Slashdot Mirror


SSL Certificate Authorities vs. Convergence, Perspectives

alphadogg writes "With all the publicity about breaches of SSL certificate authorities and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to. Protecting SSL and its updated version TLS is vital because they support most e-commerce transactions by setting up end-to-end encrypted sessions that are authenticated, and that requires certificates that are verified by certificate authorities. One new model for authentication is called Convergence, and it is similar to one being trialed at Carnegie Mellon University called Perspectives. Rather than trusted third parties whose trust can't be assured, SSL/TLS authentication would rely on a reputation system of verification."

20 of 127 comments

  1. Reputation system by Ayourk · · Score: 2

    Reputation systems seem to have worked quite well for eBay and other similar sites, I don't see why it can't work for some sort of SSL.

    1. Re:Reputation system by hedwards · · Score: 3, Interesting

      EBay doesn't have a reputation system. A reputation system requires that parties be able to add or subtract from the feedback based upon their views. There will be a few that don't match or are wrong, but over time the values will tend to reflect reality.

      With eBay, they don't let sellers leave negative feedback anymore and as a result the whole system is badly flawed and tends to just reward bad behavior by buyers.

  2. Why use a reputation system? by impaledsunset · · Score: 2

    A reputation system is good if you have a distributed anonymous network of sites, and it will perhaps do a great job there. But it has the potential to be abused and it is way too complicated. Why not go with something simpler?

    1. Use the DNS CERT record and ensure that we use dnssec with all zones up to the root signed (or another DNS security scheme).
    2. Remember the last certificate and warn the user every time when it changes. Notify the user that he should signal for an issue if it changes too often.

    Of course, that's vulnerable if the root servers are cracked, but if that happens, you're fucked anyway. It's much more difficult to exploit than multiple certificate authorities which sign certificates when you have *no* way to detect a failure on their part.

    I heard that there could be issues with dnssec, but there are also solutions offered, so, why go with something far more complicated?

  3. So why do I trust the notaries? by pathological+liar · · Score: 2

    These systems depend on notaries, why do I trust them any more than the CAs? The Perspectives notaries are... AWS and a handful of servers from a single American university (MIT)

    Not exactly diverse.

    1. Re:So why do I trust the notaries? by Junta · · Score: 3, Insightful

      A more pertinent issue with Perspectives, as I see it, is that if someone MITM's very close to you

      Ditto on the other side. It's impossible to distinguish a valid key change from an invalid one. Since the people attesting to the authenticity of a certificate have zero 'special' interaction, it remains feasible to fool them. It basically throws the baby out with the bathwater. The problem by and large is any singular CA can attest for anything it feels like. A better approach would be:
      - DNSSEC secured results enumerating the CAs the site selected to secure the domain. If DigiNotar signs yourdomain.com and your DNSSEC says 'Thawte', then there is an issue.
      - Multiple CAs signing a certificate. If you have 3 or so CAs (all listed in your DNSSEC record of course), then compromising all three would be required to compromise your security.
      - A positive OCSP response should be required. Currently, even when OCSP is checked, if some return indicates 'general error' or 'try again later', that's taken as good enough.
      - Having a reputation system as an extra measure makes sense. Perhaps https without a 'padlock' given a positive reputation based read in absence of anything else, and if reputation and CA both check out, grant the visual indication of secure.

      --
      XML is like violence. If it doesn't solve the problem, use more.
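Added example, not part of the thread: a small model of the first three checks proposed in the comment above (DNS-published CA list, every listed CA must sign, OCSP must answer positively), with the soft-fail behaviour shown beside hard-fail. The function name, the status strings and the CA names other than DigiNotar and Thawte are assumptions made for illustration.

```python
def evaluate(signing_cas, dns_cas, dnssec_valid, ocsp_status, ocsp_hard_fail=True):
    """Return (accept, problems) for one presented certificate.

    signing_cas   -- CAs whose signatures verified on the certificate
    dns_cas       -- CAs the site owner published in DNS for this domain
    dnssec_valid  -- True only if that DNS answer validated under DNSSEC
    ocsp_status   -- "good", "revoked", or an error such as "try_later"
    """
    problems = []
    if not dnssec_valid:
        # An unsigned CA list could have been rewritten by the attacker.
        problems.append("CA list from DNS did not validate under DNSSEC")
    else:
        unlisted = sorted(set(signing_cas) - set(dns_cas))
        missing = sorted(set(dns_cas) - set(signing_cas))
        if unlisted:
            problems.append("signed by CA not listed in DNS: " + ", ".join(unlisted))
        if missing:
            problems.append("listed CA did not sign: " + ", ".join(missing))
    if ocsp_status == "revoked":
        problems.append("OCSP: certificate revoked")
    elif ocsp_status != "good" and ocsp_hard_fail:
        # Soft-fail treats errors as success, so blocking OCSP hides a revocation.
        problems.append("OCSP: no positive response (%s)" % ocsp_status)
    return (not problems, problems)

def demo():
    """Constructed scenarios; no network access is performed."""
    listed = ["Thawte", "Example CA B", "Example CA C"]  # hypothetical DNS record
    return {
        "all_listed_sign": evaluate(listed, listed, True, "good"),
        "wrong_ca": evaluate(["DigiNotar"], ["Thawte"], True, "good"),
        "one_ca_missing": evaluate(listed[:2], listed, True, "good"),
        "ocsp_error_soft": evaluate(listed, listed, True, "try_later", ocsp_hard_fail=False),
        "ocsp_error_hard": evaluate(listed, listed, True, "try_later"),
        "unsigned_dns": evaluate(listed, listed, False, "good"),
    }

if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "ACCEPT" if ok else "REJECT", problems)
```
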
    2. Re:So why do I trust the notaries? by GrievousMistake · · Score: 2

      if someone MITM's very close to you (think the people who own/control the AP you're connecting through at a hotel), they could MITM *all* of the notaries as well

      The communication with the notaries is in all likelihood encrypted and signed with predistributed keys, similar to CA certificates today. That's not a large problem, because ultimately you have to trust the software you are running anyway.
      That still retains all the benefits over the CA system that you mention; you get multiple points of trust that all have to be compromised, and if one is compromised you can distrust it with minimal consequences.

      --
      In a fair world, refrigerators would make electricity.
    3. Re:So why do I trust the notaries? by GrievousMistake · · Score: 2

      - DNSSEC secured results enumerating the CAs the site selected to secure the domain. If DigiNotar signs yourdomain.com and your DNSSEC says 'Thawte', then there is an issue.
      - Multiple CAs signing a certificate. If you have 3 or so CAs (all listed in your DNSSEC record of course), then compromising all three would be required to compromise your security.

      What does this gain you over storing the cert signature itself in DNSSEC?

      Since the people attesting to the authenticity of a certificate have zero 'special' interaction, it remains feasible to fool them.

      Nothing prevents a notary from taking extra steps to verify the authenticity of a certificate. That is one of the advantages of the concept: other methods of authentication can be added in a modular way.
      In some ways the notary system gives you the security of the strongest of the notaries you trust, and the CA system gives you the security of the weakest of the CAs you trust.

      --
      In a fair world, refrigerators would make electricity.
    4. Re:So why do I trust the notaries? by MSG · · Score: 3, Informative

      Notaries are no more trustworthy than CAs; the advantage is what Moxie Marlinspike calls "trust agility". See, if a CA is compromised, users cannot easily stop trusting the CA. The big CAs simply have too much influence. Drop a major CA, and a significant percentage of the internet's certs are no longer valid. The economic costs of replacing a CA are tremendous.

      If a notary is compromised, no big deal. Notaries can be dropped and replaced without any noticeable consequence. Notaries can be just as effective as CAs, with the advantage that they can be easily replaced.

  4. Won't work by Baloroth · · Score: 5, Insightful

    Any reputation system that doesn't rely on some central authority to issue it can and will be gamed by crackers. With massive botnets and the like there is simply no way to rely on any number of "individuals" to issue correct information. The only way around this is to have some central authority say "your opinion matters and yours doesn't." Voila, you have the present system.

    For unimportant things or things so unimportant the difficulty makes the problem not worthwhile, a distributed reputation system works. Someone above mentioned eBay. This system works because the rating of individual sellers, while important to them, isn't terribly important to all that many people, and the system is rather difficult for an individual to game. But for a distributed SSL certificate network, not only is the incentive there, but the people involved are massive and extremely technologically sophisticated.

    Convergence is unfortunately not the answer. Sure, you can say "I only trust this Notary", but how do you know that Notary is even who you think it is? You can't. The only way is if you have centrally distributed root certificates... and again, same problem you have now. Ultimately, the only real way to get guaranteed SSL security is to call up the bank/whatever and manually verify the fingerprint. Or get the key on a USB drive at the bank. There simply isn't an easy solution.

    And you won't get your average Internet browser to change. People conducting MITM attacks generally aren't concerned with people who are really security conscious. If they actually are conducting targeted attacks against you, then you should have much better security in place. Since most people simply won't switch, even if Convergence was 100% effective it wouldn't matter. Most SSL attacks would still take place just fine.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  5. A reputation system? by the_Bionic_lemming · · Score: 5, Interesting

    What happens when you are a software company that will have at best 1000 clients?

    That's the issue I am facing right now with Norton and SONAR. I started deploying with ClickOnce since I needed to add SQLCE to our customers' machines. Now SONAR pops up and deletes our software randomly. If you look at the logs, Norton actually says "YOU CHOSE TO DELETE THIS".

    That's just an Antivirus company. How in the hell can I expect to be able to deliver product and keep it updated if I'll never have enough customers to "Trust" our software and build a reputation?

    We cater to a pool of clients that will never go above 1100 customers. Does this mean that in addition to AV troubles, we will never get trusted because we cannot possibly get enough people to make the numbers to BE trusted?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  6. Monkeysphere as a good alternative? by jbaach · · Score: 2

    I just came across http://web.monkeysphere.info/why/, which looks to me like an interesting idea: delegate the trust issue to the PGP web of trust. Maybe this would be a sane alternative?

    1. Re:Monkeysphere as a good alternative? by turbidostato · · Score: 2

      "OpenPGP is too hard for normal people"

      And that's exactly the point.

      Security is not easy. Not in the physical world, not in the intertubes. And people don't really worry about security (not in advance, at least), so they deem it to be "too hard".

  7. It's more than e-Commerce by Anonymous Coward · · Score: 2, Insightful

    To keep saying only that the flaws in SSL/TLS protocols and trust infrastructure affect e-Commerce is untrue and trivialises the scope of the issue. And yet this seems to be the only example ever trotted out with these stories.

    People need to realise that it's more than web sites that are affected, it's everywhere that SSL/TLS is used including secure e-mail, VPN infrastructure and the like. Start telling your CIOs and CEOs that their secure IMAP can be sniffed by NewsCorp so they can publish news of their office romances, or that the VPN tunnels between offices can be sniffed by competitors leading to the theft of billion dollar trade secrets and you might start to see some buy-in on the problem.

  8. Users want a binary answer by Kjella · · Score: 3, Insightful

    The short answer is, users want a binary answer. Can this site be trusted, true/false. Every system since the "web of trust" in the early 90s that has had a fuzzy answer of "somewhat trusted" has failed. And it stands to reason that when you want such a binary answer, you'll do the minimum required to satisfy it. There's nothing today that prevents your certificate from being signed by multiple CAs, it's just that it doesn't give you anything. The line will show up green in people's web browsers whether it's signed by one or five CAs, it just adds costs with no benefit.

    I can sort of understand that, if I got a company's phone number I fully expect to call them and reach that company, not getting MITM'd to some scam center somewhere. Of course there's all the other scams involved but if I type [company].com I expect there to be some trusted index that makes sure I get to the right site. If that site has been compromised that's another matter, but the sites that need to be secured are usually very secure. I just need to be sure I'm going to the right place.

    Another matter is client security, if your client is compromised then it can show you anything. That's why my bank texts me to confirm payments, giving all the relevant information in the text. Like are you sure you want to transfer X to account Y, if so text OK back. That's really the only way to be sure, otherwise it could authorize some completely different transaction than what it told me, for example through a fake error message. Oh, that must have been a typo let's try again. One fake payment and one real.

    --
    Live today, because you never know what tomorrow brings
    1. Re:Users want a binary answer by scdeimos · · Score: 2

      Yes, users want a binary answer, but they have no understanding of what's going on behind the scenes to arrive at that answer. As far as they're concerned "it just works" and they leave the details up to people smarter than themselves.

      Example: the line showing up green in the user's browser is only indicating that the presented certificate is trusted by a CA somewhere in the user's browser certificate cache. It might be that the presented certificate is signed by DigiNotar, even though the correct certificate should have been signed by Thawte, but the user agent doesn't do that check - it only knows that DigiNotar is trusted - so the presented certificate is shown to be OK.

      Having multiple CAs signing a certificate isn't going to help anybody, as the browsers don't check that a certificate is signed by the correct CA (or collective). What is needed is something to confirm that the presented certificates are genuine, not just that they're signed by someone we supposedly trust. That's what Convergence and Perspectives seem to be trying to achieve, but now you're needing to trust them instead of the CAs.

  9. All I want is an encrypted link by Beeftopia · · Score: 2

    I can register a domain, get a small server on the internet and serve malware. I can easily get a certification authority to give me a certificate.

    All I've ever wanted a certificate for is so that users don't get the freak out security warning saying that "this certificate is not issued by a known certifying authority." I can just as easily self sign a certificate and get the encrypted link, but all the popular browsers will check their internal list of certifying authorities and show the warning.

    The only reason I've wanted certificates is so that users can get a strongly encrypted link with the website and use it over wireless/sketchy networks. I really don't see the purpose of having the third party certifying authority in the picture, other than the browser warning.

    1. Re:All I want is an encrypted link by jbolden · · Score: 2

      The point of the authority is to verify you are who you claim to be. For example if you set up a website and called yourself IBM

  10. Names by kangsterizer · · Score: 2, Insightful

    Can't people start using names that MAKE SENSE again?

    Who the hell cares how cool it sounds. It's a technical thing, the public doesn't care. Convergence. Perspectives. Seriously? How does one figure any of those names is related to security?

    Heck SSL was called Secure Socket Layer. That makes sense. Computer, is a thing that computes. Makes sense.
    Keyboard is a board full of keys. TLS is Transport Layer Security. Goes on and on.
    Then bang, now you get "convergence" and such crappy names that mean nothing. Annoying :(

  11. Re:oh look by fluffy99 · · Score: 2

    this story again.

    Yup, another summary that doesn't understand the difference between using a cert for authentication and using SSL/TLS to encrypt the connection. If using TLS with Diffie-Hellman key exchange, the connection is securely encrypted regardless of whether an attacker has the server's private key.

  12. Re:Meh by Znork · · Score: 2

    Increasing the number of parties involved is the point; they have to agree to clear a site.

    As it is, even besides getting hacked, there isn't a registrar that won't hand over false keys to any security agency in a country they're based. But it might be a bit more difficult for one party to lean on notaries in the US, Russia, China and Switzerland at the same time. Once they don't agree, you know that there's something going on.
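Added example, not part of the thread: a simplified model of two ideas raised in the comments, remembering the last certificate seen for a site and requiring independent notaries to agree before a new one is accepted. It is not the Convergence or Perspectives protocol; the notary names, the quorum of 3 and the byte strings standing in for certificates are all constructed for illustration.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate bytes the server presented to us."""
    return hashlib.sha256(der_cert).hexdigest()

def check_site(host, der_cert, pins, observations, quorum=3):
    """Decide whether to accept der_cert for host.

    pins         -- dict host -> fingerprint remembered from earlier visits
    observations -- dict notary name -> fingerprint that notary saw from its
                    own vantage point, or None if it could not be reached
    """
    fp = fingerprint(der_cert)
    if pins.get(host) == fp:
        return "accept: matches remembered certificate"
    agree = [n for n, seen in observations.items() if seen == fp]
    dissent = sorted(n for n, seen in observations.items()
                     if seen is not None and seen != fp)
    if dissent:
        return "reject: notaries saw a different certificate: " + ", ".join(dissent)
    if len(agree) < quorum:
        return "reject: only %d of %d required notaries confirmed" % (len(agree), quorum)
    changed = host in pins
    pins[host] = fp  # remember it; the next change is checked against this value
    if changed:
        return "accept: certificate changed, notaries agree"
    return "accept: first visit, notaries agree"

# Constructed sample data: byte strings stand in for DER certificates.
REAL, ROTATED, FORGED = b"real-cert", b"rotated-cert", b"forged-cert"
NOTARIES = ["notary-us", "notary-ru", "notary-cn", "notary-ch"]  # hypothetical

def view(cert, unreachable=()):
    """What each notary reports when the server is really serving cert."""
    return {n: None if n in unreachable else fingerprint(cert) for n in NOTARIES}

def demo():
    pins = {}
    return [
        check_site("bank.example", REAL, pins, view(REAL)),        # first visit
        check_site("bank.example", REAL, pins, {}),                # already pinned
        check_site("bank.example", FORGED, pins, view(REAL)),      # substituted cert
        check_site("bank.example", ROTATED, pins, view(ROTATED)),  # real key change
        check_site("shop.example", REAL, pins, view(REAL, unreachable=NOTARIES[:2])),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Dropping a notary is a one-line change to `NOTARIES`, which is the "trust agility" property mentioned earlier in the thread.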