Why browsers differ on Web sites' safety

The Comodo security breach shows that each major browser maker ships a different list of master keys to Web authentication and that each creates its list in a different way.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

For all the tens of billions of dollars a year spent on Internet security a year, on everything from antivirus software to intrusion prevention, there's one component that's vital but remains obscure: which Web sites browsers decide to trust.

Each of the major browser makers has compiled a different list of who possesses the master keys to Web authentication--namely, who can be trusted to issue the secure digital certificates to create encrypted channels--and each has different procedures for approval. A closed lock icon typically appears in a browser and an "https://" connection is displayed when a Web site is deemed legitimate.

The flaws in this system were thrown into sharp relief by last week's revelation that a hacker traced to Iran obtained fake digital certificates for Google, Yahoo, Microsoft, and other companies. Comodo, a Jersey City, N.J.-based firm, said it revoked the nine certificates as soon as it discovered the breach in a business partner's systems.

Today's system gives browser makers tremendous responsibility. Any list of so-called certificate authorities they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings. The surprise is, perhaps, that the lists of who's trusted aren't the same.

"Microsoft appears to generally trust a much larger set of certificate authorities than Mozilla does," says Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation. "That may be because Microsoft's criteria are easier to meet in practice, or because certificate authorities prioritize getting onto Microsoft's list first."

Mozilla ships Firefox with a list of about 150 trusted certificate authorities. The list included with Microsoft Windows, used by Internet Explorer, totals 321 as of last week.

Opera includes only 37. Apple's OS X operating system, which Safari relies on, trusts 79 certificate authorities. Google says Chrome uses the Windows or OS X lists; Google Checkout trusts 168. (See CNET's spreadsheet with comparisons.)

It's difficult to compare those numbers directly, though, because some certificate authorities are counted multiple times. VeriSign appears 55 times in Microsoft's list based on different types of products offered but only once in Opera's, for instance.

Microsoft explicitly trusts more government-operated certificate authorities than any other browser maker. The list includes: Brazil, Hong Kong, India, Japan, Latvia, Lithuania, Serbia, Slovenia, the United States, Tunisia, Turkey, Uruguay, and Venezuela.

Another complicating factor is that some browsers download updated lists of "root" certificate authorities as needed.

Opera's default "list starts out with a limited number of frequently used certificates," says Yngve Pettersen, a senior developer at Opera Software in Oslo, Norway. "The remainder are downloaded as needed from certs.opera.com when the user actually visits a site issued from a root...We pre-ship some roots and also some intermediates, while others are downloaded dynamically."

What makes the list of trusted certificate authorities crucial is that each possesses the master keys to Web authentication. Companies like Etisalat, a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices, can generate certificates that can be used to impersonate any secure Web site on the Internet. So do more than 100 German universities, the U.S. Department of Homeland Security, and random organizations like the Gemini Observatory, which operates a pair of 8.1-meter-diameter telescopes in Hawaii and Chile.

A fraudulent certificate would allow a network provider (or a government) to use what's known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities on those Web sites, even if browsers show that the connections were securely protected with SSL encryption. And in the last few years, plenty of other techniques have emerged to trick computers into visiting fake Web sites even without control of the network.

Microsoft says it included the Tunisian government as a trusted certificate authority after it went through the normal application process.

"Microsoft requires that certificate authorities applying to the program provide standardized information," says Bruce Cowper, Microsoft's group manager for trustworthy computing. Tunisia applied in 2006, he said, and its certificate was distributed in February 2007. Venezuela applied in September 2010, and was approved a month later.

Cowper declined to provide information about how many companies, organizations, or governments have failed to pass muster, saying "Microsoft does not share specific information about denied applications, but we do reject applications from certificate authorities who don't meet our criteria (or) fall into one of the named exclusions from the program." Microsoft's specifications say that any certificate authority that fails an audit, for instance, will be given the boot.

If a certificate authority "isn't in our list it is either because they have not asked to be included, or have not yet been approved," says Opera's Pettersen. "So far, I don't think we have refused any certificate authorities that have applied." Neither Tunisia nor Venezuela have sent Opera an application to be included, he said.

Neither Apple nor Comodo responded to requests for comment.

While both Microsoft and Opera make their criteria public, Mozilla goes further and even makes the list of pending applications public. Those include a certificate authority operated government of the Valencia region of Spain and Deutscher Sparkassen Verlag GmbH, the world's largest smartcard provider.

As a result of the Comodo breach (Comodo is currently trusted by all the major browsers), there's been talk among Mozilla developers of imposing what amounts to the Internet death penalty: revoking the company's certificate authority, at least until a security audit is performed, from the default Firefox configuration.

Lending ammunition to critics is that this is not the first time that Comodo has experienced a serious security breach. In 2008, a reseller issued an improperly acquired certificate for Mozilla.org.

And Comodo's chief technology officer, Robin Alden, wrote in February 2010 that, before issuing a certificate, "Comodo performs an automated check of domain control by sending (and confirming receipt of) an email to an address which is either on the domain to be validated or is explicitly mentioned in the Whois entry."

That apparently wasn't done when a Comodo business partner issued those fraudulent certificates earlier this month. Comodo declined to answer questions that CNET posed last week, including the identity of its reseller, what current audits were performed, and how much authority it delegates to partners.

Elinor Mills contributed to this report