The SSL certificate authority system is broken and it's time to move on, security researcher Moxie MarinSpike told the Black Hat conference in Las Vegas.
Certificate authorities (CAs), which issue the digital SSL certificates used by websites to validate their identity to visitors, suffer from a myriad of problems, Marlinspike, co-founder and CTO of security and management solutions provider Whisper Systems, said during his presentation titled “SSL and the Future of Authenticity.”
For starters, he said, too many organisations today are capable of issuing a certificate for any domain name. Moreover, while some CAs are considered to be more reputable than others, all such companies “have dirt on their hands,” Marlinspike said.
The latest CA to suffer a public trust issue is Comodo, which in March revealed that it had mistakenly issued nine fraudulent certificates for big-name sites like Google, Yahoo, Skype and Hotmail.
“There isn't anyone doing a great job,” he said.
“It's not realistic that any organisation today, or a set of them, can look at sites as carefully as necessary to certify them.” As a potential solution, Marlinspike on Thursday released a tool designed to replace the CA system.
The tool, called Convergence, is an add-on for the Firefox web browser, which essentially inverts the current CA system, giving more power to users.
The tool allows users to decide which organisations to trust, instead of having to rely on the decisions of a site's administrator. Users would be able to take their pick of so-called “trust notaries," which would authorise their communications by default. The program aims to address what Marlinspike calls the lack of “trust agility” offered by CAs, he said. Currently, if a user decides to not trust Comodo, VeriSign or any other CA, there isn't much that can be done.