cross-posted from: https://infosec.pub/post/6945259
Let’s talk about root certificate management and the EU proposed QWACs.
Steve Gibson of the Security Now podcast weighed in with opposition to the EU’s proposed QWACs certs and cited a few other prominent figures also expressing opposition.
Paraphrasing their concerns, they proposed that mandating a bunch of new CAs introduced more risk and greater opportunity for abuse or compromise. Steve favors fewer CAs, and is also in favor of pruning out most of them, all but 6 or 7.
At the moment, I don’t care for browsers having their own certificate stores, as I would rather use the OS, for which I would use group policy on Windows or an automation tool on Linux.
I am also in favor of pruning out certs, though I’ve never tested that in an enterprise.
Does your organization allow non OS certificate stores?
Does your organization prune out default root certs?
How do you feel about the proposed QWACs?
The real issue with QWACs is the idea that the EU government requires them to be added to web browsers running in the EU. It’s bad enough that France and Germany can issue those certificates, but imagine Erdogan’s government pushing them out.
It’s not like any politician knows how the Internet works and that someone who knows better couldn’t rip those certificates out, but the tyranny of the default means that governments will have more control over EU citizens browsing. That’s not something likely to benefit anyone.
Another thought I had was regarding interception. Anyone with access to root cert can decrypt the data. My understanding was that these certs were supposed to be counter-signing, right?
Otherwise, wouldn’t any government implementing this just be conducting zero-effort surveillance?
> Anyone with access to root cert can decrypt the data
Not directly, no, but it could be combined with other attacks to potentially decrypt your data. Maybe.
The root certificates are used for the primary proof that the server you’re talking to is the server it claims to be. It’s not the only protection so just this alone wouldn’t generally be enough to decrypt anything. Also if your traffic does go to the correct server… then having the root certificate doesn’t allow them to decrypt it.
It’s a complex system and difficult to explain all of it; you really just need to learn how every step of the process works and also how each one can be compromised, to fully understand any of this.
I set up our transparent proxy so we can do interception and IPS. I’m interested/concerned about the ability to use an intermediate CA cert downstream inline somewhere (like a telco) and if regular consumer desktops would alert on that, since their browser would trust the root. We GPO place our intermediate cert in the Windows trusted intermediates. I can’t remember if browsing breaks without doing that.
Not really a concern if there’s other certs/TLS required in addition to the QWACs cert, though.
I got the impression the easier threat/worry was compromise of a nation CA and issuing illicit duplicate site certs, to then spoof a bank site. Still requires traffic redirection with DNS or routing though I think.