Thales Blog

PKI Is Dead. Again. Apparently.

April 13, 2011

Over the past few weeks, we’ve seen a few blows to some of the world’s larger certificate-based security systems. The noise still hadn’t settled around Stuxnet, with its stolen signing key vector, when the Comodo affair came to light, and not long after that a long list of breach disclosures started coming out as a result of the Epsilon incident.

Such events inevitably attract comment, and in the past couple of weeks we’ve seen more than the usual spread of ‘PKI is dead’ stories. One commentator was moved to say “PKI's days as we know it are truly numbered.” In related news, others are saying “How is SSL hopelessly broken? Let us count the ways”.

However, all of this commentary is rather misdirected. SSL is not hopelessly broken and neither is PKI.

All of these stories focus on higher-level or application issues: broken browsers, compromised trusted agents or poorly implemented policy. I agree with everything they say, and have been saying the same things for years, _except_ that the conclusions they draw are wrong. SSL is not broken. It’s HTTPS and browser security models that are. PKI is not dead, it’s just taking the flak for poorly thought-out and overly powerful public CA systems in certain high-visibility applications of PKI...

As part of my talk and others at the Key Management Summit a couple of weeks ago, we discussed how the huge Internet CA registries make it very hard to trust everyone: one mistake spoils it for everyone (whether that’s Comodo for SSL or Realtek for code signing). I’ve always had a hard time working out how we put the same levels of trust and diligence into verifying the name of a website as we might do into verifying code installer packages. And why the default list of authorities and ciphersuites is what it is in most browsers boggles the mind.

Quite ironically, this is not “PKI as we know it”. It’s specifically PKI as we _don’t_ know it that is the problem. Everything that is done to hide the fact that these large public systems are a PKI, and to dress them up as somehow simple, leads to further opportunities for exploitation by attackers who _do_ know what they’re dealing with.

In the right hands, PKI remains a valuable, powerful and secure model. We may well need a new model for Joe Public Internet security, but let’s not throw the baby out with the bathwater.