An Interactive Graph of the Certificate Authority Ecosystem

An anonymous reader writes "Researchers of the International Computer Science Institute in Berkeley have created an interactive diagram that shows root-CAs, their intermediates, the relationships between them and how many certificates have been signed by them. The graph was generated by passively monitoring the Internet uplinks of a number of (mostly) edu sites for SSL connections and their certificate Information. Among other things the graph shows that one GoDaddy intermediate signed more than 74,000 certificates and that a German CA uses more than 200 sub-CAs for administrative reasons."

Re:

[cgimusic]

Yes, we know. It is horrible and incredibly sad but why did you feel the need to post a comment about it on this story?

Re:

[fibonacci8]

All I see is a Mandelbrot lake, it looks like the paths are just escape-time iterations graphed and random labels thrown on them afterward.

Not bad, but...

[drosboro]

they probably should have hired Randall of XKCD to actually do the graphics... Nobody does these sorts of visualizations as well as that. And I just didn't find the alt-text funny at all. :)

Re:

[gagol]

Funny thing is, other human beings were born after you and are in that stage of their lives... and others will too!

How is that useful?

[gagol]

How is that useful? Serious question here.

The graphic is a lie

[Dynedain]

The graph, while cool, sucks!

It implies a root signer, which isn't really there. By clumping all the various networks identified within a circle, they make it look like there are connections between the networks that don't really exist.

Look carefully around the edge between the inner and outer circles, there's nothing that bridges them.

Now look carefully around the outer circle, you'll see it isn't one continuous network, it's a bunch of small networks just sitting next to each other.

The whole reason for putting data in a graphic is so that you can draw new meaning from visual clues because the human brain is so good at interpreting visual information. However, if you force stuff into shapes like this, you imply meaning that isn't really there.

Re:

[at10u8]

Not a lie, just missing another essential component: What I want to see is another layer of graph that shows which browsers (have) trust(ed) which CAs, and (if only!) how many dollars flowed along each of those edges.

Re:

[Anonymous Coward]

You misinterpreted the "The graphic is a lie" in parent.

Reason it is a lie is cause it gives an impression they are all connected, whereas they are not. It should have been grouped in several circles.

Re:

[bill_mcgonigle]

That, and it makes me think there's probably a hidden '23' in the plot that I can't see because of the colors they chose.

Re:

[interval1066]

...they make it look like there are connections between the networks that don't really exist.

Hey, I'll be the first to say I probably don't understand this as well as I should, but isn't this a map of CA relationsips, and not "network connections"? Or by "network" do you mean the network of CA authorities?

Re:

[MartinSchou]

Truth: Most of the CAs are in tiny closed relationships and have no connection to others.

Graph: Huge lump of CAs, making it look like they are all interconnected.

Re:The graphic is a lie

[Kalriath]

Actual truth: Most of the CAs are Symantec, using multiple names to make it appear there is actually competition.
Graph: Huge lump of CAs making it look like they aren't all Symantec.

Re:

[Dynedain]

I meant the network of CA authorities.

If this graph was accurate, it would look like a bunch of individual unconnected clusters, with one particularly large cluster. But clearly the creator was too interested in forcing it to look like on of those color-blindness tests.

This is a godsend

[azav]

Such a great tool. Thank you Berkeley.

CAs are an extortion racket.

[Medievalist]

Set up a few servers and mint cash.

Best idea I ever heard was that the US Post Office should become a CA, I'd use them instead of the current bunch of swindlers who do the minimum acceptable job at the highest acceptable price.

Re:

[NJRoadfan]

Ask DigiNotar how well that worked out for them. Whats funny about the whole is that people are supposed to "trust" a private enterprise with a clear profit motive. Yet nobody seems to actually question that trust enough.

Zoom!

[emho24]

If I zoom in close enough I can see my house.

sub-CA hell

[cratermoon]

DFN-Verein "creates a unique sub-CA for each institution for which it issues certificates"

I feel sorry for the technical folks who have to implement and maintain such a fucked up idea as per-institutional sub-CAs.

