Black Hat Conference Highlights SSL Trust Issues

Researchers have long highlighted some of the security issues with the Secure Socket Layer system used to secure Internet communication. One of the issues happens to be one of trust as the SSL Certificate Authorities have been compromised in recent months, a researcher told Black Hat attendees.

The attack on certificate authority Comodo in March highlights the problems with the current CA system and the need for replacing it, Moxie Marlinspike, co-founder and CTO of Whisper Systems, said on 4 August at the recent Black Hat security conference in Las Vegas. An Iranian hacker claimed responsibility for the attack in which he managed to trick Comodo into issuing valid certificates for major websites belonging to Google, Microsoft, Yahoo and Mozilla. Comodo did not face any lawsuits or suffer any other consequences for the incident, Marlinspike said.

Trust issues

For the SSL system to work properly, security, integrity and authenticity are needed, according to Marlinspike. Currently, the system does not work as well it was supposed to because authenticity is the weak link, he said. CAs have to ensure that sites are authentic and prevent man-in-the-middle attacks where malicious web sites trick users into accessing a fraudulent page instead of the real site.

“The real story with the Comodo attack is that it’s not unique,” Marlinspike said, noting that it is “happening every day”.

The SSL structure has not been fundamentally altered since the early 1990s, and Marlinspike claimed the original SSL authors told him the security technology used to secure web communications was developed almost as an afterthought. The sheer number of certificate authorities – approximately 650, according to the Electronic Frontier Foundation – means there are plenty that can provide signed certificates to cyber-attackers or maliciously intercept Internet communications.

Comodo’s feisty chief executive Melih Abdulhayoglu agreed with Marlinspike’s assessment in an interview with eWEEK earlier this year. While defending Comodo’s security and practices, he offered a scathing commentary on “fly by night operators offering certificates for $10 (£6)” without any verification process to ensure domain ownership.

Comodo is likely not as trustworthy as it should be, but there is nothing the user can do under the existing system, Marlinspike said. Removing Comodo, the second largest certificate authority, from the list of trusted authorities in the web browser would mean the user would no longer be able to access “a quarter of the Internet”, which is why browser vendors haven’t already done so, he said.

Agility

“The truth is, somewhere along the line, we made a decision to trust Comodo”, Marlinspike said, adding, “And now we are locked into trusting them forever, and this is the essence of the problem.”

The current system doesn’t support “trust agility”, or the flexibility to revise the list of who to trust and who not to trust, according to Marlinspike. Comodo may have been trusted at one point, but now it’s near impossible to remove from the list without making large swathes of Internet “disappear”, he said.

Users also do not have a choice of which certificate authorities to trust under the current CA system, Marlinspike said. When a user accesses a website it connects to the CA authority, which authenticates the SSL certificate. Marlinspike wants to change the system so that the user decides which CA authority to connect with to authenticate the site’s certificate.

Convergence, a Mozilla Firefox add-on released by Marlinspike, is intended to replace CAs. Instead of a certificate authority, there is a notary server that checks SSL authenticity on the user’s first visit to the site. Certificates are locally cached on the browser side and checked on repeated visits. As long as the certificates match, there is no need to access the notary server again. Web site administrators won’t have to make any changes to be available to users using the Convergence plugin to bypass CAs altogether, Marlinspike said.

Implementation questions

While Marlinspike’s ire was directed at Comodo, he distrusted all certificate authorities, including VeriSign. “There isn’t anyone doing a great job,” he said, noting that it was not realistic to expect that any organisation can look at sites “as carefully as necessary” to certify them.

Other issues with SSL were highlighted during Black Hat. According to a survey from Qualys, a significant majority of supposedly SSL secured sites are not actually fully secured, Philippe Courtot, chairman and chief executive of Qualys, told eWEEK. Organisations are implementing the security technology incorrectly, making the websites insecure despite claiming to have SSL. Mixing encrypted and unencrypted data puts users at risk for session hijacking, for example.

“If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?” Marlinspike said at the end of his presentation.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

View Comments

  • Marlinspike and one of the IOActive guys name Mike Ridpath research this year in SSL has literally changed the game. From agility, trust issues to pattern matching SSL can and will be broken. I enjoyed both of these talks on SSL thoroughly at Blackhat - Ridpath's demo was awesome. The way Marlinspike spoke 'bout SSL was uberleet.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago