Is this my site?

Nov 9, 2014

In reading Alex Gaynor’s post prodding for more HTTPS, I was ecstatic to learn I could start serving my site with a free certificate from CloudFlare. I’ve set this up already; be sure to check it out.

Not only was I interested in the details of implementing a certificate on my site (however, CloudFlare abstracts that away pretty magically), but I also had been wanting to publish my PGP key in case anyone wanted to talk about super secret stuff. I jest, but I think it’s kinda cool.

A while ago, I had my PGP key published on an unsecured site of mine. A friend quickly told me this was a problem: Without TLS in place, the content on my site, including a PGP key, is not guaranteed to have:

Confidentiality: secrecy of the content from other parties, like ISPs, employers, etc.
Message Integrity: the content is intact and has not been modified.
Authenticity*: the content was delivered from me/on my behalf.

But I have all that now with a certificate in place. So I can publish my PGP key and security-conscious users can rest assured they’re getting the key they think they’re getting?

Wrong.

I tricked you a little bit here because I didn’t tell you about CloudFlare’s identity verification process: There is none for the certificate I use here. That means there’s no provable link between this site and me, the breathing human being Tim Martin with a reputation to uphold. Hence, this compromises the aforementioned authenticity*.

As of right now, the only way to prove authenticity is for a Certificate Authority to perform an identity check, the details of which are (only) guidelined by the CA/Browser Forum in a document like this. Further, this check is only performed on applications for a different class of certificates known as Extended Validation Certificates (which generally cost considerably more), and this certificate is not one of them.

(There are a lot of theoretical flaws and profit-centric motives in the CA scheme that accompany practically any notion of trust on the web. Some of these flaws have been acted upon. You should do some Wikipedia-ing on the matter if you’re unfamiliar.)

Anyway, you can check for yourself that this certificate has nothing really to do with me, and that my identity has not been verified. Take a look at this screenshot of Chrome’s Certificate dialog:

Chrome's Certificate dialog — See that `sni74477.cloudflaressl.com`? That's not me.

So, yes, you have confidentiality, you have message integrity, but the only thing you know about authenticity is that this content comes from CloudFlare.