The SSL system helps to protect secure communications across the Internet. It’s also a technology that relies on trust; specifically, trust in the SSL Certificate Authority (CA), which may not always be trustworthy, according to security researcher Moxie Marlinspike.
Speaking at the Black Hat security conference, Marlinspike detailed issues with the current CA system and proposed a new system to replace it.
The need to replace the CA system, according to Marlinspike, was highlighted by the recent attack on CA provider Comodo in March. Marlinspike noted that Comodo is the second largest CA in the world and the attack was able to do a lot of damage. Comodo officially blamed Iran for the attack.
Marlinspike has a publicly available tool called SSLsniff that enables security researchers to sniff SSL traffic to see if it is secure. Comodo published the IP address of their attacker and Marlinspike was able to identify from his web logs that someone from the same IP address had downloaded SSLsniff from his website. The logs show that the attacker was using Windows and had followed a YouTube tutorial on how to intercept SSL.
Marlinspike argued that Comodo is likely not as trustworthy as they should be. He also noted that as a result of the Comodo hack, nothing punitive happened to Comodo and they didn’t get sued.
Marlinspike explained that for SSL to work, security, integrity and authenticity are needed. In his view, authenticity is the weak link today. Authenticity helps to prevent man-in-the-middle attacks, and it’s the role of the CAs to ensure that sites are authentic.
“The real story with the Comodo attack is that it’s not unique,” Marlinspike said. “It’s happening every day.”
Marlinspike said that with the current CA model, if a user doesn’t trust Comodo there is little they can do.
“If you remove them from the list of trust authorities, the problem is that a quarter of the Internet will disappear,” Marlinspike said. “It’s the same problem for a browser vendor; they can’t remove Comodo either.”
The essence of the problem is that the current CA system doesn’t provide for trust agility.
“Trust agility means that a trust decision can be revised at any time,” Marlinspike said.
The other issue for Marlinspike is about giving users the choice of where they want to anchor their trust. He explained that in the current SSL CA model the user connects to a site, which then connects to the CA, which in turn authenticates the SSL certificate. Marlinspike wants to invert the relationship and have the user interact with the authority system directly as a way to provide trust agility.
To that end, Marlinspike introduced a replacement for the CA system, called Convergence. Marlinspike explained that instead of a CA there is a notary server that allows for trust agility. Privacy is achieved via local caching on the browser side, so the second time the user talks to an SSL site, if the SSL certificate is the same, there will be no need to check with a notary. On the first attempt the user side will check with the notary to ensure SSL authenticity.
Convergence is available as of today as a Firefox add-on at Marlinspike’s site, convergence.io. He said that the system does not require any changes for websites.
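The client-side flow described above (notary check on first contact, local cache afterwards, anchors the user can revise), as an added Python example that is not Convergence's own code. Assumptions: notaries are modelled as in-process callables, every chosen notary must agree, the cache is cleared when anchors change, and all names and sample data are constructed for illustration.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's raw bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def make_notary(view: dict):
    """Hypothetical notary: vouches only for the fingerprint it observed itself."""
    return lambda host, fp: view.get(host) == fp

class NotaryClient:
    def __init__(self, notaries: dict):
        self.notaries = dict(notaries)  # user-chosen trust anchors: name -> callable
        self.cache = {}                 # host -> fingerprint already vouched for
        self.queries = 0                # notary lookups made (what notaries learn)

    def verify(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        if self.cache.get(host) == fp:
            return "cache-hit"          # same certificate as before: no notary contact
        answers = []
        for ask in self.notaries.values():
            self.queries += 1
            answers.append(ask(host, fp))
        if answers and all(answers):    # assumption: every chosen notary must agree
            self.cache[host] = fp
            return "notary-ok"
        return "rejected"

    def replace_notaries(self, notaries: dict) -> None:
        """Trust agility: revise the anchors and drop decisions made under the old ones."""
        self.notaries = dict(notaries)
        self.cache.clear()

# Constructed sample data, not real certificates.
GOOD, OTHER = b"constructed-site-cert", b"constructed-substituted-cert"
HOST = "shop.example"
honest = make_notary({HOST: fingerprint(GOOD)})
careless = lambda host, fp: True        # constructed notary that vouches for anything

def demo():
    c = NotaryClient({"n1": honest, "n2": honest})
    out = [c.verify(HOST, GOOD), c.verify(HOST, GOOD), c.queries]
    out.append(c.verify(HOST, OTHER))   # certificate changed: notaries asked again
    c2 = NotaryClient({"n3": careless})
    out.append(c2.verify(HOST, OTHER))  # a poorly chosen anchor accepts it
    c2.replace_notaries({"n1": honest})
    out.append(c2.verify(HOST, OTHER))  # revised decision takes effect at once
    return out
```

The `queries` counter shows the privacy property: the repeat visit with an unchanged certificate contacts no notary, while a changed certificate always triggers a fresh check.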
“I want to leave you with this,” Marlinspike concluded. “If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?”