25-01-2016, 08:00 #1
[EN] AWS: certificados SSL gratuitos
Amazon have set up their own Certificate Authority called Amazon Trust Services LLC.
It looks like Amazon has purchased the Starfield CA, but leaving Starfield to run it.
Jan 22, 2016
AWS Certificate Manager ... a potential game changer?
Yesterday Amazon Web Services announced AWS Certificate Manager (ACM, and keeping with their flip flop tradition of prefixing stuff with either AWS or Amazon), and there was much rejoicing.
ACM now allows you to deploy an Amazon issued SSL certificate to your Elastic Load Balancer or your CloudFront Distribution, and the bit that has everyone excited is that AWS is not charging for the SSL certificates!
So... how do they not charge for certificates? Companies like Symantec charge a small fortune for SSL certificates. Simple. Amazon have set up their own Certificate Authority called Amazon Trust Services LLC (https://www.amazontrust.com).
This is actually quite a big thing, as it now enables Amazon to issue certificates at no third party costs to themselves, which dramatically reduces their overall cost to issue a certificate. When you change the economics behind an action, you change the behaviour that action drives.
To put it simply, now that it’s free to get an SSL certificate from Amazon (and LetsEncrypt) no-one should be running a site without SSL. If you’re an AWS customer, not only is the certificate free, setting up SSL is now a trivial event thanks to ACM. So the immediate action this should drive is a safer internet, well at least a more encrypted internet. Reducing the cost, and ease of deployment of a certificate will drive greater ubiquity of SSL certificates.
There is more to it though than free and easy SSL certificates for your website. If you dig a little deeper into Amazon Trust Services LLC, you’ll pretty soon get the picture that ACM for ELB and Cloudfront is just the start.
Amazon Trust Services operates four root certificate authorities.
- Amazon Root CA 1 — SHA-256 with 2048 bit key
- Amazon Root CA 2 — SHA-384 with 4096 bit key
- Amazon Root CA 3 — ECC P-256 (Elliptic curve ... also known as NIST P-256)
- Amazon Root CA 4 — ECC P-384 (Elliptic curve ... also known as NIST P-384)
Today, ACM only issues RSA 2048 bit keys from Amazon Root CA 1. Only Amazon Root CA 1 is recognised by browsers as a trusted CA as it is cross signed in the Mozilla CA Certificate Store the Starfield Class 2 Certification Authority.
Essentially Amazon Root CA 1 is piggy backing off the Starfield Class 2 Certification Authority. Starfield is a subsiduary of GoDaddy, and a separate entity to Amazon altogether. What does get interesting is in the Mozilla list of included certificates in their certificate store is that Amazon are listed as the owner of the Starfield Services Root Certificate Authority, whilst Starfield are the issuer.
It looks like Amazon has purchased the Starfield CA, but leaving Starfield to run it. This only appears to be an interim arrangement though to get things up and running as quickly as possible.
Separate to this Amazon has applied for their own four CA’s to be on the approved list with Mozilla. A process that started in June 2015 and is still on going. The application process gives quite a bit of insight into what Amazon have applied for, and help us jump to wild conclusions.
So why is getting into the Mozilla CA Certificate Store so important? The Mozilla CA Certificate Store is used by Mozilla Network Security Services (NSS) and is the largest Root Certificate Program in Linux, and is used by products such as Google Chrome (EDIT: Only on Linux, on other platforms Chrome uses the platform store), and was the first open source cryptographic library to achieve FIPS-140 compliance. Getting all the Amazon Root CA’s into the Mozilla CA store, not only opens up Chrome, but a host of other applications to trust an Amazon issued certificate.
So lets jump to some wild conclusions on where Amazon are going to take ACM, and the fact that they will have 4 Root CA’s on the Mozilla CA Certificate Store?
- API Gateway — Already supports self-signed certificates, adding Amazon signed certificates wouldn’t be a stretch.
- IoT — One of the biggest concerns today around IoT is security. Amazon can now ensure all communication between two devices is encrypted and/or signed by a trusted root CA. Issue a cert from a Root CA to every device? Why not?
- WorkMail — WorkMail needs an edge, and could offer better security out the box than competitors with publicly signed emails as default.
- WorkDocs — Publicly signed documents as standard? One way to securely share docs in a trusted way!
Ultimately Amazon can ensure that communication between two untrusted parties can be encrypted and signed by Amazon as the trusted party in the middle. This becomes really powerful when they start to bake that capability into all of their services natively with an easy to user interface and a host of SDKs, whilst adding no cost to issue a certificate.
The biggest downside I see with Amazon running their own CA, and with ACM, is that it looks like Amazon will only allow you to issue certificates through ACM, which is coupled to the AWS platform. So you won’t be able to use those certificates on a competing CDN for example. It’s not complete lock in, but it would mean maintaining a separate set of non-AWS certificates for non-AWS services.
In the short term, until the four Amazon Root CA’s are in the Mozilla CA Certificate Store, don’t expect this to go beyond ACM for ELB and Cloudfront. Once the four Amazon Root CA’s are on the trusted list, expect ACM in everything.
