Never mind malware or phishing attacks: the foundational assurance of the internet is in doubt these days, following attacks against certificate authorities (CAs) Comodo and DigiNotar.
CAs, or companies that sell the digital SSL certificates used by websites to validate their identity to visitors, play a pivotal role in what is trusted online, said Roel Schouwenberg, senior researcher at Kaspersky Lab.
“When we look at the CA infrastructure, it really is a tangled web of trust,” he said. For starters, when the CA system was invented, the internet was a fraction of its current size, and only a few sites required secure communications.
Fast forward to today, and there are some 650 trusted CAs – a number experts believe is too high. They operate with various levels of security, yet browsers treat them all about the same.
This can lead to bad things happening. In March, Comodo revealed that hackers gained access to its system and fabricated nine certs for some top-tier sites. Experts believe the Iranian government carried out the Comodo attack and the more recent DigiNotar attack to spy on private communications.
Critic Moxie Marlinspike, co-founder and CTO of Whisper Systems, said the existing CA protocol lacks the ability for users to easily revise which companies they trust.
“Someone made the decision to trust Comodo and we are locked into trusting them forever,” Marlinspike said.
Comodo, one of the world’s top five CAs, certifies somewhere between a quarter and a fifth of the internet. If browser companies revoked trust in Comodo, a large portion of the internet would “break,” Marlinspike said.
Experts agree that the current system is badly broken, but warn there will be no easy fix. Schouwenberg suggested that browser makers perform additional checks on the certs provided for domains that are currently being targeted in spying operations.
Marlinspike, meanwhile, released a free add-on for the Firefox web browser called Convergence, which essentially inverts the current CA system, giving more power to users. With the tool, users can take their pick of so-called “trust notaries” to authorize their communications, and then revise their choices at any time. There are about 30,000 active users of Convergence, but Marlinspike hopes it will become more widespread.
“If the four major browser vendors shipped it with the browser, that would be it, problem solved, end of the CA system in one fell swoop,” he said.