCSP queries for ordinary certificates and relies instead on revocation lists it ships with browser updates. A certificate that carries the OCSP Must-Staple extension tells a browser that honours it (Firefox does) to fail hard when no staple is present.

Certificates in 2020

Certificates and the wider Public Key Infrastructure are of huge importance in 2020. Certificates exist to provide trust and identification, and any flaw in certificate management, such as this one, can have a serious security impact. This does not say much against Let’s Encrypt, a pioneer of automated certificate management: it is not the only Certificate Authority, certainly not the first and won’t be the last to have a certificate-related incident.

In the past, many Certificate Authorities failed to check domain ownership properly (one of the main reasons CAA records exist) or failed to protect their signing keys. So we, as individuals, always have to stay vigilant.

Tagged in : security

Risk understanding and coronavirus

Because of the coronavirus outbreak there are many voices saying that we shouldn’t worry so much, especially if we haven’t even been vaccinated against the flu, which in their view shows a lack of diligence on our part.

That could not be more wrong! People who say that understand ZERO about risk management, and since my social bubble is mostly security and risk management people, I find that very alarming.

Let me explain:

Risk management fundamentals

There are two aspects one needs to understand about risk management: probability and impact. Probability is how likely it is that the consequence will materialize. Impact is the size of the consequence if it does. There are many ways to calculate risk; the simplest and most widely used is a multiplication: Probability x Impact.

There are also two events to evaluate: getting infected, and dying from the infection.

Infection rate of coronavirus and flu

According to the WHO, the transmission mechanisms of coronavirus and flu are similar. The rates differ, though: where one hundred flu patients are expected to infect 13 other people, one hundred coronavirus carriers are expected to infect 22. In risk management terms, infection with coronavirus is significantly more probable.

Lethality of coronavirus and flu

Not only is it more probable to catch the coronavirus, it is also more probable to die of it. Coronavirus infection results in death in about 2.3% of reported cases. Seasonal flu results in death in less than 0.1% of cases.

Simple maths

Now for the probability x impact calculation. We multiply the probabilities of the two events, getting infected (event 1) and dying from the infection (event 2), and for simplicity use 1 as the impact: either you die (1) or you don’t (0). With the figures above, the probability of infection is 22% for coronavirus and 13% for flu, so:

For coronavirus, the risk is 22% x 2.3% x 1 = 0.506%
For seasonal flu, the risk is 13% x 0.1% x 1 = 0.013%

That is roughly 39 times the risk. The ratio is what matters here; the absolute numbers depend heavily on how the inputs are estimated.

If I were interviewing candidates at this time, I would definitely ask them to explain that to me, and I would certainly turn down a candidate who cannot apply a risk management approach to such an important issue.

If you’re hiring security or risk professionals now, I suggest you do the same.

Tagged in : risk management