SSL authenticity evolution

Filed Under: Data loss, Privacy, Vulnerability

I had the good fortune to recently attend GrrCON (pronounced "Grrrr Con"), one of the larger Midwestern United States information security and hacking conferences.


Moxie Marlinspike kicked off the event with his keynote presentation titled "SSL And The Future Of Authenticity."

He gave the same presentation at DEFCON, which my colleague Chester Wisniewski detailed in a fascinating article last month.

Marlinspike opened his talk with the story of how a Certificate Authority (CA) which, according to Netcraft, signs roughly 20% to 25% of SSL certificates was attacked. Not an everyday hack against a CA but, in the CA's own words, an act of war.

The CA wasn't prepared for cyberwarfare, and how could it be?

It is a business and practises security as a business does. Only countries engage in warfare, as it stated on its blog.

The moral of the story? Trust is the foundation of SSL authenticity. When the trusted authorities themselves are compromised, where do we go from there?

Marlinspike continued through his presentation covering the main components of information security: secrecy, integrity and authenticity.

All three need equal thought and care in their implementation.

When SSL was designed back in the mid-90s, the authenticity component was given the least thought; as Marlinspike put it, it was handled "with a bit of a hand wave."

With the barrage of attacks on CAs, the hand wave now mostly serves to shoo away the flies circling what's left of authenticity; see Operation Black Tulip, the investigation into the DigiNotar breach.

Marlinspike's approach to the SSL authenticity problem, a project called Convergence that builds on the Perspectives Project, is to replace certificate authorities with trust notaries.

Trust notaries compare the SSL certificate the endpoint downloaded with the certificate the notary itself downloads from the same site over its own network path. If the two match, an attacker would have had to intercept the notary's connection as well as yours, so you can be reasonably confident you're not on the receiving end of a man-in-the-middle (MITM) attack.

The notaries are owned and operated by the computing community. Anyone willing to act as a trust notary can download and install Convergence, and off you go. I'll be building a notary this weekend.

The browser extension is currently in beta for Firefox. Once it's installed, you have the comfortable feeling of knowing that you have "trust agility."

Trust agility means that you control who you trust and can change your mind at any time.

I'm also a fan of the verification threshold options Convergence provides. You control how many notaries need to agree before a certificate is accepted: just one notary, a majority of notaries, or a consensus of all of them. At the risk of sounding like Rachael Ray, "how awesome is that?"

What's appealing is getting rid of the current model, in which you trust a single entity, or a set of entities that all have the same scope, and can't walk away from any of them. With notaries, the user can drop or swap a notary whenever they need to without weakening security, and without losing a fifth to a quarter of the Internet the way you would by removing a major CA's root.

Trust agility is absolutely a must-have in this decade, especially after the more recent DigiNotar example and the complexities involved in revoking the certificates issued from its compromised systems.

A couple of kinks still need working out with Convergence. One is how to handle a website that serves 100 different certificates for the same domain, since the certificate a notary sees may legitimately differ from the one the endpoint received. Another is captive portals, such as the registration pages for Internet access in an airport or hotel, where the notaries can't be reached until you've logged in; additional protocols, such as DNS, may be needed to cover those endpoints.
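To make the notary comparison and the three verification thresholds concrete, here is an added example in Python; it is not Convergence's own code and was not part of the original post. The certificate bytes, notary names and scenarios are all constructed for illustration, and a real notary would return the fingerprint of a certificate it fetched itself. The scenarios deliberately include the two kinks above: a site that legitimately serves several certificates for one domain, and a captive portal that blocks the notaries.

```python
import hashlib
from typing import Dict, Optional

# Verification thresholds, named as the Convergence extension offers them.
ONE_NOTARY = "one"          # any one responding notary agreeing is enough
MAJORITY = "majority"       # more than half of the responding notaries agree
CONSENSUS = "consensus"     # every responding notary agrees
THRESHOLDS = (ONE_NOTARY, MAJORITY, CONSENSUS)


def fingerprint(der_cert: bytes) -> str:
    """SHA-1 fingerprint of DER certificate bytes, colon-separated hex.
    The fingerprint is the only thing client and notary need to compare;
    neither side has to parse the certificate for this check."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify(client_fp: str, observations: Dict[str, Optional[str]], threshold: str) -> bool:
    """Decide whether the certificate the client received is acceptable.

    observations maps a notary name to the fingerprint that notary saw when it
    fetched the site's certificate over its own network path, or None when the
    notary could not be reached.  Silent notaries never count as agreement,
    and with no answers at all the check fails closed.
    """
    answers = [fp for fp in observations.values() if fp is not None]
    if not answers:
        return False
    agreeing = sum(1 for fp in answers if fp == client_fp)
    if threshold == ONE_NOTARY:
        return agreeing >= 1
    if threshold == MAJORITY:
        return 2 * agreeing > len(answers)
    if threshold == CONSENSUS:
        return agreeing == len(answers)
    raise ValueError(f"unknown threshold: {threshold!r}")


def verify_all(client_fp: str, observations: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """Run the same observations through every threshold so they can be compared."""
    return {t: verify(client_fp, observations, t) for t in THRESHOLDS}


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed: example.com certificate A, legitimately issued"
CERT_B = b"constructed: example.com certificate B, legitimately issued"
CERT_C = b"constructed: example.com certificate C, legitimately issued"
CERT_MITM = b"constructed: forged example.com certificate presented by an attacker"
FP_A, FP_B, FP_C, FP_MITM = map(fingerprint, (CERT_A, CERT_B, CERT_C, CERT_MITM))

# Hypothetical scenarios: (fingerprint the client saw, what each notary saw).
SCENARIOS = {
    # Clean path: client and every notary see the same certificate.
    "clean": (FP_A, {"notary1": FP_A, "notary2": FP_A, "notary3": FP_A}),
    # Attacker between the client and the site only: no notary sees the forgery.
    "local_mitm": (FP_MITM, {"notary1": FP_A, "notary2": FP_A, "notary3": FP_A}),
    # Attacker also sits on one notary's path (or has compromised that notary).
    "one_notary_fooled": (FP_MITM, {"notary1": FP_MITM, "notary2": FP_A, "notary3": FP_A}),
    # An honest site serving different certificates for the same domain from
    # different front ends, so the notaries disagree with each other.
    "many_certs_one_domain": (FP_A, {"notary1": FP_A, "notary2": FP_B, "notary3": FP_C}),
    # Captive portal: the portal answers with its own certificate and no notary
    # can be reached from inside it.
    "captive_portal": (FP_MITM, {"notary1": None, "notary2": None, "notary3": None}),
}


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Verdict of every threshold for every scenario."""
    return {name: verify_all(fp, obs) for name, (fp, obs) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        verdicts = "  ".join(f"{t}={'ok' if ok else 'FAIL'}" for t, ok in results.items())
        print(f"{name:24s} {verdicts}")
```

Two things stand out when you run it. A "one notary" threshold accepts the forged certificate as soon as the attacker can reach, or run, a single notary, which is why majority or consensus is the setting a practitioner would choose. But under those stricter settings the multi-certificate site is indistinguishable from an attack, and the captive portal fails closed before you can even reach the login page, which is exactly why the text calls them kinks rather than solved problems.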

I leave you with this to ponder. When I asked Moxie Marlinspike what he would like to share with Naked Security readers in a context of authenticity, he replied that you need to ask yourself, "Who do I have to trust?…and for how long?"

Until next time, stay safe and secure online.


One Response to SSL authenticity evolution

  1. Dez · 1088 days ago

    Irregardless of what I may have ever said in the past I am glad folks like this are here to help us!


About the author

David Schwartzberg is a Senior Security Engineer at Barracuda Networks, a security company, where he specializes in network security. Drawing on his 6 years of accounting experience and a combined 17 years of IT and InfoSec experience, he speaks regularly with technology executives and professionals to help them protect their corporate secrets and stay compliant. David holds a black belt in Taekwondo and is an amateur competitor. You can follow David on Twitter as @DSchwartzberg.