Blog

Symantec, Comodo, Honest Achmed

Last week, we talked about how YouTube helped kill IE6. More recently (2018), Google did something similar (use their marketshare to do something that was tough).

Symantec's CA had historically been... lackadaisical about security. Theoretically, a CA with security issues should be distrusted by browsers. Unfortunately, some CAs are too big. Symantec signed somewhere in the ballpark of 21% of HTTPS domains back in 2017 when the issue first surfaced. That means that whichever browser acts first to distrust Symantec's root certificate appears to "break" 20% of HTTPS domains for their users. (Chrome shows an HTTPS error page, but Firefox, IE, etc. work.)

While we've got a link to the 2017 thread where this first surfaced, let me just select some juicy quotes. The first is after a 3 day silence:

Have you had a chance to review these questions? Considering that these are all about existing practices, and as a CA should be readily available and easy to answer, I'm hoping you can reply by end of day.

The second is after some apparently off-list exchanges:

As captured in our private mail exchange last week, Symantec's report fails to meaningfully address each or any of the questions I raised.

I don't know how to read "each or any" except maybe to laugh. Here's one from a month later.

If CrossCert was actually operated by a pair of students from a flat in Amsterdam, but Symantec had been able to achieve confidence that it was adequately validating subject identities and documenting this work correctly it seems to me that the threat to the Web PKI from their deceit is rather modest. Doubtless Symantec would be very unhappy with this purported Korean company, but there wouldn't be bogus certificates out there that should never have been issued, just a bunch of red faces at Symantec.

On the other hand, even if auditors flew in [...] from each of the Big Four professional services networks to examine CrossCert's physical site in Korea and their implementation of policy on the ground, that's worthless if CrossCert are anyway still causing Symantec to issue "test" certificates for example.com and Symantec doesn't even detect it.

(Big Four refers to the accounting firms – the discussion is about E&Y Korea.)

So Chrome, with it's 60-ish% market share, pushed to gradually distrust Symantec. Mozilla got on board, and at that point it was easy for Microsoft and Apple to stamp it too.

In the end, DigiCert acquired Symantec's PKI to end the whole thing ("DigiCert works with its customers and partners to successfully move past Google's distrust of Symantec TLS certificates" is such a whirlwind of a headline).

There are a variety of ways to read these events. A very cynical one is that Google abused their power to strongarm the other browsers into distrusting Symantec in their drive to commoditize the internet as much as possible. A rosier one is that Google sunk a bunch of money into developing a browser that captured majority marketshare and the moment they did, leveraged that to take care of a long-standing security issue on the modern web.

But there's another CA with large marketshare: Comodo. They've also had a history of security issues. After their 2011 security oops, someone posted the best CA inclusion request ever: Honest Achmed's Used Cars and Certificates. Instead of reading all this junk I just wrote about CAs or watching Moxie's DEFCON talk (first link in this paragraph), you could really just read this request to understand all the issues with CAs on the modern web.

Impact to Mozilla Users
Achmed's business plan is to sell a sufficiently large number of certificates as quickly as possible in order to become too big to fail (see "regulatory capture"), at which point most of the rest of this application will become irrelevant.

(An RA is a registration authority.)

Sub CAs Operated by 3rd Parties
Honest Achmed's uncles may invite some of their friends to issue certificates as well, in particular their cousins Refik and Abdi or "RA" as they're known. Honest Achmed's uncles assure us that their RA can be trusted, apart from that one time when they lent them the keys to the car, but that was a one-off that won't happen again.

So anyway, I'm waiting for Comodo to slip up again so Google can unleash their wrath.

China's Surveillance State

AI is great! With not very much effort, you can train a model to recognize faces. For example,

"We use people's hair, their clothing, their faces, and movements to track them," a company official said at the conference. "We can help governments go through hours of security camera footage to find them."

"We provide a tool for you to process your data," Franky Chan, a SenseTime public relations manager [...], told BuzzFeed News. Chan's statement echoed what Xie, Megvii's vice president, told Business Insider last year. "What we do is sell them a server [loaded with Face++]," he said. "That's all."

You don't even need to understand that "just selling the Chinese government a server" is completely not the issue!

SHA-1

In case you missed it, SHA-1 is insecure. In 2015, Thomas Peyrin et al. showed a freestart collision (two things that hashed to the same value, but the attackers choose the hashed value and the IV). In 2017, CWI and Google showed a collision attack (the attackers choose just the hashed value).

In April 2019, Gaëtan Leurent and Thomas Peyrin (again) showed a chosen-prefix attack (the attackers choose only part of the hashed value). By the way, scrutinizing this diagram gives me a feeling of bewildering joy.

I'm sure the blocks are at weird angles for a great reason (probably to show branching tree search), but the whole paper is over my head. Anyway, they estimate the cost of their attack to be $100,000.

Ubershaders

OK, enough doom and gloom. Let's talk about making GPUs do weird things to render 3D scenes.

Shaders are great because they use the GPU to operate in parallel on all the pixels (as opposed to the CPU which can only do a handful of things at a time). Games use shaders to shade objects (adjust colors) as well as bunch of other non-shading things.

PC games run on whatever GPU the PC has. Every GPU needs a different version of the shaders, but that's OK! You can write things in a common language (GLSL) and then the video driver's shader compiler takes care of things.

Dolphin is a GameCube and Wii emulator. From their ubershaders blog post,

Consoles are very different. When you know the precise hardware you are going to run the game on, [...] you can pre-compile GPU programs and just include them on the disc, giving your game faster load times and more consistent performance. This is especially important on older consoles, which may not have enough memory for or possibly even the capability to store shaders in memory. Flipper, the GameCube GPU, is the latter.

[...] the TEV unit doesn't have the ability to store configurations, so GC/Wii games must configure it to render an effect the instant it is needed, without any delay or notice.

And this is really tough for Dolphin, which runs on PCs with pesky GPUs, to do. Compiling shaders causes stutter and their post about it has lots of GIFs that demonstrate the problem.

They considered many ideas, implemented some, and then...

The crazy idea was born to emulate the rendering pipeline itself with an interpreter that runs directly on the GPU as a set of monsterous flexible shaders. If we compile these massive shaders on game start, whenever a game configures Flipper/Hollywood to render something, these "uber shaders" would configure themselves and render it without needing any new shaders.

And it works.

GPUs shouldn't really be able to run these at playable speeds, but they do.