The movement began last summer at the Black Hat Briefings where Moxie Marlinspike introduced Convergence, his proposal for a CSA alternative. Convergence is a secure protocol that includes a client and server implementation that enables users to rely on a network of notary servers to validate the authenticity of SSL certificates rather than certificate authorities. Convergence, he said, gives users the ability to choose which CA to trust and be agile enough to revise that decision at their discretion.
“All of your trust isn’t isolated in a single bad actor,” he said.
Certificate authorities had a particularly bad year in 2011. Dutch CA DigiNotar was breached in September and eventually filed for bankruptcy after the major browser vendors pulled their support for DigiNotar-signed SSL certificates. The DigiNotar breach came on the heels of a similar intrusion at Comodo reported last March. Nine fraudulent SSL certs were issued to sites in seven domains as a result of the Comodo breach, the company wrote on its blog March 23. Comodo was subsequently attacked three more times last year.
Comodo is one of 650 CAs issuing SSL certificates today, Marlinspike said. This is the fundamental issue with the CA infrastructure in place, he said; you need to trust all of them. Comodo, for example, issues SSL certs for one quarter of the Internet.
“I can remove Comodo from my trust database, but if I do that, one quarter of the Internet is no longer accessible. Yes I can take the ideological stance to never visit them again, but in reality, this is not an appropriate response,” Marlinspike said. “This is true for the browser vendors too; they cannot remove them. Comodo knows this. We made a decision to trust Comodo and we’re locked into trusting them forever. This is the essence of the problem.”
What Convergence does is put the ability to choose a trusted CA in the hands of the user, he said.
“People may say I’m being paranoid, but I’m not. Why should I trust them forever without the opportunity to revise my choice or [CAs] having any incentive to operate appropriately?” Marlinspike asked.
Convergence is based on a similar project called Perspectives, released in 2008 by researchers at Carnegie Mellon University. Perspectives also uses notaries, not authorities to validate SSL certs. There are performance and privacy challenges, however, including the leakage of browsing history to a third party notary as it’s contacted. Convergence avoids this by using multiple notaries, encrypting the connection to the first notary it hits. That notary then contacts other notaries; the notary doesn’t know who you are, just what you’re asking.
“Two notaries would have to collude to know your bouncing history is encrypted,” Marlinspike said, adding there are 200 notaries listed on the Convergence website.
Fundamentally, like most early Internet protocols, SSL was not designed with ecommerce in mind. When it was introduced in the mid-1990s, credit card numbers were not transmitted over the Internet, Web applications did not exist and credentials were not exchanged online. There were fewer than 10 secure websites on the Internet when SSL was designed, Marlinspike said.
“Certificates and CAs were the solution,” he said. “Wouldn’t it be great to implement something like Convergence into the four major Web browsers and be done with it and put the CAs out of business?”
View all of our RSA 2012 Conference coverage.