when-digital-certificates-fail


Digital Certificates

Digital certifications are a center-piece in modern secure Internet communications. They are meant to establish trust and support verifying integrity.

They for example ensure that we are talking to the legitimate bank website, or that our computers are downloading unmodified updates from the vendor infrastructure and not from somewhere else.

The use of Digital Certificates and Certificate Authorities as a medium of trust was designed for a much smaller, simpler, and static world.

In 2011, a reseller of the certificate authority Comodo was attacked, and the certificate authority DigiNotar was compromised. Attackers could issue certificates for malicious websites, and users would see those websites as trusted.

To remedy the situation, every browser on earth needed to be updated in order to remove the compromised Certificate Authority as trusted, and every website using that compromised Authority needed to issue a new certificate.

The Comodo incident was one of the first signals indicating that the model was obsolete. In a complex world, static trust could create more problems than it solves, by adding a false sense of trust and cumbersome management.

The situation with Digital Authorities hindered the adoption of encryption on the web. Solutions like Let’s Encrypt are mainly designed to enable encrypted communication on the web and not to ensure the correct ownership and identity of the website provider (only the domain management). There is also no way to use Let’s Encrypt certificates to digitally sign documents or software.

Another approach to secure the signer integrity and identity was the PGP based “web of trust”, where parties would sign each other’s keys in cumbersome “Key signing parties”. Due to usability, it has never become popular outside circles of technical literates.
In order to broadcast signatures and revocations, PGP allowed anyone to send keys to a network of keyservers. This network was successfully attacked and vandalized in 2019. Its replacements now rely on simple email identities.

Digital Certificates in the Software Supply Chain

In December 2020, news broke that the US Treasury Department has been compromised by a sophisticated adversary. The attackers compromised a popular network management tool developed by SolarWinds, used by 300,000 customers.

They did not breach every SolarWind customer. Instead, they changed the code inside SolarWinds Supply Chain. Every customer got an update signed by SolarWinds digital certificate. Which means, SolarWinds added its own stamp to compromised software.

One may think: It is just a matter of revoking those certificates. Like in the previous example, revoking the certificate means invalidating the signature of everything signed with it. Thousands of deployments had valid software signed with the same certificate.

Here we can see digital certificates first adding a sense of trust to a compromised piece of software, and then ruining the trust chain for legitimate assets.

The problem with Digital Certificates is that they are only able to express that a piece of software is coming from a certain party, unmodified. Trust is static and never to change, never to be revised. This does not work in a world heading towards zero-trust models, where trust is dynamic and fine-grained.

Trust Agility

Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. You may know him as the creator of Signal, one of the most secure messaging programs. Its encryption protocol is used by Signal, Whatsapp, Facebook Messenger,and Skype.

In 2011, Moxie was busy trying to solve the problem of centralized Certificate Authorities and developed several projects in this area like Convergence and TACK. In his talk "SSL And The Future Of Authenticity" he coined the term "Trust Agility" as one of the problems arising from the model of Digital Certificates and Certificate Authorities.

He defined "Trust Agility"" as the ability to revise a trust decision at any time. Instead of permanently trusting authorities, he introduced the concept of notaries, which would allow you to revoke trust in certificates in real-time. The user could choose his notaries from whoever he trusted.

Trust Agility in the Software Supply Chain

CodeNotary introduces Moxie’s concept of "Trust Agility" in the CI/CD process.

With CodeNotary you can have multiple parties expressing trust on specific assets at any time. There are no digital certificates to manage or deploy.

Trust can be revised, but previous trust assertions can’t be changed retroactively. The whole system is built on immudb, a tamper-proof database which secures the whole model. The entire immutable history of trust transactions is cryptographically protected. Revocation is granular: an identity revokes the trust on single artifacts without affecting what was previously trusted.

  • Pipelines can assert the trust of developers on the code
  • Security Scanners can trust and distrust assets at any time
  • QA teams can approve newly tested releases
  • Legal can approve or forbid the usage of libraries
  • Product Managers can EOL artifacts

And the most important: agents can assert the trust of the deployed software at runtime. This is what HomeAssistant, the most popular home automation software, does to validate the software running on user’s homes.

Conclusion

Digital Certificates were designed for a small and static world. They are cumbersome to manage, provide a false sense of trust and revoking them is an expensive and destructive operation.

