Feeds

Google researchers propose fix for ailing SSL system

Changes would overhaul net's foundation of trust

Security for virtualized datacentres

Security researchers from Google have proposed an overhaul to improve the security of the Secure Sockets Layer encryption protocol that millions of websites use to protect communications against eavesdropping and counterfeiting.

The changes are designed to fix a structural flaw that allows any one of the more than 600 bodies authorized to issue valid digital certificates to generate a website credential without the permission of the underlying domain name holder. The dire consequences of fraudulently issued certificates was underscored in late August when hackers pierced the defenses of Netherlands-based DigiNotar and minted bogus certificates for Google and other high-profile websites. One of the fraudulent credentials, for Google mail, was used to snoop on as many as 300,000 users, most of them from Iran.

Under changes proposed on Tuesday by Google security researchers Ben Laurie and Adam Langley (PDF here), all certificate authorities would be required to publish the cryptographic details of every website certificate to a publicly accessible log that's been cryptographically signed to guarantee its accuracy. The overhaul, they said, is designed to make it impossible – or at least much more difficult – for certificates to be issued without the knowledge of the domain name holder.

“We believe that this design will have a significant, positive impact on an important part of the internet security and that it's deployable,” Langley wrote in a blog post. “We also believe that any design that shares those two properties ends up looking a lot like it.” Some of the ideas overlap with recommendations recently published by the Electronic Frontier Foundation for improving the security of SSL.

While few disagree that SSL in its current form is hopelessly broken, finding agreement on a way to fix the fragile certificate authority infrastructure has proven to be elusive. Indeed, within hours of Laurie and Langley's plan going public, critics were already saying it was unworkable. Among the complaints was the critique that it would require the divulging of information considered to be proprietary in the fiercely competitive market for SSL certificates.

“I assume that CAs wouldn't agree to provide their entire customer data to the public (and competition),” Eddy Nigg, COO and CTO of StartCom, the Israeli-based operator of StartSSL, told The Register. He held out a voluntary set of baseline requirements recently adopted by the CA/Browser Forum as a more effective fix. Members of the forum hope to make the requirements mandatory for all CAs.

Nigg also said that Laurie and Langley's proposal could place significant technical burdens on website operators and browser makers. One or more authorities would have to be established to compile the lists around the clock and make them available to millions of users each time they access an SSL-protected page, and both activities would require considerable bandwidth and processing resources to be done properly.

“If browsers would have to ping this data upon every first connection per day per site, this would require lots of resources,” Nigg said. “This is something Google might be able to do, but not that many other entities will have those capabilities and interest.”

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.