You security people may write great crypto, but you have some serious communications problems.
I recently updated my certificate at pamelaproject.com, and got the following error message upon attempting to commit code to subversion:
Being the owner of the domain, I know a few things:
- If the subversion client had bothered to use PKI to validate this certificate, they would not be giving me this warning, because this certificate was issued by a trusted authority. I know because I paid for it.
- Since this subversion client never automatically validates the issuer of any certificate, the error message shown here is utterly misleading. A more accurate error message would be to note that the certificate has changed; I doubt the software was doing anything that would warrant a stronger assertion.
Still, I wondered — what would I do if this message popped up on the screen, and I actually took it seriously?
According to the security message, I should manually validate the fingerprint of the certificate before continuing. How hard could it be to (a) find out what that actually meant, (b) learn how to do it, and (c) actually verify my own certificate?
Plan A: Hit the “help” button
I clicked on the oh-so-convenient help button in netbeans. It didn’t tell me how to be secure, it simply told me the different ways in which I could make the error page go away. This gave me no satisfaction on points a, b, or c.
Plan B: Google it
I searched for combinations of ‘validate certificate fingerprint manually’. The first hit was google asserting its own specific certificate fingerprint – didn’t help. The next 6 pages of hits were various combinations of people asking for help or expressing frustration at this message. I didn’t read all of these, but of the ones I did read, the answer given was to the wrong question. People were advised on how to make the error screen go away, not how to ensure that the error was unfounded.
So far, I still couldn’t even answer the simple question of what it means to manually validate a fingerprint. Finally, deep in the search results, I found this:
Buried in the page was this paragraph:
…the key should be authenticated manually by contacting the CA administrator and comparing the fingerprints of the certificate.
This was the closest thing I have found to an explanation of what would have to happen in order for me to reach my goal. It seems that I would have to contact the site admin, and have them tell me the actual fingerprint of the actual certificate so that I could visually confirm that the fingerprint shown in the error message was the same as the fingerprint of the site.
Luckily in this case I am the site admin. It’s hard to imagine that many people would refrain from using their subversion client for the time it would take to identify and communicate with a site owner. I also wonder whether, if you were actually the target of a MITM attack, this means that DNS is poisoned and you couldn’t actually trust either email or the same domain’s website page with a phone number.
Not that we’re done yet: How many site owners would know how to generate a fingerprint from their certificate in order to satisfy a request from a user? A bunch more searching got me to the point where I could generate an MD5 fingerprint with this command:
$ openssl x509 -noout -fingerprint -in cert.pub
MD5 Fingerprint=0D:89:07:D6:4F:BC:84:2E:2E:14:C2:DA:D4:3B:D5:7C
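What the openssl command above actually computes is a hash over the certificate's DER bytes (the base64 body between the PEM markers), and the "manual validation" the warning asks for is a comparison of that hash against the one shown in the dialog. The script below is an added example, not code from the original post or from subversion or openssl: it derives MD5, SHA-1 and SHA-256 fingerprints from a PEM file the way `openssl x509 -fingerprint` does, and compares the result with a fingerprint pasted from a client warning, tolerating the label, colons and case differences a user would carry over. The PEM body used here is a constructed stand-in (a few bytes, not a real certificate) so that the script runs offline; the hashing is identical for a real certificate.

```python
"""Compute X.509 certificate fingerprints from a PEM file and compare them
with the fingerprint shown in a client warning.

A fingerprint is just a hash of the certificate's DER encoding, i.e. the
base64-decoded bytes between the BEGIN/END markers.  This is what
`openssl x509 -noout -fingerprint` prints (MD5 on old builds, SHA-1 by
default on newer ones; pass -sha256 there for the SHA-256 form).
"""
import base64
import hashlib
import hmac
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample: the body is base64("abc"), NOT a real certificate.
# A real certificate's body would be a long base64-encoded ASN.1 SEQUENCE,
# but it is hashed in exactly the same way.
SAMPLE_PEM = PEM_HEADER + "\nYWJj\n" + PEM_FOOTER + "\n"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in PEM text."""
    match = re.search(
        re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem_text, re.S
    )
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks / whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, openssl style."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def normalize(shown: str) -> str:
    """Canonicalise a fingerprint as a user might paste it from a dialog:
    strip a leading 'MD5 Fingerprint=' style label (done first, because the
    label itself contains hex letters), then colons, spaces and case."""
    value = shown.split("=", 1)[-1]
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


def matches(pem_text: str, shown: str, algorithm: str) -> bool:
    """True when the fingerprint shown by the client equals the one computed
    from the administrator's own copy of the certificate.  Digests of
    different lengths (wrong algorithm) simply compare unequal."""
    expected = normalize(fingerprint(pem_text, algorithm))
    return hmac.compare_digest(expected, normalize(shown))


if __name__ == "__main__":
    # What a site owner would send back to a user who asks, for each hash
    # the user's client might display.  MD5 is shown for compatibility with
    # older tools only; prefer SHA-256 when both sides can produce it.
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg.upper()} Fingerprint={fingerprint(SAMPLE_PEM, alg)}")

    # The string a user copies from the warning dialog (constructed).
    shown_in_dialog = "MD5 Fingerprint=90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"
    print("dialog fingerprint matches certificate:",
          matches(SAMPLE_PEM, shown_in_dialog, "md5"))
```

Run it against a real certificate by replacing `SAMPLE_PEM` with the contents of the site's PEM file; the MD5 line it prints is the same value as the openssl output above, so either side of the phone call can produce it.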
Users are never going to jump through the hoops I just jumped through to obey the spirit of this message and nobody on the software side cares whether users obey the spirit of this message either. It doesn’t even matter that the meaning of the message was incorrect – because there is no obvious path to take that could actually result in users responsibly acting on any variation of the message. This popup is nothing but an inconvenience with no security value whatsoever.
Someday, somebody is going to win the Nobel Prize for making certificates usable. I hope it happens soon. They will have earned the distinction.