Firefox Add-on Bypasses Certificate Authorities
"The truth is, somewhere along the line, we made a decision to trust Comodo", Marlinspike said, adding, "And now we are locked into trusting them forever, and this is the essence of the problem".
The current system doesn't support "trust agility," or the flexibility to revise the list of who to trust and who not to trust, according to Marlinspike. Comodo may have been trusted at one point, but now it's near impossible to remove from the list without making large swathes of Internet "disappear," he said.
Users also don't have a choice of which certificate authorities to trust under the current CA system, Marlinspike said. When a user accesses a Website it connects to the CA authority, which authenticates the SSL certificate. Marlinspike wants to change the system so that the user decides which CA authority to connect with to authenticate the site's certificate.
Convergence, a Mozilla Firefox add-on released by Marlinspike, is intended to replace CAs. Instead of a certificate authority, there is a notary server that checks SSL authenticity on the user's first visit to the site. Certificates are locally cached on the browser side and checked on repeated visits. As long as the certificates match, there is no need to access the notary server again. Web site administrators won't have to make any changes to be available to users using the Convergence plugin to bypass CAs altogether, Marlinspike said.
While Marlinspike's ire was directed at Comodo, he distrusted all certificate authorities, including VeriSign. "There isn't anyone doing a great job," he said, noting that it wasn't realistic to expect that any organization can look at sites "as carefully as necessary" to certify them.
Other issues with SSL were highlighted during Black Hat. According to a survey from Qualys, a significant majority of supposedly SSL secured sites are not actually fully secured, Philippe Courtot, chairman and CEO of Qualys, told eWEEK. Organizations are implementing the security technology incorrectly, making the Websites insecure despite claiming to have SSL. Mixing encrypted and unencrypted data puts users at risk for session hijacking, for example.
"If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?" Marlinspike said at the end of his presentation.