
SSL certificate authorities vs. ???

It's clear CAs have their problems, but nothing is ready yet to replace them

By , Network World
November 02, 2011 06:09 AM ET

Network World - With all the publicity about breaches of SSL certificate authorities, and an attack that exploits a vulnerability in the supposedly secure protocol itself, it's time to consider something else to protect Internet transactions. If only there were something else to turn to.

Protecting SSL and its successor TLS is vital because they carry most e-commerce transactions by setting up authenticated, end-to-end encrypted sessions, and that authentication depends on certificates that are vouched for by certificate authorities.


Verification is supposed to assure that the public key presented by a server is actually owned by the entity that claims to own it. It is meant to say, yes, you are indeed about to enter a secure session with your bank, not with someone sitting between you and the bank. The certificate authority plays this verification role by signing the server's certificate, and it is the trusted third party in public key infrastructure: the browser trusts the bank's certificate because it trusts the CA that signed it, and any CA in the browser's trust store can sign a certificate for any domain.

The problem is that certificate authorities can't always be trusted.

Earlier this year, certificate authority Comodo was breached and nine fraudulent digital certificates were issued for domains belonging to Google, Yahoo, Skype and Mozilla, among others. Combined with the ability to redirect traffic, the certificates would let the thieves trick Iranian users into thinking they were connecting to those companies' sites when they weren't, since the browser would see a certificate signed by a CA it trusts. That deception would enable the thieves to capture user IDs and passwords and then break into the victims' real accounts with those businesses.

Later in the year, a similar breach at Dutch certificate authority DigiNotar yielded 500 or so fraudulent certificates. The breach so damaged the company's credibility, and the ability of the Dutch government, which relied on DigiNotar certificates, to function online, that the company declared bankruptcy.

These are manifestations of problems that have been talked about for years. Security researcher Moxie Marlinspike has repeatedly demonstrated weaknesses in, and attacks against, the certificate authority model in public forums, and he calls for replacing it altogether.

He recommends a new model for authentication, which he calls Convergence, that is similar to a research project from Carnegie Mellon University called Perspectives. Rather than relying on a single trusted third party whose trustworthiness can't be assured, SSL/TLS authentication would rely on agreement among multiple independent observers, a reputation system of verification.

Servers called notaries constantly probe and re-probe sites on the Internet and record what certificates those sites present. When a browser seeking to verify a site asks, a notary responds with the certificates (in practice, their hashes) it has seen that site present over time. The browser then checks whether the certificate reported by the notaries matches the certificate the site just sent it.

So if a customer is trying to reach mybank.com, the customer's browser asks one or more notaries what certificate they have been receiving over time from mybank.com. If the responses match the certificate the customer just got, that serves as verification. If instead an attacker has inserted himself between the customer and the bank and is presenting a fraudulent certificate, the notaries, connecting from elsewhere on the Internet, will have seen the bank's real certificate, and the mismatch exposes the attack.

Under the Perspectives and Convergence models, anyone can set up a notary, and users choose which notaries to consult. Over time, the reliability of each notary establishes its reputation as deserving or not deserving trust.
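The notary check described above, reduced to a toy model in Python. This is an added example written for this page; it is not code from the article, from Perspectives or from Convergence. The host name, the notary names and the certificate byte strings are constructed stand-ins, and the quorum rule (a majority of the consulted notaries must have seen the same fingerprint) is one simple policy chosen for illustration. It shows the three cases a practitioner cares about: a certificate every notary has observed, a certificate only one compromised vantage point has observed, and a freshly rotated certificate nobody has observed yet.

```python
"""Toy model of Perspectives/Convergence-style notary verification.

Added example for illustration, not code from the article, Perspectives or
Convergence. Hosts, notaries and certificate bytes are all constructed.
"""
import hashlib
from collections import Counter


def fingerprint(cert_der: bytes) -> str:
    """Notaries store and compare certificate fingerprints (here SHA-256 of the
    DER bytes), not whole certificates."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded certificates (not real certificates).
BANK_CERT_2010 = b"constructed-der: CN=mybank.example serial=1 notAfter=2011"
BANK_CERT_2011 = b"constructed-der: CN=mybank.example serial=2 notAfter=2012"
MITM_CERT = b"constructed-der: CN=mybank.example serial=9 issuer=compromised-ca"


class Notary:
    """One notary: keeps, per host, how many times it has observed each fingerprint."""

    def __init__(self, name: str):
        self.name = name
        self._seen = {}  # host -> Counter(fingerprint -> number of probes that saw it)

    def probe(self, host: str, presented_der: bytes) -> None:
        """Record the certificate this notary received when it connected to host."""
        self._seen.setdefault(host, Counter())[fingerprint(presented_der)] += 1

    def report(self, host: str) -> dict:
        """What a browser gets back when it asks about host: fingerprint -> count."""
        return dict(self._seen.get(host, Counter()))


def verify(host: str, presented_der: bytes, notaries: list, quorum: int) -> dict:
    """Browser-side check: accept the presented certificate only if at least
    `quorum` notaries have independently observed the same fingerprint for host.

    Returns a dict so the caller can see which notaries agreed and why it failed.
    """
    fp = fingerprint(presented_der)
    agreeing = [n.name for n in notaries if n.report(host).get(fp, 0) > 0]
    ok = len(agreeing) >= quorum
    if ok:
        reason = "quorum reached"
    elif not agreeing:
        reason = "no notary has ever observed this certificate for this host"
    else:
        reason = "only a minority of notaries have observed this certificate"
    return {"ok": ok, "fingerprint": fp, "agreeing": agreeing, "reason": reason}


def build_scenario() -> list:
    """Three notaries probing mybank.example over time. Notary 'c' sits on a
    network path the attacker also controls, so it has once been fed the MITM cert."""
    a, b, c = Notary("a"), Notary("b"), Notary("c")
    for n in (a, b, c):
        for _ in range(30):
            n.probe("mybank.example", BANK_CERT_2010)
        for _ in range(5):
            n.probe("mybank.example", BANK_CERT_2011)
    c.probe("mybank.example", MITM_CERT)
    return [a, b, c]


def demo() -> dict:
    """Run the three cases against a majority quorum of the three notaries."""
    notaries = build_scenario()
    quorum = 2
    return {
        "current": verify("mybank.example", BANK_CERT_2011, notaries, quorum),
        "mitm": verify("mybank.example", MITM_CERT, notaries, quorum),
        "unseen_rotation": verify(
            "mybank.example",
            b"constructed-der: CN=mybank.example serial=3 notAfter=2013",
            notaries, quorum),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} ok={result['ok']!s:5} agreeing={result['agreeing']} "
              f"({result['reason']})")
```

The third case is the practical caveat of any notary scheme: a certificate the site has just rotated to looks, to the browser, exactly like a man-in-the-middle certificate until the notaries have re-probed the site and observed it. Real deployments have to decide how long a new certificate must have been observed, and by how many notaries, before it is accepted, and that policy is where the security-versus-availability trade-off of this model lives.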
