After Jacob outed the compromise at one of Comodo's resellers, I decided to see how I could best secure my browser when it comes to TLS. This is important given how fundamental TLS is to our daily online activities. The advice I currently recommend and have implemented myself in Firefox 4 consists of:
- Install HTTPS-Everywhere
- Reducing the number of trusted root CA certificates to the most frequently used
- Forcing OCSP revocation checks
- Monitoring for certificate changes
Install HTTPS Everywhere
You need a reason to engage in all this hard work. Install the EFF's HTTPS-Everywhere add-on which will automatically redirect you to encrypted version of many popular websites. Blanket rules for doing this tend to break things, and the EFF has put some good work into making this usable. Everyone should have it installed.
Reducing the Trusted Roots
Qualys SSL labs, and the EFF SSL Observatory both have data sets which identify the top root certificates in use across the internet. The interesting finding their research highlights is that the top 10 root certificates (note, some CAs have multiple root certificates) account for over 90% of the Internet. This means we can safely cut his number down from the nearly 200 currently in Firefox to 24. I'll be publishing a more detailed analysis on SensePost's blog, but in the meantime, the 24 most commonly used I went for (which accounts for approximately 98% of all certificates is use) are:
- AddTrust External CA Root
- COMODO Certificate Authority
- AAA Certifice Services
- DigiCert High Assurance EV Root CA
- Entrust.net Secure Server Certification Authority
- Entrust.net Certification Authority (2048)
- Equifax Secure CA
- Equifax Secure Global eBusiness CA-1
- GeoTrust Global CA
- GlobalSign Root CA
- GTE CyberTrust Global Root
- Network Solutions Certificate Authority
- SecureTrust CA
- StarField Class 2 CA
- StartCom Certification Authority
- Thawte Server CA
- Thawte Premium Server CA
- thawte Primary Root CA
- Go Daddy Class 2 CA
- http://www.valicert.com/ (Class 2 Policy Validation)
- Verisign Class 3 Public Primary Certification Authority - G5
- Verisign Class 3 Public Primary Certification Authority
- Verisign Class 3 Public Primary Certification Authority - G2
Note that these are specific certs, not CAs. You can manually configure these in Firefox by going to Preferences->Advanced->Encryption->View Certificates and manually editing the trust for every certificate. This is a pretty tedious process, and so you can rather download the preconfigured certificate database from me here (SHA 512: e184e5750ccab4b9ea6ef4d67e813fcdbe8515ac9aafc9ded1fa27eb59c8bfe111cba5d424d33721f830b2d2b5ff3a388a4885502a93f6d805041ecbcaf31c05). This will overwrite any existing certificates you may have trusted or imported, so I'd recommend you do it on a new clean profile. Just copy it into your Firefox profile directory. A profile directory is usually several random alphanumeric characters followed by the profile name e.g. xxxxxxxx.default. On different operating systems the file should be placed in:
- OSX ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/cert8.db
- Windows %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\cert8.db
- Linux ~/.mozilla/firefox/xxxxxxxx.default/cert8.db
Forcing OCSP verification Checks
There are two ways for your browser to check whether a certificate, validly signed by a certificate authority, has been revoked. The first is to check the CRLs embedded in a certificate, and the second is to do a dynamic lookup over the Online Certificate Status Check Protocol (OCSP) (one can also subscribe to CRL lists, but this is currently an onerous and complete process). By default this is not forced each time, and must be enabled
by manually toggling the option in about:config through a config option. The trade off is that the OCSP provider can see what sites you are visiting. If you're being surveilled you may not want to do this, but for your average user it may be worth it given the current compromises.
To do this:
Type "about:config" in your URL bar Click "I'll be careful I promise" when you see the warning Add a new Boolean key named security.OCSP.require Ensure the value is set to "true"
- Navigate to Preferences->Advanced->Encryption->Validation
- Select both checkboxes referring to using an OCSP server, and marking failed validations as invalid
- Choose the first radio button about using OCSP if a cert specifies it (hopefully a trusted entity will run a decent OCSP server we can validate all certs against soon)
Monitoring for Certificate Changes
Your browser now provides a little more certainty that you can trust the random certificate it has been presented, however, it is still useful to know when a certificate has changed. This will give an indication that either a validly signed certificate is being used in a man in the middle attack, as is the case with some lawful intercept products, or as in the case of Comodogate. For example, my use of certificates on this website has nothing to do with valid signatures and relies on the fact that the exact same certificate that I trust is in use. For this monitoring I used to use Petnames, however, this has not been updated for Firefox 4, and so I found Certificate Patrol (thanks Ivan). This too is not compatible with the final release of Firefox 4, however, it is with a beta, and so
disabling Firefox add-on compatibility checking using the add-on compatibility reporter will allow it to be installed.
What Certificate Patrol does when you first visit a site and are presented with a certificate, is to display a pop-up showing the certificates details. This forces you to actually evaluate the certificate for common-sense indicators e.g. is it assigned to the company it should be or "Iranian Secret Police". The really useful feature however, is when you next visit the site, it will check that the certificate is the same as seen before, and if there is a mismatch (i.e. the certificate has changed) it will warn you. Thus, for example, if you are in a wireless hot-spot and find you get a "certificate changed" warning on every SSL site you visit, that's a clear indication that someone is intercepting your traffic. If you get it on your banking website with no warning, it should make you look for an announcement from the bank about it, and if not, ask them for one.
To disable add-on compatibility checking and install Certificate Patrol, do the following:
Got to about:config as described in the previous section Find the key named extensions.checkCompatibility.4.0 Toggle the value to false
- Install the "Add-on compatibility reporter" to allow you to install & report on plugins not yet marked as compatible with FF4
- Navigate to the Certificate Patrol page, and click "Download Now"
- Restart Firefox when prompted
Update: Updated to avoid about:config changes.
Update II: Added SHA sum of cert trust DB and fixed some spelling.
Update III: Referenced perspectives