Feeds

Marlinspike asks browser vendors to back SSL-validator

'Convergence' open source dev needs vendors to balance the load

Seven Steps to Software Security

Analysis Moxie Marlinspike is encouraging browser developers to support an experimental project to shake up the security of website authentication by moving beyond blind faith in secure sockets layer (SSL) credentials.

The Convergence open-source project is designed to address at least some of the main shortcomings that underpin trust in e-commerce and other vital services, such as webmail. The technology, available as a browser add-on for Firefox, allows users to query notary servers – which they can pick – to make sure the SSL certificate served up by any particular site is kosher.

Marlinspike described the Firefox add-on as a proof-of-concept, adding that he was talking to other browser vendors. "Browser vendors should lead because this is the only way that Convergence can become an 'invisible platform' where surfers can use it without knowing that's what they are relying on," he said.

"We've got the ball rolling and its now up to vendors to do the bulk of the work," he added.

The approach, first outlined by Marlinspike in August 2011, is designed to flag up man-in-the-middle attacks that rely on forged credentials from any one of hundreds of organisations authorised to cryptographically sign the certificates that Amazon, Skype Gmail and countless other e-commerce services rely on to re-assure customers that their secure sites are genuine. About 650 organisations are authorised to sign certificates.

Hackers able to break into the systems of any of these certificate authorities would be able to issue counterfeit credentials, subverting the whole system of trust. The problem was graphically illustrated by hacks against Comodo, the second largest certificate authority, and DigiNotar.

Convergence, rather than relying on the public key infrastructure that ties together the current SSL system, utilises a loose confederation of notaries that independently vouch for the integrity of a given SSL certificate.

Marlinspike told delegates at the recent CSO Interchange conference in London that SSL was designed at Netscape in the early 90s when e-commerce didn't exist. "SSL was only designed to prevent passive attacks," Marlinspike explained. "Authenticity was thrown in at the end as a hand-wave."

Having so many certificate authorities is only part of the problem, according to Marlinspike: "Nobody has a great track record. For example, VeriSign is in the lawful interception business so how can the same organisation be responsible for securing traffic?"

Many sites are broken because they rely on outdated certificates or they support insecure versions of SSL. The problem is further compounded by shortcomings in the certificate revocation process. "You can't revoke trust – that's the essence of the problem," Marlinspike explained.

Trust agility

Convergence provides "trust agility" essentially by letting users decide which notaries they trust to vouch for the authenticity of digital certificate credentials and making it straightforward to swap notaries. "Even if one notary goes bad it doesn't break the system," Marlinspike said. "You can simply replace the notary."

Around 50 organisations have signed up to become notaries, including privacy advocates such as the EFF and technology firms including Qualys. Running a notary requires very little resources, according to Marlinspike. "Most people visit only 20 or so sites and the certificates rarely change," he told delegates at the CSO Interchange conference.

Marlinspike told El Reg that the project, though well documented, was currently largely experimental. Around 24 developers are working on Convergence. "We're changing and adding functionality. It's not currently an IETF standard but we are headed in that direction."

Google Chrome team lead developer Adam Langley has expressed reservations about supporting the crowd-sourcing technology, for a variety of practical reasons, in particular the possibility of notary servers failing under heavy demand. Marlinspike described these concerns as valid for mainstream use of the technology in its present form. "We're testing the waters on what works and what doesn't," Marlinspike explained. "There's still a lot of work to be done on how users interact with the technology."

"The industry can't expect a fully packaged thing from a small team of developers working on an experimental project without getting involved," he added.

Qualys Director of Engineering Ivan Ristic told El Reg that the main problem with Convergence was its "hard fail" functionality. "If you can't reach a notary you can't reach a secure web site."

One approach to solving the availability problem might be to use thousands of notaries, hooked up in a peer-to-peer network, to balance the load.

Nonetheless Ristic praised the project as a "radical" and "promising" approach to solving problems with the internet's trust infrastructure. He says he is convinced that stability and performance issues can be ironed out, but that "the only way to make production successful is to get browser vendor involvement," he added.

Convergence is partly based on the Perspectives Project developed at Carnegie Mellon University. More detail on Convergence can be found at the project's home page here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.