I like modern cryptography. I understand some bits of it quite well, since I had an excellent university course on the subject, and while the rest feels pretty much like magic, these are my thoughts that anyone should be able to follow.

My general opinion is that encryption is a mistake in most cases, but digital signatures make true sense to me, and I will focus on them.

If someone gives you much data, they know more than you.

This is true especially for big integer numbers. Remember RSA? This is the (still widely used) encryption algorithm that rests on the assumption that, while computing n = pq is trivial when you know the two primes p and q, recovering p and q from n alone is computationally expensive.

If someone tells you n, you cannot tell at first whether they know p or q. You should assume that they might know more than you and thus be able to do extra mathematical operations.

This has been called several names, my favorite being ‘backdoored (or trapdoored) primes’.

If someone is unfair, they can pretend to be fair

This costs them nothing. If they can decide whether to be fair or unfair, behaving fairly does not mean anything. As all the stock exchanges repeat over and over: Past performance is not indicative of future results.

If many trust you, you are more trustworthy

Do not treat this as a head count, though. I only mean that if the people of set X trust you, you are strictly more trustworthy than someone trusted only by a strict subset of X.

Curve25519

This is a cryptographic group derived from a nothing-up-my-sleeve number, and it has been widely suggested as a replacement for NIST’s P-256, which is at least a bit smelly.

It has been adopted by browsers for key exchange, but it still has no (browser) support in certificates, even though it is widely (for real, I mean widely) considered the best available asymmetric cryptographic system.

Security Risk Ahead?

I saw the website securityriskahead.eu when someone pasted a link to it on an IRC channel.

It spends many empty words on the EU (European Union) wanting to mandate QWACs (Qualified Website Authentication Certificates, whatever that means) for websites.

What I think they mean (nobody told me this! the entire text below is speculation, of course: do your own research, because I did not have enough time for mine) is that the EU wants to sneak in a backdoor for law enforcement to be able to perform universal MITM (man-in-the-middle) attacks (i.e. impersonate any website you can think of, and therefore potentially steal your credentials). I will later explain how I arrived at this conclusion.

This is made possible by a fundamental design flaw in X.509 / WebPKI. What the draft law says is pretty much ‘every website must present a QWAC to EU citizens’. Which, in itself, should be harmless. You would get an extra guarantee from the QWAC (whatever it is) if you trust it, and if you don’t, it would just use some minor extra bandwidth.

The design flaw

X.509 / WebPKI is a standard that specifies the format of certificate chains. It was established by the CA/B Forum (Certification Authority/Browser Forum) decades ago. It mandates that every certificate is signed either by another certificate, or by itself. Self-signed certificates can be generated by anyone and therefore do not guarantee anything on their own (like the n = pq example above), but if you trust the owner of one to certify only mindfully, it becomes a trusted CA (Certification Authority). Every other certificate can be certified only by a single CA, which is fundamentally broken.

Think of it as being allowed only one bank account (or e-mail account) at a time. The format simply has no way to express the fact that a single certificate is considered valid by both entity A and entity B. You have to choose either the former or the latter. This leads to monopolization, since if you are setting up a website and want to choose a CA, you choose one of those supported by all major browsers. You cannot combine one that is supported only by Firefox with one that is supported only by Chrome. So becoming a new CA involves convincing every single browser to add your certificate to its root CA bundle (often called the root CA zoo), BEFORE you even get your first CSR (certificate signing request) from a potential client.
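As an added illustration (my own Go program, not anything from the post or from any browser's code), this builds two self-signed roots A and B with only the standard library's crypto/x509, has A issue a server certificate, and runs the trust-store check a browser performs. The certificate chains to A but fails when only B is trusted: the single Issuer field names one CA and cannot carry a second endorsement. The CA names and the hostname example.test are constructed for the example, and the keys are Ed25519 (the signature scheme on the same curve as Curve25519).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name. With ca == nil it is a self-signed root (what a browser
// keeps in its root bundle); otherwise ca signs it. X.509 has exactly one Issuer field, so the
// certificate cannot also carry a second authority's endorsement.
func newCert(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 keys for every party
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parent, signer := tmpl, priv // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parent, signer = ca, caKey // the one and only issuer of this certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert, priv
}

// verifiedBy reports whether leaf chains to any root in the given trust store, the check a
// browser makes against its root bundle: with only an unrelated CA trusted, the chain fails.
func verifiedBy(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}
func main() {
	caA, keyA := newCert("CA A", nil, nil)
	caB, _ := newCert("CA B", nil, nil)
	leaf, _ := newCert("example.test", caA, keyA) // constructed hostname
	fmt.Println("trusting CA A:", verifiedBy(leaf, caA), "trusting only CA B:", verifiedBy(leaf, caB))
}
```

Running it prints true for the store that contains A and false for the store that contains only B; adding B's root to A's store does not break the chain, which is exactly why every new CA must first get into every browser's bundle.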

How it allows for sneaky MITM

Since the EU wants every website to be verified by a QWAC (again, no matter what it actually is), websites would have no option but to have their certificates signed by a QWAC only. This in turn means that the browser vendors cannot revoke a QWAC if it is misused, because “trusting it” is the only way to access the website. Or they can revoke it, but the QWAC that comes next is bound to be misused again in exactly the same way.

Either way, mandating QWACs sounds like a very bad idea, but only because of how utterly broken the X.509 / WebPKI format currently is.