    Researchers Propose Way to Thwart Fraudulent Digital Certificates

By Brian Prince - May 24, 2012

      Two researchers have proposed an extension to TLS, or transport layer security, as a solution to some of the security challenges facing the Secure Sockets Layer certificate ecosystem.

Their proposal comes after a troublesome year for certificate authorities (CAs), during which a number of high-profile CA security breaches shook the IT industry's confidence in SSL certificates and raised questions about whether it was time to develop a new certification process.

In response to the situation, researchers Moxie Marlinspike and Trevor Perrin have outlined a proposal for what they call TACK, or Trust Assertions for Certificate Keys. In a paper detailing the design, the researchers explained that it can help address the problem of attackers spoofing SSL certificates by enabling a site to sign its TLS servers' public keys with a TACK key.

      “Traditionally, a TLS client verifies a TLS server’s public key using a certificate chain issued by some public CA,” they wrote. “‘Pinning’ is a way for clients to obtain increased certainty in server public keys. Clients that employ pinning check for some constant pinned element of the TLS connection when contacting a particular TLS host.”

      “Unfortunately, a number of problems arise when attempting to pin certificate chains: The TLS servers at a given hostname may have different certificate chains simultaneously deployed and may change their chains at any time, the ‘more constant’ elements of a chain (the CAs) may not be trustworthy, and the client may be oblivious to key compromise events which render the pinned data untrustworthy,” they explained.

      Signing TLS server public keys with TACK keys allows clients to pin a hostname to the TACK key without requiring sites to modify their existing certificate chains or limiting the site’s ability to deploy different certificate chains on different servers or change certificate chains at any time.

      “Inside the TACK is a public key and signature,” the researchers wrote. “Once a client has seen the same (hostname, TACK public key) pair multiple times, the client will ‘activate’ a pin between the hostname and TACK key for a period equal to the length of time the pair has been observed for. This ‘pin activation’ process limits the impact of bad pins resulting from transient network attacks or operator error.”

      If the user comes across a fraudulent certificate on a pinned site, their browser will reject the session and alert the user, they explained.
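As an added illustration of the pin activation rule quoted above, here is a small Python model of a client-side pin store. It is not the authors' reference code; the hostnames, key fingerprints and timestamps are constructed, and it keeps only the behaviour the article describes: a pin becomes active once the same (hostname, TACK key) pair has been seen more than once, stays active for as long as the pair was observed, and a differing key is rejected only while the pin is active.

```python
from dataclasses import dataclass


@dataclass
class PinEntry:
    """One observed (hostname, TACK key) pair and its activation window."""
    tack_key: str       # constructed fingerprint of the TACK public key
    first_seen: int     # time (seconds) the pair was first observed
    active_until: int = 0   # pin is enforced while now < active_until


class PinStore:
    """Client-side pin store modelling TACK pin activation (simplified)."""

    def __init__(self) -> None:
        self.pins: dict[str, PinEntry] = {}

    def is_pinned(self, hostname: str, now: int) -> bool:
        entry = self.pins.get(hostname)
        return entry is not None and now < entry.active_until

    def observe(self, hostname: str, tack_key: str, now: int) -> bool:
        """Record one connection's (hostname, TACK key) pair.

        Returns True if the client should proceed, False if an active pin
        is violated and the session must be rejected.
        """
        entry = self.pins.get(hostname)
        if entry is None:
            # First sighting: remember the pair but do not activate a pin yet,
            # so a single transient bad observation cannot lock the host.
            self.pins[hostname] = PinEntry(tack_key, now)
            return True
        if entry.tack_key != tack_key:
            if now < entry.active_until:
                return False            # active pin mismatch: reject session
            # Pin expired (or never activated): start tracking the new key.
            self.pins[hostname] = PinEntry(tack_key, now)
            return True
        # Same pair seen again: activate for as long as it has been observed.
        observed_for = now - entry.first_seen
        entry.active_until = now + observed_for
        return True
```

A pin that was activated after ten days of consistent observations therefore protects the host for a further ten days, while a key the client has seen only once is never enforced.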

Their work follows a handful of incidents in the past year that put a spotlight on CA security. In March 2011, for example, an attacker hit a Comodo affiliate registration authority and stole the username and password of a trusted Comodo partner. Using those credentials, the attacker was able to request nine digital certificates across seven domains, including login.yahoo.com, mail.google.com, login.skype.com and addons.mozilla.org. According to Comodo, the situation was discovered within hours of the attack and all nine certificates were revoked.

      Five months later, certificate authority DigiNotar admitted it had been hacked earlier in the year, and Google reported an attacker used a fraudulent certificate from DigiNotar in man-in-the-middle attacks against Google users. Reports of the compromise affecting DigiNotar prompted browser vendors to revoke hundreds of bogus SSL certificates issued by the company. The situation ultimately forced DigiNotar to declare bankruptcy. Then, in November, telecommunications company KPN temporarily stopped issuing certificates after concerns were raised about a possible breach.

      Since TACK pins are based on TACK keys, trust in the CA is not required. The TACK key may also be used to revoke previous TACK signatures in order to handle the compromise of TLS or TACK private keys, the researchers wrote.

      “We’re hoping this is a fairly uncontroversial proposal,” Marlinspike said in an email to eWEEK. “The next step is to start having conversations with browser vendors about opportunities for integration.”
