Black Hat: Researcher releases tool for replacing certificate authorities


The SSL certificate authority system is broken and it's time to move beyond it, a security researcher said Thursday at the Black Hat conference in Las Vegas.

Certificate authorities (CAs), which issue the digital SSL certificates used by websites to validate their identity to visitors, suffer from a myriad of problems, Moxie Marlinspike, co-founder and CTO of security and management solutions provider Whisper Systems, said during his presentation titled “SSL and the Future of Authenticity.”

For starters, he said, too many organizations today are capable of issuing a certificate for any domain name. Moreover, while some CAs are considered to be more reputable than others, all such companies “have dirt on their hands,” Marlinspike said.

The latest CA to suffer a public trust issue is Jersey City, N.J.-based Comodo, which in March revealed that it had issued nine fraudulent certificates for big-name sites including Google, Yahoo, Skype and Hotmail after an attacker obtained them through a compromised reseller account.

“There isn't anyone doing a great job,” he said. “It's not realistic that any organization today, or a set of them, can look at sites as carefully as necessary to certify them.”

As a potential solution, Marlinspike on Thursday released a tool designed to replace the CA system. The tool, called Convergence, is an add-on for the Firefox web browser that essentially inverts the current CA model: the decision about whom to trust moves from the site operator to the user.

Rather than relying on whichever CA a site's administrator chose to sign its certificate, the user picks a set of so-called "trust notaries": independent servers that, on request, fetch the site's certificate from their own network vantage points and report whether it matches the one the user's browser received. The browser accepts a certificate when the user's chosen notaries agree on it, so a fraudulent certificate injected into a single victim's connection fails the check even if a browser-trusted CA signed it.

The program aims to address what Marlinspike calls the lack of "trust agility" in the CA system. Currently, if a user decides not to trust Comodo, VeriSign or any other CA, there isn't much that can be done: removing a root from the browser's trust store breaks every site whose certificate chains to it. Swapping out a notary, by contrast, costs the user nothing, because no site depends on any particular notary.
