The Blackhat Briefings consistently impacts the computer security landscape year after year, and 2011 is no different. One of the most important talks this year was Moxie Marlinspike’s SSL And The Future Of Authenticity. This talk blew the doors off of the entire Certificate Authority system that is place today for the Secure Sockets Layer (SSL), and proposed a viable (and better I might add) alternative called Convergence. The basic idea behind Convergence is that certificate authorities have too much power in the SSL system in that they cannot easily be distrusted and continue to have the Internet function properly. That is, once a CA becomes rather large and is used by the major browsers to verify SSL certificates for a significant portion of the Internet, there is no mechanism in SSL to be able to remove the CA from the browsers if the CA becomes untrustworthy. A bad CA can just be deleted from the browser CA list, but then the browser would generate SSL certificate warnings for any site that uses a cert that is supposed to be validated by the CA. This, by itself, may not sound so bad, but the real problem is that without a way to validate site certificates, anyone could issue a “valid” cert for a site and the hapless user would have no way to know it isn’t real. SSL essentially forces users to trust CA’s indefinitely. So, if a CA does something that demonstrates to users that it is untrustworthy – such as getting hacked, behaving badly, or both as in Comodo’s case – there is no alternative but to continue “trusting” the CA.
This is where Convergence comes in. Under the Convergence model, SSL certificates are no longer required to be verified by a CA. So, how can a user be confident that SSL communications with a site are using the proper certificates? The answer is that Convergence uses a set of intermediate nodes called “Notaries” that exist on various locations around the Internet. For any SSL connection initiated by a user to an SSL-protected site, Convergence downloads the site certificate from all of the configured Notaries and a comparison is performed. If the certificate is identical across all Notaries, then the user can have a lot of confidence that a MITM attack is not underway. At least, the user can certainly have more confidence in this validation than the validation performed by any hacked certificate authority. And, even if a user trusts that a CA hasn’t been hacked, the user doesn’t really know for sure. (Can any entity prove that it isn’t hacked at any given time?) For any given CA, there is an excellent chance that it will be hacked at some point in the future too.
Convergence offers some nice additional features, such as anonymization of SSL connections made through the Notaries, and it is easy for users to change the list of trusted Notaries. Moxie refers to the later as “trust agility”, and is one of the key reasons that replacing the CA system with Convergence is not just a different architecture – it fundamentally means that the power is put in the hands of users instead of the CA’s. What happens if a Notary is hacked? No problem – the user can simply remove that one from the list (and maybe add a new one) and everything continues to work.
What are the downsides to Convergence? In the short term there will be some growing pains as Convergence is ported to all of the major browsers. The version of Firefox that I run on Ubuntu is not supported yet for example. Some people have concerns over performance because now instead of a single SSL connection there are multiple connections involved as a site certificate is validated by multiple Notaries. However, Moxie has implemented a robust caching mechanism that addresses this concern, and in some cases this makes SSL connections faster.
Incidentally, according to Moxie, Comodo currently signs over one quarter of the SSL-enabled sites on the Internet. So, in the current model, if a user deletes Comodo from the browser CA list then one quarter of Internet SSL sites break. Comodo is not the only instance of a certificate authority getting hacked either – just two months ago in mid-July, 2011, a Dutch CA called “DigiNotar” was hacked as well and has gone bankrupt as a result. Just imagine would would happen if Verisign – which had over 47% of the SSL verification market in 2009 and was acquired by Symantec – were to get hacked as well. Users need an alternative for SSL certificate verification, and Convergence looks like an excellent solution. The bottom line is that even if the current CA system remains in place, as a frequent user of SSL, I would still want a way to verify that an SSL certificate looks the same from multiple locations regardless of what a CA tells me. In this sense, there is a good case for Convergence whether or not it is broadly adopted.
On a final note, Moxie presented Convergence at both Blackhat and Defcon, and as a bonus he was asked to participate on a panel discussion at Defcon with the legendary Whitfield Diffie of Diffie-Hellman key exchange fame. During this panel, Moxie hinted that a current CA is looking at deploying Convergence. This is perhaps a validation that Convergence is a shot across the bow of certificate authorities in general, and that they should pay close attention.