Feeds

Google: SSL alternative won't be added to Chrome

Path converges into security quagmire

The Power of One eBook: Top reasons to choose HP BladeSystem

Still smarting from a counterfeit secure sockets layer certificate that threatened at least 300,000 of its users in Iran, Google has no plans to fortify its Chrome browser with an experimental technology that bypasses the current system for validating websites.

In a blog post published Wednesday, Google security researcher Adam Langley said he didn't think the technology known as Convergence “is something we would add in Chrome.” Moxie Marlinspike, a researcher who has made a career out of exposing huge architectural cracks in the net's foundation of trust, designed the system to address security vulnerabilities and privacy weaknesses in the current SSL system.

In a nutshell, Convergence is a crowd-sourcing technology that allows endusers to query people or organizations they trust to vouch for the validity of certificates used to authenticate Gmail, eBay, or any other website that uses an https suffix prefix. In its current incarnation, the system relies on a handful of “notaries,” including Marlinspike's organization and the the Electronic Frontier Foundation. It's capable of accommodating an unlimited number of notaries and would allow end users to query as many or as few as they want.

Convergence prevents certificate authorities from logging what trusted websites a given user accesses, and it also allows users to choose who they trust. For an in-depth description, see this video of Marlinspike's presentation at the Black Hat Security conference in August.

Google's Langley lauded the idea of “trust agility” behind Convergence, but said he didn't think the practical considerations made it a suitable addition to Chrome. Among other problems cited, he said “99.99% of Chrome users” would never change default Convergence settings designating which notaries should be queried. He continued:

Given that essentially the whole population of Chrome users would use the default notary settings, those notaries will get a large amount of traffic. Also, we have a very strong interest for the notaries to function, otherwise Chrome stops working. Combined, that means that Google would end up running the notaries. So the design boils down to Chrome phoning home for certificate validation. That has both unacceptable privacy implications and very high uptime requirements on the notary service.

Langley also said Convergence would do nothing to fix certain problems Marlinspike and others have identified in the current SSL system. They include the use of “captive portals” at Wi-Fi hotspots and elsewhere that require users to enter credit card numbers into a portal page before getting an internet connection. The lack of a link to the outside world makes it impossible for users to know they're giving their card number to a valid site, but they can't get an outside connection until they do, creating a Catch 22.

Langley also cited the problem of firewalled “internal servers,” in corporate networks that prevent notaries from seeing the sites an end user wants validated.

Langley's post comes nine days after the discovery of a fraudulent Google.com certificate that was issued in early July by DigiNotar, a Netherlands-based certificate authority whose trusted imprimatur was used to validate official websites of the Dutch government. More than 300,000 people, mostly located in Iran, were exposed to the certificate while trying to access Gmail.

A recent security audit documented weak passwords and other security lapses and the issuance of at least 531 bogus certificates at DigiNotar, which is a wholly owned subsidiary of Vasco Data Security, an Illinois-based provider of two-factor authentication services.

The incident highlighted one of the chief weaknesses of the SSL system, which is its reliance on far too many single points of trust. Users of the Convergence Firefox addon would have received warnings immediately after accessing any of the fraudulent certificates.

To be fair, a homegrown technology Google added to Chrome detected the fraudulent Google certificate, but it wouldn't have caught counterfeits for sites that aren't owned by the web giant.

For his part, Marlinspike said that Convergence is a beta that he's developed in his spare time, and that with additional work it has the potential to overcome whatever flaws it has now.

“I believe that all of the problems are very solvable, and that it is currently the best path we have out of this mess,” he wrote in an email. “I can only do so much as a lone developer without any commercial backing, however, and if the browser vendors are serious about driving innovation in this area, they're going to have to help.”

Here's hoping the developers at Google, Microsoft, Mozilla, and Opera get the memo. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.