SSL certificate authorities vs. ???

With all the publicity about breaches of SSL certificate authorities and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to.

Protecting SSL and its updated version TLS is vital because they support most e-commerce transactions by setting up end-to-end encrypted sessions that are authenticated, and that requires certificates that are verified by certificate authorities.


INTERVIEW: Father of SSL says despite attacks, the security linchpin has lots of life left 

Verification is supposed to assure that a public encryption key presented by a device is actually owned by the entity that claims to own it. It is meant to say, yes, you are indeed about to enter a secure session with your bank. The certificate authority plays this verification role and is considered a trusted third party in public key infrastructure.

The problem is certificate authorities can't always be trusted.

Earlier this year, certificate authority Comodo was breached and nine fraudulent digital certificates were issued. The certificates let the thieves trick Iranian users into thinking they were connecting to Google, Yahoo, Skype and Mozilla when they weren't. That deception would enable the thieves to gather user IDs and passwords to break into customers' real accounts with those businesses.

Later on, a similar breach at Dutch certificate authority DigiNotar yielded 500 or so fraudulent certificates that so damaged the company's credibility - and the ability of the Dutch government to function online - that the company declared bankruptcy.

These are the manifestation of problems that have been talked about for years. Security expert Moxie Marlinspike has repeatedly demonstrated weaknesses and exploits against certificate authorities in public forums and calls for replacing them altogether.

He actually recommends a new model for authentication that he calls Convergence that is similar to one being trialed at Carnegie Mellon University called Perspectives. Rather than trusted third parties whose trust can't be assured, SSL/TLS authentication would rely on a reputation system of verification.

Servers called notaries are set up to constantly ping and re-ping sites on the Internet and record what certificates they present. When asked by browsers seeking to verify sites, notaries respond with the certificates that the sites have been issuing over time. The browsers check whether the certificates issued by the notaries match the certificates sent by the sites.

So if a customer is trying to reach, the customer's browser would ask a notary what certificate it has been receiving over time from If the response matches the certificate the customer just got, that serves as verification.

Under Perspectives and Convergence models, anyone can set up a notary. Over time, the reliability of notaries will establish their reputations as deserving or not deserving trust.

An upside of the notary system is that end users get to pick which notaries they want to poll and can add or drop them as they see fit. With certificate authorities, browsers are preloaded with the certificate authorities they trust and end users can either use them or forfeit access to Web sites that use those certificate authorities.

Separating the trust decision from the browser manufacturers is a good step, says Taher Elgamal, CTO of Axway and one of the creators of SSL. He says the root of trust should be the Internet and its reputation ecosystem. Users would recognize notaries that can't be trusted and reject them.

What's needed is a way for browsers to learn when a notary's reputation has been tarnished. "And I'm not saying I know how to implement this, but it's a better model," Elgamal says.

It's pretty clear, though that the certificate authority system doesn't work, he says, and that something else is needed. The problem is that because SSL is so widely used, implementing it will require cooperation of browser vendors to support a new system or at least support add-ons that do.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitySSL

More about AxwayCarnegie Mellon University AustraliaComodoGoogleLANMellonMozillaSkypeYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place