Notarization of individual assets provides a more fine grained and agile trust model for CI/CD environments. Trust is tied to identities, individual assets, and can be revised at any time. The immutable history of trust allows a compromised pipeline to reconstruct the picture and take actions.

Start notarizing today.

About CodeNotary

To learn more how you can implement end-to-end zero-trust protection for your CI pipeline, visit CodeNotary and signup for the Cloud version or download the Self-Hosted edition.

CNIL Metrics & Logs

Self-Hosted performance monitoring and compliant log analysis for VMware vSphere, container and much more.

immudb

Built on the fastest immutable ledger technology. Open Source and easy to use and integrate into existing application.

Codenotary Cloud

Trusted CI/CD, SBOM and artifact
protection with cryptographic proof.
One CLI to manage all.

Subscribe to Our Newsletter

Get the latest product updates, company news, and special offers delivered right to your inbox.

Subscribe to our newsletter

Use Case - Tamper-resistant Clinical Trials

Goal:

Blockchain PoCs were unsuccessful due to complexity and lack of developers.

Still the goal of data immutability as well as client verification is a crucial. Furthermore, the system needs to be easy to use and operate (allowing backup, maintenance windows aso.).

Implementation:

immudb is running in different datacenters across the globe. All clinical trial information is stored in immudb either as transactions or the pdf documents as a whole.

Having that single source of truth with versioned, timestamped, and cryptographically verifiable records, enables a whole new way of transparency and trust.

Use Case - Finance

Goal:

Store the source data, the decision and the rule base for financial support from governments timestamped, verifiable.

A very important functionality is the ability to compare the historic decision (based on the past rulebase) with the rulebase at a different date. Fully cryptographic verifiable Time Travel queries are required to be able to achieve that comparison.

Implementation:

While the source data, rulebase and the documented decision are stored in verifiable Blobs in immudb, the transaction is stored using the relational layer of immudb.

That allows the use of immudb’s time travel capabilities to retrieve verified historic data and recalculate with the most recent rulebase.

Use Case - eCommerce and NFT marketplace

Goal:

No matter if it’s an eCommerce platform or NFT marketplace, the goals are similar:

  • High amount of transactions (potentially millions a second)
  • Ability to read and write multiple records within one transaction
  • prevent overwrite or updates on transactions
  • comply with regulations (PCI, GDPR, …)


Implementation:

immudb is typically scaled out using Hyperscaler (i. e. AWS, Google Cloud, Microsoft Azure) distributed across the Globe. Auditors are also distributed to track the verification proof over time. Additionally, the shop or marketplace applications store immudb cryptographic state information. That high level of integrity and tamper-evidence while maintaining a very high transaction speed is key for companies to chose immudb.

Use Case - IoT Sensor Data

Goal:

IoT sensor data received by devices collecting environment data needs to be stored locally in a cryptographically verifiable manner until the data is transferred to a central datacenter. The data integrity needs to be verifiable at any given point in time and while in transit.

Implementation:

immudb runs embedded on the IoT device itself and is consistently audited by external probes. The data transfer to audit is minimal and works even with minimum bandwidth and unreliable connections.

Whenever the IoT devices are connected to a high bandwidth, the data transfer happens to a data center (large immudb deployment) and the source and destination date integrity is fully verified.

Use Case - DevOps Evidence

Goal:

CI/CD and application build logs need to be stored auditable and tamper-evident.
A very high Performance is required as the system should not slow down any build process.
Scalability is key as billions of artifacts are expected within the next years.
Next to a possibility of integrity validation, data needs to be retrievable by pipeline job id or digital asset checksum.

Implementation:

As part of the CI/CD audit functionality, data is stored within immudb using the Key/Value functionality. Key is either the CI/CD job id (i. e. Jenkins or GitLab) or the checksum of the resulting build or container image.

White Paper — Registration

We will also send you the research paper
via email.

CodeNotary — Webinar

White Paper — Registration

Please let us know where we can send the whitepaper on CodeNotary Trusted Software Supply Chain. 

Become a partner

Start Your Trial

Please enter contact information to receive an email with the virtual appliance download instructions.

Start Free Trial

Please enter contact information to receive an email with the free trial details.