Oh... and good luck to Symantec and their certificate business..
Edit: Microsoft have added the AWS Root CA’s to their trusted CA store as of 21 January. More detail here http://hexatomium.github.io/2016/01/21/amazon-roots/
25-01-2016, 08:36 #2
- It looks like Amazon will only allow you to issue certificates through ACM, which is coupled to the AWS platform. So you won’t be able to use those certificates on a competing CDN for example. It would mean maintaining a separate set of non-AWS certificates for non-AWS services.
- Until the four Amazon Root CA’s are in the Mozilla CA Certificate Store, don’t expect this to go beyond ACM for ELB and Cloudfront.
24-02-2016, 19:56 #3
The Danger of Free SSL Certificates
In January Amazon Web Services (AWS), the ecommerce giant’s cloud computing business, introduced AWS Certificate Manager (ACM). This move was a response to the fact that the SSL/TLS certificates often used with Amazon Web Services (AWS) to encrypt and secure transactions take a significant amount of time to provision, install, and manage, hindering the use of AWS cloud instances.
ACM reduces SSL/TLS certificate management complexity by issuing certificates directly through Amazon’s certificate authority (CA) and Amazon Trust Services (ATS). Offering this service is a big step for Amazon as it enters the CA business. It is currently only available in the US, but Amazon is moving towards offering the service globally.
ACM is great for businesses who want to quickly encrypt and secure transactions within Elastic Load Balancers (ELC) and/or CloudFront (CF) distributions, and best of all, any certificate issued by ACM is totally free, a trend that will become the norm as the industry moves towards encrypting 100% of all transaction and communication traffic.
Unlike generic CA’s, the goal of Amazon ACM isn’t to become a direct competitor of other CAs. It is not in the business of selling certificates. In this case, it is simply offering the ability to add a significant layer of security to AWS quickly and with minimal complexity. This is great for our cloud-enabled world and it’s likely that all CA’s will soon have to adopt the free certificate model and offer domain validated (DV) certificates for free.
Free encryption doesn’t secure your keys and certificates
When Amazon ACM issues certificates, the corresponding private keys are stored in the cloud. An organization takes a huge risk anytime it stores a private key anywhere other than on a hardware security module (HSM). This risk increases as the key is stored further and further from the organization’s premises, so having a private key in the cloud introduces all kinds of risks. By doing so, the organization trusts whoever issues and stores its private keys, to ensure that only your organization has access to it.
Securing keys in the cloud is exactly what malicious actors (i.e. hacktivists and disgruntled employees) hope an organization will do, because it makes the keys much easier to steal.
Once a key is compromised, a malicious actor gains the upper hand and can then sell it on the Darknet or use it to encrypt and hide their actions within the organization’s network.
The more free certificates are issued, the weaker the security of the internet becomes. As keys and certificates are compromised more frequently, malicious actors will increasingly use the security blind spots that trusted encryption provides, disguising their attacks.
Amazon ACM does not secure encryption nor increase the security posture of an organization
The benefit of reducing the complexity of encrypting Amazon AWS services is great, but it comes at the cost of security. All the keys and certificates issued by ACM are stored within the Amazon AWS cloud, which makes it easier to issue and manage certificates in the cloud, but as mentioned, this also introduces significant risk—a malicious actor only needs to access to an AWS environment.
Once they do so, they could proceed to issue their own keys and certificates. Falsified keys and certificates would give the malicious actors an encrypted channel where they could hide their activities.
The other major risk is that if the Amazon CA is compromised, there is no quick way to revoke compromised keys and certificates. (Amazon requires a service case be created.) Also there is no way to automate the failover to a secondary CA as recommended by NIST. In short, Amazon ACM does not provide any security for the keys and certificates it issues: it simply reduces the complexity of managing them.
The goal of Amazon ACM isn’t to secure certificates, nor is it to compete with existing CA’s. Amazon ACM simply wants to increase agility by making it easier to acquire and deploy encryption to the AWS cloud. Unfortunately, it also falls short when it comes to management.
For example, ACM doesn’t let its users have visibility over certificates issued by any other CA, nor is it, at the time of writing, compatible with any other service but AWS Elastic Load Balancing or Amazon CloudFront. Plus, it imposes substantial lifecycle restrictions; all certificates issued are valid for 13 months, while certificate renewal is done automatically with no controls or notifications.
Amazon even requires its users to open a service case should they wish to opt out. Worryingly, ACM users will have no ability to identify or register unknown certificates or create and enforce any certificate management policies.
With all keys and certificates stored in the AWS cloud, this provides malicious actors with a valuable opportunity. Yet we’re not saying that businesses shouldn’t use Amazon ACM; as businesses rely on AWS for fast, elastic IT cloud resources, it’s important that they be able to quickly encrypt and secure their transactions. Yet, they need to understand that using ACM alone doesn’t provide enough security for their keys and certificates, exposing them to the risk of key and certificate misuse for breach and compromise.
As certificate specialists have observed, it's just a matter of time before we see cybercriminals using these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data. Ultimately, while AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000.