SSL certificates are flawed

The Internet's certification authorities, and Secure Sockets Layer (SSL) as the current protocol for encrypting information on the Internet, are strongly flawed.

During this morning's ITWeb Security Summit keynote, international white hat hacker and security researcher Moxie Marlinspike presented on the issue of trust in light of last year's Comodo hacks.

Security giant Comodo certifies a quarter of all SSL certificates on the Internet today. Marlinspike explained how, in March 2011, the firm was repeatedly hacked, consequently leading to a breach of data from Google Web sites, as well as Skype, Mozilla and Windows Live.

At the time, the Comodo founder initially called the attacks extremely sophisticated and critically executed, and later described them as cyber war, as the hacker's IP had originated from Iran.

However, Marlinspike argued that this was not a sophisticated attack at all, but was rather due to a weakness in the SSL certificates.

“After the hacks, nothing happened; Comodo didn't lose business, it didn't get sued or de-listed. The only thing that happened was that the founder was named entrepreneur of the year at the RSA 2011 conference.”

Marlinspike pointed out that it is critical for any secure protocol to provide secrecy, integrity and authenticity, and if any of these break, the whole protocol breaks. He said SSL in itself is a dated technology that was first developed in the 1990s in a rushed effort by a security expert at Netscape. Yet the majority of attacks focus on the authenticity of secure protocols.

When it comes to SSL, Marlinspike said it's authenticity that is causing real security problems. “We've outgrown the circumstances through which SSL was originally designed.”

He pointed out that it is extremely easy to acquire an SSL certificate: countless organisations can supply them, and often these are not trustworthy.

According to Marlinspike, it's the individual users who should be able to decide where to anchor their trust on a Web site, and not the Web site owner.

“Clients should be contacting the authority of their choosing to certify a site; this means the clients can decide what authority they want to talk to,” he added.

He called for “trust agility”, a system to replace SSL certification in which a user could un-trust a Web site as easily as they trusted it initially. This would prevent lock-in within a group of security organisations.

Marlinspike recently started a project called Convergence, which is a new protocol that aims to replace the way SSL certificates are implemented.

“The question everyone should ask is who do I have to trust and for how long? And if it's forever, proceed with caution.”
