HN
Today

WebPKI and You

This deep dive exposes the hidden complexities and systemic failures within WebPKI, the critical public key infrastructure underpinning HTTPS. It meticulously details how Certificate Authorities often prioritize convenience and profit over public safety, illustrated through real-world revocation fiascos involving major players like Entrust and Microsoft. The author's blend of technical insight and scathing critique offers a compelling look at the messy human element behind internet security.

4
Score
1
Comments
#5
Highest Rank
6h
on Front Page
First Seen
Mar 12, 5:00 AM
Last Seen
Mar 12, 10:00 AM
Rank Over Time
18856913

The Lowdown

This comprehensive article delves into WebPKI, the complex public key infrastructure vital for HTTPS, arguing it's as much a social and political system as it is a technical one. It meticulously unpacks the mechanics of certificates, Certificate Authorities (CAs), and revocation, while exposing the systemic failures and conflicting incentives that compromise internet security.

  • WebPKI Basics: Explains the fundamental process of how websites like banks prove their identity using private/public keys and certificates issued by CAs, which are then validated by client browsers against root programs.
  • History and Certificate Types: Traces HTTPS's evolution from niche e-commerce to pervasive standard, detailing Domain Validated (DV), Organization Validated (OV), and the ultimately failed Extended Validation (EV) certificates, which browsers abandoned due to user indifference.
  • Certificate Transparency (CT): Highlights CT as a crucial mechanism developed after incidents like DigiNotar, forcing CAs to log certificate issuance publicly, making mis-issuance harder to conceal.
  • Expiration and Revocation Challenges: Discusses traditional revocation methods like Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP), their inherent scaling and reliability issues, and the modern shift towards short-lived certificates to mitigate these problems.
  • Revocation Fiascos: Presents detailed case studies:
    • Trustico: A reseller that unencrypted and disclosed thousands of private keys, forcing mass revocation.
    • Entrust: A major CA that initially resisted revoking mis-issued certificates lacking a Certification Practice Statement (CPS) link, only complying after pressure from Google Chrome's root program, revealing widespread issues and critical infrastructure exceptions.
    • Microsoft: A massive mis-issuance event in 2025 involving ~100 million certificates, characterized by poor counting, slow-rolling revocation, and excuses regarding CRL size limits, leaving invalid certificates in circulation for extended periods.
  • TLS Beyond the Web: Argues that not all TLS usage requires WebPKI; internal services and critical infrastructure could benefit from private CAs, avoiding public scrutiny and the complexities of public root programs.
  • Mitigation Strategies: Proposes solutions like stricter CA restrictions (e.g., geographic limits, penalties for incompetence), HSTS-like declarations for future certificate restrictions, "Subscriber CAs" for ephemeral server fleets, and ACME Renewal Information (ARI) for more intelligent certificate renewal, while critiquing the inherent conflict of interest in CA auditing.

Ultimately, the author concludes that the WebPKI system has historically prioritized the financial security of CAs over the safety of relying parties. They urge subscribers to adopt ACME for web servers and private CAs for internal systems, and call for root programs to exert stronger, more consistent pressure on underperforming CAs, while acknowledging that individual relying parties primarily have the power to complain.