The Misadventures of Quinxy truths, lies, and everything in between!


Why Certificate Authorities are Stupid


All certificate signing agencies basically do the same thing: they provide a means by which a user browsing a site or using a piece of software can know who is operating the site or writing the software.  Code signing (and signing in general) is a wonderful thing.  I fully believe in it.  But you don't need these centralized commercial entities to provide it.  And I'm just not convinced of the value added by signing authorities which charge a lot of money to (in my view) add only a thin veneer of security.

The vast majority of those applying for certificates are surely entirely legitimate and provide entirely legitimate details.  That means that the vast majority of the certificates that signing authorities give out are entirely valid.  But that's not proof that the system is good.  Surely the effectiveness of security is determined not by those who intend to stay within the law but by those who intend to violate it.  Airport security is not good because it finds no bombs on lawful people; it is only good if it is able to find bombs on unlawful people.  Certificate agencies' version of due diligence is laughable: they generally require nothing more than emailed (or faxed) images of the desired documents.  Could someone submit easily photoshopped documents to a signing authority and have their credentials "validated" such that they get a signing certificate?  Yes, it's been done.  And even if the certified owner was valid at the time the certificate was issued, the security provided to end users (those who are supposed to rely upon the certificates) is fleeting at best; the certificate owner can always move, disconnect their phones, or give the certificate to others.

Now, in no way are these signing authorities radically different from the purveyors of other, more traditional security products.  It's true that we put locks on our houses and secretly know they would keep out only the laziest or stupidest of criminals (lock picking being an easily acquired skill and glass being easily broken), but signing certificates have the potential to be so much better.  The fact that they are not, and that they cost so much while being not so superior to self-signed certificates, frustrates me.  I just wish signing authorities would either do more (require you to show up face-to-face at an office with a passport to be fingerprinted and DNA mapped) or do less (acknowledge how easily they may be deceived and not make you jump through hoops to proffer false 'proof').

But here we are in the land of is...  God bless the industry of false security.

^ Q