Re:sub-CA hell

[Let's All Be Chinese]

And why is that? This is actually exactly how the CA structure was designed to work, not that commercial "we'll protect you from anyone we don't take money from"-crap, involving RAs and other unchecked entities that can use a CA to vouch for something that they haven't even checked themselves, a practice that somehow made it into the gold standard.

The DFN is the german academic research network, and so the guys running that network can vouch for every organisation connected to it. Each organisation is supposed to be able to vouch for the certificates they issue. What's your problem with that?

Personally, I think the whole PKI thing is FUBAR, since only one super is allowed to vouch for a sub and you're effectively forced to trust someone else's CA collection (down to a certain vendor silently undoing your changes to the store on your operating system come every update check). To make digital trust workable I, end user, have to be able to choose whom to trust, a choice I currently do not have, in fact cannot have lest my intarwebz stop functioning!

But in the case of the DFN, the hierarchy is exceptionally clear and one of the few places where it actually makes sense. And maintaining 200 sub-certificates is a lot less work than maintaining millions upon millions of certificates issued on a couple bucks and a grainy copy of your passport. What does that prove anyway?

Re:

[cratermoon]

OH I definitely agree that the system is broken. Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

Yes, I think that encrypting your traffic securely is the right thing to do, and using public-private key pairs with cryptographically strong algorithms is the right way to do it, the trust model was broken the first day that money started to change hands as a surrogate for "trust"

Re:

[dkf]

Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

You are very confused. Alas, you are spreading your confusion around.

The whole design of SSL and public key infrastructures means that you don't trust the CAs with your personal data. Indeed, you hardly ever need to communicate with the CA directly at all. You just trust them to make accurate statements about hosts of websites. You then have to decide whether to trust that site with your personal data. Thus, no matter who signs the SSL certificate for Facebook, I'm not trusting them with my personal data...

Re:

[cratermoon]

No, I'm fully aware we don't trust the CAs with our personal data. We're trusting the CAs to vouch for the organizations to whom they issue certificates. But now there are hordes of CAs, some of whom may not be particularly trustworthy, but the browser makers don't descriminate (much).

As a result, we have CAs that we're supposed to trust because our browsers accept them, but those CAs are passing out SSL certs like candy to anyone with a few bucks.

While we're not directly giving our personal data to the CA

Re:

[heypete]

Personally, I think the whole PKI thing is FUBAR, since only one super is allowed to vouch for a sub and you're effectively forced to trust someone else's CA collection (down to a certain vendor silently undoing your changes to the store on your operating system come every update check).

If you're referring to the Windows utility to update root certificates, that can be easily disabled.

To make digital trust workable I, end user, have to be able to choose whom to trust, a choice I currently do not have, in fact cannot have lest my intarwebz stop functioning!

Why not? It's quite possible to remove all root certificates from your system and only install those that you trust. If you're concerned about the trustworthiness of a root, you can install a certain server cert (though you may lose such benefits like OCSP or CRL checking, as those are signed by the roots).

The ICSI Certificate Notary

[Onymous Coward]

So this graph is publish by the ICSI. They're getting into the "notary" game: http://notary.icsi.berkeley.edu/ [berkeley.edu]

They reference Perspectives [perspectives-project.org] as the pioneer of this scheme and also mention Convergence [convergence.io].

ICSI's Certificate Notary offers itself as different: "our notary collects certificates passively from live upstream traffic at multiple independent Internet sites, aggregating them into a central database in near-realtime." I'm not sure this is an improvement.

Octave

[troll -1]

GNU Octave is a very handy program to know: http://www.gnu.org/software/octave/ [gnu.org]

Redundancy, Robustness and Hubs

[m.shenhav]

I don't know much about certification. I do know something about networks though. What we see here is a graph whose connected components seem to have a one or two hubs. So let me ask anybody who knows anything about CAs: What happens if we take down those hubs?