Feeds

Google: SSL alternative won't be added to Chrome

Path converges into security quagmire

High performance access to file storage

Still smarting from a counterfeit secure sockets layer certificate that threatened at least 300,000 of its users in Iran, Google has no plans to fortify its Chrome browser with an experimental technology that bypasses the current system for validating websites.

In a blog post published Wednesday, Google security researcher Adam Langley said he didn't think the technology known as Convergence “is something we would add in Chrome.” Moxie Marlinspike, a researcher who has made a career out of exposing huge architectural cracks in the net's foundation of trust, designed the system to address security vulnerabilities and privacy weaknesses in the current SSL system.

In a nutshell, Convergence is a crowd-sourcing technology that allows endusers to query people or organizations they trust to vouch for the validity of certificates used to authenticate Gmail, eBay, or any other website that uses an https suffix prefix. In its current incarnation, the system relies on a handful of “notaries,” including Marlinspike's organization and the the Electronic Frontier Foundation. It's capable of accommodating an unlimited number of notaries and would allow end users to query as many or as few as they want.

Convergence prevents certificate authorities from logging what trusted websites a given user accesses, and it also allows users to choose who they trust. For an in-depth description, see this video of Marlinspike's presentation at the Black Hat Security conference in August.

Google's Langley lauded the idea of “trust agility” behind Convergence, but said he didn't think the practical considerations made it a suitable addition to Chrome. Among other problems cited, he said “99.99% of Chrome users” would never change default Convergence settings designating which notaries should be queried. He continued:

Given that essentially the whole population of Chrome users would use the default notary settings, those notaries will get a large amount of traffic. Also, we have a very strong interest for the notaries to function, otherwise Chrome stops working. Combined, that means that Google would end up running the notaries. So the design boils down to Chrome phoning home for certificate validation. That has both unacceptable privacy implications and very high uptime requirements on the notary service.

Langley also said Convergence would do nothing to fix certain problems Marlinspike and others have identified in the current SSL system. They include the use of “captive portals” at Wi-Fi hotspots and elsewhere that require users to enter credit card numbers into a portal page before getting an internet connection. The lack of a link to the outside world makes it impossible for users to know they're giving their card number to a valid site, but they can't get an outside connection until they do, creating a Catch 22.

Langley also cited the problem of firewalled “internal servers,” in corporate networks that prevent notaries from seeing the sites an end user wants validated.

Langley's post comes nine days after the discovery of a fraudulent Google.com certificate that was issued in early July by DigiNotar, a Netherlands-based certificate authority whose trusted imprimatur was used to validate official websites of the Dutch government. More than 300,000 people, mostly located in Iran, were exposed to the certificate while trying to access Gmail.

A recent security audit documented weak passwords and other security lapses and the issuance of at least 531 bogus certificates at DigiNotar, which is a wholly owned subsidiary of Vasco Data Security, an Illinois-based provider of two-factor authentication services.

The incident highlighted one of the chief weaknesses of the SSL system, which is its reliance on far too many single points of trust. Users of the Convergence Firefox addon would have received warnings immediately after accessing any of the fraudulent certificates.

To be fair, a homegrown technology Google added to Chrome detected the fraudulent Google certificate, but it wouldn't have caught counterfeits for sites that aren't owned by the web giant.

For his part, Marlinspike said that Convergence is a beta that he's developed in his spare time, and that with additional work it has the potential to overcome whatever flaws it has now.

“I believe that all of the problems are very solvable, and that it is currently the best path we have out of this mess,” he wrote in an email. “I can only do so much as a lone developer without any commercial backing, however, and if the browser vendors are serious about driving innovation in this area, they're going to have to help.”

Here's hoping the developers at Google, Microsoft, Mozilla, and Opera get the memo. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.