SSL And The Future Of Authenticity: Moving beyond Certificate Authorities

Video in TIB AV-Portal: SSL And The Future Of Authenticity: Moving beyond Certificate Authorities

Formal Metadata

SSL And The Future Of Authenticity: Moving beyond Certificate Authorities
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have recently started to cause real problems. This talk will examine authenticity within SSL, shed new light on the current problems, and cover some new strategies for how to move forward.
Okay, so there's a well-known problem for speakers at conferences like these. You know, DEF CON's a big place, people are spread out, people are still coming and going, and, you know, at the beginning of your talk probably there's still people coming in, everyone hasn't really made it yet. And so what speakers do is they try and start slow so that nobody misses any of the interesting stuff. So, you know, they'll start with a tedious bio about their background or go into the, you know, the history of the problem that they're going to be talking about. But I don't really, I don't really like that stuff, so I want to try something a little different, or I'm just gonna tell, for the first three minutes here, a completely unrelated, totally random story that has nothing to do with computer security or this talk. Here we go. Story goes like this.

Okay, so just after I'd gotten out of high school, me and some friends had this harebrained scheme where we thought that we were going to travel to the Caribbean, find an uninhabited island and, like, colonize it. Yes, I know, I blamed idiocy on my youth. So, you know, this is, you know, a long time ago, and back then driving was cheaper than flying, so we drove all the way to Miami before getting on an airplane for a short flight into the Caribbean, where we tried to find a boat, etc., and it didn't really work out. Obviously we were very hungry. And so then, you know, on the way back we were driving back up north through Florida, you know, feeling somewhat defeated, and we decided to stop for lunch at some point, and we actually wanted to, you know, stop and get out of the car. So we, we saw this, like, kind of Tex-Mex type restaurant, you know, the kind of place with, like, chips and you sit down that country. So, you know, we stopped, we got out of the car, we started walking towards this restaurant, and, you know, through the parking lot, about halfway there, I was with two friends, and, and one of them realized that he'd left something in the car or that he'd left it unlocked or something like
that, so he turned around, went back to the car, while my other friend and I went into the restaurant. And when we got into the restaurant, we caught the end of their birthday ritual. You know, ever, I feel like these restaurants all have their own sort of unique birthday ritual, they have, like, a special song or something that they sing when people come out. And so we caught the end of theirs, and it was the strangest thing I've, I've ever seen in a restaurant. So they came out, you know, singing, and there's two waiters, and one of them stood in front of the woman whose birthday it was with a little, like, saucer, you know, plate type, you know, almost like you put a teacup on it, but with just a little dab of whipped cream on it and a spoon, and held it in front of her and asked her to close her eyes and open her mouth as if he was going to feed her this whipped cream. Meanwhile, there was another waiter standing behind her with a full pie tin full of whipped cream, and she closed her eyes and opened her mouth, and the dude reaches around, it just slams her in the face, what, with the whipped cream. You know, I mean, this lady's shocked, you know, it's her birthday, she's dressed up, she just gets, like, a pie to the face, you know, no warning at all.

And so my friend and I are standing there, like, you know, looking at this, you know, mouths open, and my other friend is still at the car. So seeing how my friend is staying there looks at me, says, hey, I think it might be Jack's birthday today. So, you know, we come in and we sit down, and I surreptitiously, during the meal, get up and go and talk to the waiter. I'm like, hey, you know, it's my friend's birthday today, I don't know if you do anything here. He's like, oh yeah, we got a thing we do, you know, well, you know, we'll come out. And so I was like, great. You know, I go in, sit back down, we're waiting. Eventually, you know, they come out singing the song and everything, and, you know, our friend is looking a little bit bewildered, did you know, and he later confessed that he thought that
we had told them that it was his birthday so that we could get, like, free cake or something like that. So he starts, you know, willingly playing along, and they put a little hat on him, and then sure enough they, they do the thing where they, you know, hold the little dab of whipped cream in front of him, and closes his eyes, he opens his mouth, and the dude reaches around, bottom, just slams him in the face. And, you know, I knew this was coming, so I had one of those disposable cameras, you know, that he used to use it back then, you know, and I had it under the tables already, and so I got him right, right at the moment, you
know. Just the look on his face was just pure shock. All right, anyway, I hope that
was more interesting than that three-minute, you know, description of my background.

