ANALYSIS A certain pesky web denizen known as ComodoHacker has been causing a commotion recently.
Then Belgian CA GlobalSign stopped issuing authentication certificates after ComodoHacker claimed to have gained access to its servers. They also claimed to have broken into three other certificate authorities outside of GlobalSign and DigiNotar.
The hacker has also threatened to use the fraudulent certificates to carry out man in the middle attacks on organisations in Europe, Israel and the US.
I don’t know if this is fixable at all, short of worldwide social changes.
Earlier in the year, another CA known as Comodo was hacked. Can you guess where ComodoHacker got their name?
Outside of the significant cyber war implications, with some saying the DigiNotar hack will have wider connotations than Stuxnet, ComodoHacker has again thrown the whole CA system’s credibility into doubt.
Time for a change
There’s little doubt something needs to change. It no longer seems sensible to carry on placing all our trust in over 650 CAs, with whom the end user never has any direct contact. They are an invisible force and, in some cases, a weak one. Given their whole business is based on trust, the CAs themselves will be feeling more than tetchy about the current situation.
There are many pertinent questions that need to be asked about the security of the CA system.
“How many of them do you know, let alone trust? Should you trust a state-owned CA more than a commercial concern, or should you trust in market forces and vested interests to override political expediency? Where is the global authority with the mandate and the impartiality to authenticate all those CAs? Who would authenticate the authenticators?” said David Harley, senior research fellow at ESET.
“The problems aren’t so much with the technicalities of SSL, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust.”
Harley wasn’t sure if the system could be fixed at all. We may be stuck with a flawed framework forever.
“I don’t know if this is fixable at all, short of worldwide social changes on the scale of an accelerated continental drift (but in reverse). We’ve arbitrarily decided to invest trust in CAs, and the opportunities for withdrawing that trust (at any rate without the cooperation of the CAs) are severely restricted (i.e. to take it or leave it),” he told IT Pro.
As any IT guy knows, if you can't fix something, replace it. There are alternatives to the CA system. One of the best, at least according to some big names in the security sphere, is researcher Moxie Marlinspike’s Convergence model.
It has been designed to take out the middle men - the CAs - by giving the user greater power. With the Convergence model, users are handed the SSL certificates directly, before asking a number of “trust notaries” to download it too. It then relies on consensus from these notaries to authenticate the web transaction.
I don't believe it would be appropriate to abandon the use of certificate authorities without a clear idea of what could replace it.
To add an additional layer of security, the user goes through a proxy notary so they will remain anonymous to the trust notaries. Sounds like a fine idea, no?
Yet even that model has its limitations. “There are a couple of issues I can see,” Harley said.
“Firstly, it throws responsibility for deciding who to trust back down towards the user, whereas the public always wants technical solutions that will save it having to think for itself. Secondly, it has to fight an entrenched commercial model.”
Nevertheless, it is a viable option. Time will tell how much support it can gain.
Don’t be hasty
If we are to tear down the CA system, it needs to be approached with caution. With any project, especially those involving IT, an incremental approach is almost always best.
Some still argue the CAs have a valuable role, they simply need to be more responsible.
“I don't believe it would be appropriate to abandon the use of certificate authorities without a clear idea of what could replace it. After all, if a criminal gang successfully impersonated the police, few would suggest that we should abolish the police force,” said David Emm, senior security researcher at Kaspersky Lab.
“The key, of course, is trust. And I think a critical feature of this incident is the fact that DigiNotar massively under-played the significance of the breach. If trust in any CA is to be maintained, disclosure of any breach is essential.”
Emm is right in saying CAs need to get their act together. A number have been caught out. If any more fall at the hands of hackers, then the case for an overhaul of the current model will gain yet more momentum.
For now, the most astute way forward will be in finding the perfect replacement before any radical change is implemented. Right now, the Moxie Marlinspike model offers a real alternative. It should be explored and tested now. If the decline of the CA's reign over web authentication comes, we need to be prepared.