At DEFCON 2011, Moxie Marlinspike presented a possible solution to the “big SSL problem”: Convergence, a clever way to remove the need for certificate authorities. But is it really going to solve it?
Let’s step back a little. We all know that SSL is kind of broken because of the need to rely on certificate authorities. Moxie himself has a great blog post on the subject. In a word, we don’t want to pay certificate authorities, we have too many of them (up to 70 in recent browsers/OS), we can’t really trust all of them, and we don’t have an easy way to revoke trust in the certificates they issue.
Convergence starts from the idea that it would be really great to avoid CAs altogether and use self-signed certificates, but self-signed certificates are vulnerable to man-in-the-middle (MITM) attacks. So the clever idea is noting that MITM is a local attack: it’s either someone next to you drinking a coffee at Starbucks, or someone that hacked your ISP’s DNS, or maybe someone working for a corrupted government that’s hijacking traffic at the BGP level. It’s unrealistic that the same MITM attack can affect you, someone in Iceland, someone in China, someone in West Virginia, and someone in Italy at the same time, right? And that’s what Convergence exploits: it gives you a way to compare the SSL certificate you receive from the website you want to visit with the certificates that many different servers around the world, called “notaries”, fetch from the same website. If they all match, a MITM attack is impossible, and you can trust the self-signed certificate and proceed to log in to your bank. Right?
Wrong. Because you know what else self-signed certificates are vulnerable to, in addition to MITM? Lies. And you know who lies? A phisher. So if a phisher registers bankoffamerica.com (pay attention to the typo!) and self-signs the website with an SSL certificate saying that the organization behind the website really is Bank of America Corporation incorporated in Delaware, all notaries will report that the certificate is exactly the same as fetched from different parts of the world, and you will get absolutely no warning.
And what is worse is that you will lose any EV indication while browsing with Convergence, since Convergence simply does not currently support any way to validate the identity of the website. As Moxie himself says, “Convergence does not enable EV for self-signed certs. It is concerned with authenticity, not identity”.
So to clarify: if you start browsing today with Convergence (and assuming you get a good set of notaries to bootstrap), you get the following effects:
I personally don’t consider this a good compromise. It might be that I don’t live in China or Iran, but MITM attacks are an order of magnitude less common than phishing attacks, and people are slowly learning to trust EV certificates when browsing the Internet. It’s true that EV SSL certificates could be forged as well; I don’t dispute that. But right now with Convergence, I’m going to trade a simple protection against a common set of attacks for a good protection against a rare set of attacks.
I reached Moxie with these concerns, and he clarified that, technically speaking, Convergence could be enhanced to check for existing EV SSL certificates (through a custom notary), but that he doesn’t see EV certificates as solving any real problem nowadays. I beg to disagree: I don’t like EV per se either, but I think the identity problem is still something that must be solved on the Internet, and it’s probably even more important than solving the MITM problem.
Given that the number of websites which are targets of phishing attacks is relatively small because it’s mainly a group of high-profile sites (banks, web mails, social networks, etc.), and given that SSL certificates do not change so often (usually no more than once a year for a high-profile website), there must be a way to conceive a global list of validated certificates for which an identity can be certified, even through a crowd-sourced mechanism. It has to be simpler than what GPG attempts to do with key-signing parties, because we don’t need to certify the identity of Mr John Green that you never met before, plus another 1 billion people; you just need to certify that Google is Google and PayPal is PayPal, for one thousand high-profile websites. If you ask 10 people in 10 different countries to give you the SSL fingerprint for “Google, Inc.”, and you get 10 identical fingerprints, you can be 100% sure that the certificate you get is really for “Google, Inc.”. And if Google commits to use the same certificate for the next 3 months, you could globally cache this information, and distribute it to web users through notaries in a way that their address bar says “This is a certified Google Inc. website”. Or, in other words, “This is the same Google Inc. website that 1 million people have visited in the last 2 hours, and 100 million in the last 24 hours”.
If Convergence could be augmented to do something similar, I think we would be getting closer to the final solution of the SSL problem.
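The following sketch is an added example, not code from Convergence or from this post. It models the notary comparison described above and the crowd-sourced identity list proposed in the previous paragraph, to show which check catches which attack. The certificate bytes are constructed stand-ins, the function names are hypothetical, and unanimous notary agreement is a simplifying assumption.

```python
from __future__ import annotations
import hashlib

def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of a certificate's bytes."""
    return hashlib.sha256(cert_bytes).hexdigest()

def notaries_agree(seen_fp: str, notary_fps: list[str]) -> bool:
    """Authenticity: every notary saw the same certificate we did."""
    return bool(notary_fps) and all(fp == seen_fp for fp in notary_fps)

def crowd_entry(reports: list[str]) -> str | None:
    """Identity list entry: accepted only if all independent reports match."""
    return reports[0] if reports and len(set(reports)) == 1 else None

def assess(seen_cert: bytes, notary_certs: list[bytes],
           claimed_org: str, identity_list: dict) -> dict:
    fp = fingerprint(seen_cert)
    return {
        "authentic": notaries_agree(fp, [fingerprint(c) for c in notary_certs]),
        # The organization name inside a self-signed cert is only a claim;
        # it counts as verified only if the list maps that org to this cert.
        "identity_verified": identity_list.get(claimed_org) == fp,
    }

# Constructed stand-ins for certificate bytes (not real certificates).
REAL = b"constructed: CN=bankofamerica.com, O=Bank of America Corporation"
MITM = b"constructed: CN=bankofamerica.com, forged by local attacker"
PHISH = b"constructed: CN=bankoffamerica.com, O=Bank of America Corporation"
ORG = "Bank of America Corporation"

# Ten independent reporters submit the fingerprint they see for the real site.
IDENTITY_LIST = {ORG: crowd_entry([fingerprint(REAL)] * 10)}

def scenarios() -> dict:
    return {
        "genuine": assess(REAL, [REAL] * 5, ORG, IDENTITY_LIST),
        # Only the local client sees the forged cert; notaries see the real one.
        "local_mitm": assess(MITM, [REAL] * 5, ORG, IDENTITY_LIST),
        # Everyone, notaries included, sees the same lying self-signed cert.
        "typo_phish": assess(PHISH, [PHISH] * 5, ORG, IDENTITY_LIST),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:11} {result}")
```

The typo-domain case passes the notary comparison because the certificate is globally consistent; only the lookup against the identity list flags it.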
9 Responses
Justen
06|Sep|2011 1
Seems to me like the root of the problem here is trying to solve two completely separate issues with the same piece of technology. Namely, authentication and privacy. The CA system provides reasonable third party verification of identity (authentication) but it is clearly inadequate at privacy (due to MITM vulnerabilities). Convergence solves privacy concerns but it’s completely useless at authentication. While privacy and authentication are not mutually exclusive they’re separate concerns that can’t be adequately addressed by a single technology. You need one tool to provide air-tight authentication and another to provide privacy. Simple enough. Quit trying to make a perfect pancake-and-waffle-maker, in other words, and make a perfect pancake maker *and* a perfect waffle maker.
Jon
08|Sep|2011 2
You’re not taking into account the collectively run notaries that would spawn out of something like Convergence.
Jeff Cutsinger
08|Sep|2011 3
I would be willing to bet money that users don’t pay attention to EV certificates, and that they do not statistically reduce the effectiveness of phishing attacks.
Giovanni Bajo
08|Sep|2011 4
@Jeff, yes, that’s obviously a good point. I personally know non-technical people who check the green bar, but the real question is obviously whether they would notice whenever it’s missing.
Giovanni Bajo
08|Sep|2011 5
@Jon, I’m not sure I understand, can you elaborate?
Joerg
09|Sep|2011 6
I still believe that Convergence is a first step in the right direction. A small step technically, a big step regarding CA business models.
Let’s have one more look at the DigiNotar case. Some hacker penetrated their whole infrastructure and issued over 500 rogue certificates. DigiNotar did not disclose this “incident” and therefore those rogue certificates were fully trusted ones. The hacker seems to live in Iran and support the regime there. Maybe more kind of self-employed than being a paid “digital soldier”. Nevertheless, Iran on the one hand wants to control communication of the political opposition and on the other hand would love to strike back as a revenge for the SCADA attack against their atomic program. We are facing a period with a high amount of “rogue energy”.
SSL, DNSSEC and whatever else we currently do for information security and privacy on the Internet is not designed to withstand this kind of attack.
Trust relationships need to be based on “crowd intelligence” and they need to be agile also in a way that trust levels appropriate to the protected process can be defined.
Peter
13|Sep|2011 7
I think your criticism of Convergence is a bit misplaced. You are correct that Convergence does not help with phishing attacks, and that someone with a self-signed cert with a doppelganger domain would show up as legitimate. But this is a problem with all solutions! Right now I could register bankoffamerica.com, set up an email address, and get a certificate issued from a CA because I’ll respond to the confirmation email. CAs have _never_ provided authentication in the sense that “this is who you think it is”. They have only provided authentication in the sense that “This certificate came from the domain owner”. Basically, phishing is a separate issue that would require its own solution. Convergence aims to solve the MITM and trust agility problems.
I do agree that losing the EV info with the certificate is unfortunate, and Convergence would be well served to carry this extra validation forward. However, as has been noted, almost no one _depends_ on EV certs, and most people don’t miss the green bar should it not be there.
Giovanni Bajo
13|Sep|2011 8
It’s true that you can’t register bankoffffamerica.com, and you can get a DV for it, but you can’t get an EV certificate for it. That’s my point: Convergence effectively disables EV certificates altogether, removing this safety barrier for end users. The fact that people might or might not depend on EV is a factor of how much we want to trust EV and CAs in providing EV, and thus how we build browsers around this concept. The end of the blog post hints at a system to provide EV information with crowdsourcing.
somebody
19|Sep|2011 9
I have been working with computers for decades and haven’t even heard of EV certs until reading this article. So, I am pretty sure 99% of the average users out there have not heard of EV certs as well. They have even done studies that show that EV certs do not provide anything to stop phishing because 1. very few people know about them and 2. even if they did, the people who would actually check are pretty much nonexistent.
So your argument that Convergence is worse than the current SSL system b/c it doesn’t support a technology that practically no one uses is pretty crap in my opinion.
Also, if a user doesn’t recognize the URL is bankoffamerica.com, then the user is most likely not going to know about SSL to begin with, let alone EV certs.
And the fact that you think that phishing is a bigger threat than MITM is scary….