Black Hat: Researcher releases tool for replacing certificate authorities

Share this article:

The SSL certificate authority system is broken and it's time to move beyond it, a security researcher said Thursday at the Black Hat conference in Las Vegas.

Certificate authorities (CAs), which issue the digital SSL certificates used by websites to validate their identity to visitors, suffer from a myriad of problems, Moxie Marlinspike, co-founder and CTO of security and management solutions provider Whisper Systems, said during his presentation titled “SSL and the Future of Authenticity.”

For starters, he said, too many organizations today are capable of issuing a certificate for any domain name. Moreover, while some CAs are considered to be more reputable than others, all such companies “have dirt on their hands,” Marlinspike said.

The latest CA to suffer a public trust issue is Jersey City, N.J.-based Comodo, which in March revealed that it had mistakenly issued nine fraudulent certificates for big-name sites like Google, Yahoo, Skype and Hotmail.  

“There isn't anyone doing a great job,” he said. “It's not realistic that any organization today, or a set of them, can look at sites as carefully as necessary to certify them.”

As a potential solution, Marlinspike on Thursday released a tool designed to replace the CA system. The tool, called Convergence, is an add-on for the Firefox web browser, which essentially inverts the current CA system, giving more power to users.

The tool allows users to decide which organizations to trust, instead of having to rely on the decisions of a site's administrator. Users would be able to take their pick of so-called “trust notaries," which would authorize their communications by default.

The program aims to address what Marlinspike calls the lack of “trust agility” offered by CAs, he said. Currently, if a user decides to not trust Comodo, VeriSign or any other CA, there isn't much that can be done.

Share this article:
close

Next Article in News

Sign up to our newsletters

More in News

AOL Mail hack furthers spam campaign using spoofed accounts

AOL confirmed on Monday that it was aware of the issue and working to remediate the situation.

Backdoors in Wi-Fi routers, said to be closed, can be reopened

Backdoors in Wi-Fi routers, said to be closed, ...

Although said to be patched, researcher Eloi Vanderbeken discovered during the Easter holiday that backdoors existing in certain wireless routers can be reactivated.

Apple ships Mac OS X updates, fixes several code execution bugs

Apple ships Mac OS X updates, fixes several ...

Among the addressed vulnerabilities, was a bug affecting WindowServer, which could allow an attacker to execute malicious code outside the sandbox.