Slashdot Mirror
SSL Certificate Authorities vs. Convergence, Perspectives
alphadogg writes "With all the publicity about breaches of SSL certificate authorities and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to. Protecting SSL and its updated version TLS is vital because they support most e-commerce transactions by setting up end-to-end encrypted sessions that are authenticated, and that requires certificates that are verified by certificate authorities. One new model for authentication is called Convergence, and it similar to one being trialed at Carnegie Mellon University called Perspectives. Rather than trusted third parties whose trust can't be assured, SSL/TLS authentication would rely on a reputation system of verification."
Any reputation system that doesn't rely on some central authority to issue it can and will be gamed by crackers. With massive botnets and the like there is simply no way to rely on any number of "individuals" to issue correct information. The only way around this is to have some central authority say "your opinion matters and yours doesn't." Voila, you have the present system.
For unimportant things or things so unimportant the difficulty makes the problem not worthwhile, a distributed reputation system works. Someone above mentioned Ebay. This system works because the rating of individual sellers, while important to them, isn't terribly important to all that many people, and the system is rather difficult for an individual to game. But for a distributed SSL certificate network, not only is the incentive there, but the people involved are massive and extremely technologically sophisticated.
Convergence is unfortunately not the answer. Sure, you can say "I only trust this Notary", but how do you know that Notary is even who you think it is? You can't. The only way is if you have centrally distributed root certificates... and again, same problem you have now. Ultimately, the only real way to get guaranteed SSL security is to call up the bank/ whatever and manually verify the fingerprint. Or get the key on a USB drive at the bank. There simply isn't an easy solution.
And you won't get your average Internet browser to change. People conducting MITM attacks generally aren't concerned with people who are really security conscious. If they actually are conducting targeted attacks against you, then you should have much better security in place. Since most people simply won't switch, even if Convergence was 100% effective it wouldn't matter. Most SSL attacks would still take place just fine.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
What happens when you are a software company that will have at best 1000 clients?
That's the issue I am facing right now with Norton and SONAR. I started deploying with Clickonce since i needed to add SQLCE to our customers machines. Now SONAR pops up and deletes our software randomly. If you look at the logs, Norton actually says "YOU CHOSE TO DELETE THIS".
That's just an Antivirus company. How in the hell can I expect to be able to deliver product and keep it updated if I'll never have enough customers to "Trust" our software and build a reputation?
We cater to a pool of clients that will never go above 1100 customers. Does this mean that in addition to AV troubles, we will never get trusted because we cannot possibly get enough people to make the numbers to BE trusted?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
A more pertinent issue with Perspectives, as I see it, is that if someone MITM's very close to you
Ditto on the other side. It's impossible to distinguish a valid key change from an invalid one. Since the people attesting to the authenticity of a certificate have zero 'special' interaction, it remains feasible to fool them. It basically throws the baby out with the bathwater. The problem by and large is any singular CA can attest for any thing it feels like. A better approach would be:
-DNSSEC secured results enumerating the CAs the site selected to secure the domain. If DigiNotar signs yourdomain.com and your DNSSEC says 'Thawte', then there is an issue.
-Multiple CAs signing a certificate. If you have 3 or so CAs (all listed in your DNSSEC record of course), then compromising all three would be required to compromise your security.
-A positive OSCP response should be required. Currently, even when OSCP is checked, if some return indicates 'general error' or 'try again later', that's taken as good enough.
-Having a reputation system as an extra measure makes sense. Perhaps https without a 'padlock' given a positive reputation based read in absence of anything else, and if reputation and CA both check out, grant the visual indication of secure.
XML is like violence. If it doesn't solve the problem, use more.
The short answer is, users want a binary answer. Can this site be trusted, true/false. Every system since the "web of trust" in the early 90s that has had a fuzzy answer of "somewhat trusted" has failed. And it stands to reason that when you want such a binary answer, you'll do the minimum required to satisfy it. There's nothing today that prevents your certificate from being signed by multiple CAs, it's just that it doesn't give you anything. The line will show up green in people's web browsers whether it's signed by one or five CAs, it just adds costs with no benefit.
I can sort of understand that, if I got a company's phone number I fully expect to call them and reach that company, not getting MITM'd to some scam center somewhere. Of course there's all the other scams involved but if I type [company].com I expect there to be some trusted index that makes sure I get to the right site. If that site has been compromised that's another matter, but the sites that need to be secured are usually very secure. I just need to be sure I'm going to the right place.
Another matter is client security, if your client is compromised then it can show you anything. That's why my bank texts me to confirm payments, giving all the relevant information in the text. Like are you sure you want to transfer X to account Y, if so text OK back. That's really the only way to be sure, otherwise it could authorize some completely different transaction than what it told me, for example through a fake error message. Oh, that must have been a typo let's try again. One fake payment and one real.
Live today, because you never know what tomorrow brings
EBay doesn't have a reputation system. A reputation system requires that parties be able to add or subtract from the feedback based upon their views. There will be a few that don't match or are wrong, but over time the values will tend to reflect reality.
With eBay, they don't let sellers leave negative feedback anymore and as a result the whole system is badly flawed and tends to just reward bad behavior by buyers.
Notaries are no more trustworthy than CAs; the advantage is what Moxie Marlinspike calls "trust agility". See, if a CA is compromised, users cannot easily stop trusting the CA. The big CAs simply have too much influence. Drop a major CA, and a significant percentage of the internet's certs are no longer valid. The economic costs of replacing a CA are tremendous.
If a notary is compromised, no big deal. Notaries can be dropped and replaced without any noticeable consequence. Notaries can be just as effective as CAs, with the advantage that they can be easily replaced.