SSL Certificate Authorities vs. Convergence, Perspectives 127
alphadogg writes "With all the publicity about breaches of SSL certificate authorities and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to. Protecting SSL and its updated version TLS is vital because they support most e-commerce transactions by setting up end-to-end encrypted sessions that are authenticated, and that requires certificates that are verified by certificate authorities. One new model for authentication is called Convergence, and it similar to one being trialed at Carnegie Mellon University called Perspectives. Rather than trusted third parties whose trust can't be assured, SSL/TLS authentication would rely on a reputation system of verification."
Won't work (Score:5, Insightful)
Any reputation system that doesn't rely on some central authority to issue it can and will be gamed by crackers. With massive botnets and the like there is simply no way to rely on any number of "individuals" to issue correct information. The only way around this is to have some central authority say "your opinion matters and yours doesn't." Voila, you have the present system.
For unimportant things or things so unimportant the difficulty makes the problem not worthwhile, a distributed reputation system works. Someone above mentioned Ebay. This system works because the rating of individual sellers, while important to them, isn't terribly important to all that many people, and the system is rather difficult for an individual to game. But for a distributed SSL certificate network, not only is the incentive there, but the people involved are massive and extremely technologically sophisticated.
Convergence is unfortunately not the answer. Sure, you can say "I only trust this Notary", but how do you know that Notary is even who you think it is? You can't. The only way is if you have centrally distributed root certificates... and again, same problem you have now. Ultimately, the only real way to get guaranteed SSL security is to call up the bank/ whatever and manually verify the fingerprint. Or get the key on a USB drive at the bank. There simply isn't an easy solution.
And you won't get your average Internet browser to change. People conducting MITM attacks generally aren't concerned with people who are really security conscious. If they actually are conducting targeted attacks against you, then you should have much better security in place. Since most people simply won't switch, even if Convergence was 100% effective it wouldn't matter. Most SSL attacks would still take place just fine.
Re:So why do I trust the notaries? (Score:2, Insightful)
Another is that you don't have to trust any particular notary. You can add/drop them quite easily. With CA's, however, if you chose you don't trust a CA you can't really be confident you're not being MITM'd at any website which has that CA sign their cert.
Basically, with notaries, you don't really have to trust any one in particular. You just have to have some that you do trust. Not even that, actually - you just have to trust that from the pool of notaries you're using not all are comprimised. Presumably if people support this, more notaries will become available and you'll get the diversity you want. Well, hopefully.
A more pertinent issue with Perspectives, as I see it, is that if someone MITM's very close to you (think the people who own/control the AP you're connecting through at a hotel), they could MITM *all* of the notaries as well. With the CA model, so long as the location you got your browser/certs/OS was from was secure - and all of the CA's are reliable - you're fine even through an evil hotel connection.
Re:So why do I trust the notaries? (Score:4, Insightful)
A more pertinent issue with Perspectives, as I see it, is that if someone MITM's very close to you
Ditto on the other side. It's impossible to distinguish a valid key change from an invalid one. Since the people attesting to the authenticity of a certificate have zero 'special' interaction, it remains feasible to fool them. It basically throws the baby out with the bathwater. The problem by and large is any singular CA can attest for any thing it feels like. A better approach would be:
-DNSSEC secured results enumerating the CAs the site selected to secure the domain. If DigiNotar signs yourdomain.com and your DNSSEC says 'Thawte', then there is an issue.
-Multiple CAs signing a certificate. If you have 3 or so CAs (all listed in your DNSSEC record of course), then compromising all three would be required to compromise your security.
-A positive OSCP response should be required. Currently, even when OSCP is checked, if some return indicates 'general error' or 'try again later', that's taken as good enough.
-Having a reputation system as an extra measure makes sense. Perhaps https without a 'padlock' given a positive reputation based read in absence of anything else, and if reputation and CA both check out, grant the visual indication of secure.
It's more than e-Commerce (Score:2, Insightful)
To keep saying only that the flaws in SSL/TLS protocols and trust infrastructure affect e-Commerce is untrue and trivialises the scope of the issue. And yet this seems to be the only example ever trotted out with these stories.
People need to realise that it's more than web sites that are affected, it's everywhere that SSL/TLS is used including secure e-mail, VPN infrastructure and the like. Start telling your CIOs and CEOs that their secure IMAP can be sniffed by NewsCorp so they can publish news of their office romances, or that the VPN tunnels between offices can be sniffed by competitors leading to the theft of billion dollar trade secrets and you might start to see some buy-in on the problem.
Users want a binary answer (Score:4, Insightful)
The short answer is, users want a binary answer. Can this site be trusted, true/false. Every system since the "web of trust" in the early 90s that has had a fuzzy answer of "somewhat trusted" has failed. And it stands to reason that when you want such a binary answer, you'll do the minimum required to satisfy it. There's nothing today that prevents your certificate from being signed by multiple CAs, it's just that it doesn't give you anything. The line will show up green in people's web browsers whether it's signed by one or five CAs, it just adds costs with no benefit.
I can sort of understand that, if I got a company's phone number I fully expect to call them and reach that company, not getting MITM'd to some scam center somewhere. Of course there's all the other scams involved but if I type [company].com I expect there to be some trusted index that makes sure I get to the right site. If that site has been compromised that's another matter, but the sites that need to be secured are usually very secure. I just need to be sure I'm going to the right place.
Another matter is client security, if your client is compromised then it can show you anything. That's why my bank texts me to confirm payments, giving all the relevant information in the text. Like are you sure you want to transfer X to account Y, if so text OK back. That's really the only way to be sure, otherwise it could authorize some completely different transaction than what it told me, for example through a fake error message. Oh, that must have been a typo let's try again. One fake payment and one real.
Names (Score:3, Insightful)
Can't people start using names that MAKE SENSE again?
Who the hell cares how cool it sounds. It's a technical thing, the public doesn't care. Convergence. Perspectives. Seriously? How do one figures any of those name is related to security?
Heck SSL was called Secure Socket Layer. That makes sense. Computer, is a thing that computes. Make sense. :(
Keyboard is a board full of keys. TLS is Transport Layer Security. Goes on and on.
Then bang, now you get "convergence" and such crappy names that means nothing. Annoying