The SSL certificate authority system is broken and it’s time to move beyond it, a security researcher said Thursday at the Black Hat conference in Las Vegas.
Certificate authorities (CAs), which issue the digital SSL certificates used by websites to validate their identity to visitors, suffer from a myriad of problems, Moxie Marlinspike, co-founder and CTO of security and management solutions provider Whisper Systems, said during his presentation titled “SSL and the Future of Authenticity.”
For starters, he said, too many organizations today are capable of issuing a certificate for any domain name. Moreover, while some CAs are considered to be more reputable than others, all such companies “have dirt on their hands,” Marlinspike said.
The latest CA to suffer a public trust issue is Jersey City, N.J.-based Comodo, which in March revealed that it had mistakenly issued nine fraudulent certificates for big-name sites like Google, Yahoo, Skype and Hotmail.
“There isn’t anyone doing a great job,” he said. “It’s not realistic that any organization today, or a set of them, can look at sites as carefully as necessary to certify them.”
As a potential solution, Marlinspike on Thursday released a tool designed to replace the CA system. The tool, called Convergence, is an add-on for the Firefox web browser, which essentially inverts the current CA system, giving more power to users.
The tool allows users to decide which organizations to trust, instead of having to rely on the decisions of a site’s administrator. Users would be able to take their pick of so-called “trust notaries,” which would authorize their communications by default.
The program aims to address what Marlinspike calls the lack of “trust agility” offered by CAs, he said. Currently, if a user decides to not trust Comodo, VeriSign or any other CA, there isn’t much that can be done.