Aug 17, 2011 11:50 GMT

Security researcher Moxie Marlinspike has developed a new system which he claims could solve many of the trust issues of the current Public Key Infrastructure.

The most common way to authenticate websites and encrypt traffic is via SSL certificates. These certificates are issued by a number of Certificate Authorities (CAs) that browsers trust by default.

The problem is there are currently over 600 CAs around the world and some of them belong to governments known for their invasive Internet surveillance practices.

In theory, these CAs could issue a duplicate certificate for, say, google.com, which could be used to pull off man-in-the-middle attacks.

This does not even have to happen willingly. There have been cases when hackers managed to break into a CA's infrastructure and issue rogue certificates for popular domains.

Moxie Marlinspike, who is renowned for his work with secure protocols, cryptography, privacy and anonymity, is proposing a new system that solves these trust issues by using a network perspective.

His project is called Convergence and relies on third-party notaries (servers) to validate certificates. The concept is inspired by Carnegie Mellon University's Perspectives project which uses a similar technique to validate self-signed certificates.

The whole idea is to compare a certificate served by a website to a client with one received from the same destination by a notary. If the client is surfing from a compromised network and gets served a fake certificate, it won't match with the one from the notary, triggering an alert.

The trust can be further enhanced by using multiple notaries and comparing certificates between all of them to make sure the user received the correct one. Convergence can also be configured to use multiple methods of certificate validation including DNSSEC, BGP data, SSL observatory results and even CA validation.
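The comparison described in the two paragraphs above can be sketched as follows. This is an added illustration, not Convergence's own code or wire protocol: the SHA-256 fingerprint, the `quorum` parameter, the notary names and the byte strings standing in for certificates are all assumptions made for the example.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()

def notary_verdict(client_cert, notary_views, quorum):
    """Compare the certificate the client was served with each notary's view.

    notary_views maps a notary name to the certificate bytes that notary
    received from the same destination, or None if it could not be reached.
    Returns (verdict, agreeing, disagreeing, unreachable).
    """
    if not 1 <= quorum <= len(notary_views):
        raise ValueError("quorum must be between 1 and the number of notaries")
    seen = fingerprint(client_cert)
    agreeing, disagreeing, unreachable = [], [], []
    for name, view in sorted(notary_views.items()):
        if view is None:
            unreachable.append(name)   # silence is never counted as agreement
        elif fingerprint(view) == seen:
            agreeing.append(name)
        else:
            disagreeing.append(name)
    if len(agreeing) >= quorum:
        verdict = "match"              # enough independent vantage points agree
    elif disagreeing:
        verdict = "mismatch"           # client saw a different certificate: alert
    else:
        verdict = "inconclusive"       # too few answers to decide either way
    return verdict, agreeing, disagreeing, unreachable

# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_CERT = b"constructed-cert: example.test, key A"
FAKE_CERT = b"constructed-cert: example.test, key B (substituted in transit)"

def demo():
    clean = {"notary-1": REAL_CERT, "notary-2": REAL_CERT, "notary-3": REAL_CERT}
    partial = {"notary-1": REAL_CERT, "notary-2": None, "notary-3": None}
    return {
        "clean network": notary_verdict(REAL_CERT, clean, quorum=2)[0],
        "compromised network": notary_verdict(FAKE_CERT, clean, quorum=2)[0],
        "notaries unreachable": notary_verdict(REAL_CERT, partial, quorum=2)[0],
    }

if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Treating an unreachable notary as neither agreement nor disagreement keeps a network that simply blocks notary traffic from producing a "match".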

Users who fear that notaries could build a profile of their browsing history can protect their privacy by using a proxy mode that hides their real IP addresses.

"Convergence is fully backward compatible with the existing deployment of certificates, and doesn't require website operators to change anything. Just install the Firefox add-on, select who you trust, and be done with Certificate Authorities forever. Everything will look exactly the same, and you'll never get a self-signed certificate warning again," the researcher says.

The Convergence extension for Firefox can be downloaded from here.