Okay, let's talk about SSL and the future of authenticity. And really this talk is about trust, and I want to start this talk out with another story. It's kind of a downer, but I feel like it's illustrative of the situation that we're in. And the story is about a company called Comodo. They're a certificate authority, and according to Netcraft they certify somewhere between a quarter and a fifth of the certificates on the Internet today, so the second-largest certificate authority in the world. And in March of this year they were hacked. The attacker was able to make off with a number of
certificates, you know, log and Skype, basically everything that the attacker would need to intercept login credentials to all of the popular webmail providers and a few other services. And so immediately after the attack, the founder and CEO of Comodo issued a statement where he said this attack was extremely sophisticated and critically executed, it was a very well orchestrated clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate. He went on to add that all of the IP addresses involved in the attack were from Iran. You know what this means: cyber. But he didn't leave it at innuendo, he actually spelled it out. He said all of the above leads us to one conclusion only, that this was likely to be a state-driven attack. So he's painting a pretty complete picture for us here, right? This isn't just a hack, this is war, and who's to blame Comodo for falling under the full assault of a, you know, a state-sponsored invasion, you know, from a cyber army?

And so ironically it was these statements that really catapulted the story out of the trade press and into the mainstream media, and so a number of reporters called me, and they all have the same question: you know, what does this mean, what can this attacker do? And I said, well, you know, it means they can intercept communication to these websites. And the reporters would say, well, well, how, you know, how would they use these certificates to do that? And I would say, well, you know, I keep just commercial solutions, you know, that the Blue Coat and a few other, you know, kind of scary interception devices out there. And I was talking to one reporter who asked you, she said, no, what is the easiest way, what is the most straightforward way that an attacker would leverage these certificates? And I thought about it and I said, well, you know, the attacker had just used sslsniff, which was a tool that I wrote to perform man-in-the-middle attacks against SSL connections. Now, interestingly enough, when Comodo published their incident report
they also published the IP address of the attacker, which is somewhat unusual, but I think they were doing this to, you know, sort of underscore the Iran, Iran, Iran, Iran thing, you know, because this is, the IP address is registered to a block in Iran. And so, you know, I was thinking about that reporter's question, you know, you know, as this Elson ethanol that's done, and so, you know, I thought, well, I wonder. So I went and I looked at my web logs for my web server where I host sslsniff, and sure enough, the day, the morning after the attack, the same IP address that Comodo had published downloaded sslsniff from my website. Now there's some other interesting things in here. First of all, the attacker's running Windows, and also, interestingly, the attacker's web browser is localized to US English. Hmm. But the most interesting thing was the referer. So I went back to my web logs and I found the point that the attacker, you know, initially made a connection with my web site, so that I could see that the web site that they had been, that they had visited before, and so that referer was a Hak5 video
on using sslstrip. For those of you who don't know, Hak5 is sort of like a, it's like a set of video tutorials that are pretty introductory material for, you know, people that are just getting interested in this kind of thing. So just to break this down for you: on one hand we have the CEO of Comodo
nothing, this is a clinical attack, and on the other hand, you know, we see that the attacker is literally following video tutorials on the internet. I mean, maybe that was a great video, I don't know, I haven't watched it yet. It could have turned him into a clinical attacker, I'm not sure. And then there were a number of
other sort of embarrassing searches that led them to the my same website, and again and again throughout the day. So I saw, I caught the Google search referers, which were things like "SSL protocol man-in-the-middle", "how to iptables prerouting". Apparently he was having some trouble setting up their iptables. Yeah, so I was kind of chuckling about this to myself, you know, and then the attacker posted a communiqué, and it could not have been more embarrassing. I mean, he alternated between making these grandiose, impossible claims about how he's hacked RSA and all this stuff, while simultaneously very proudly declaring that he's capable of doing extremely trivial things, like, you know, he can export functions from DLLs and create his own silk BP eyes and stuff like that. So this could not, could not have been more embarrassing for really anybody involved, you know, the attacker, Comodo. And, but what was worse, he just wouldn't shut up. He just kept posting communiqués, each one more embarrassing than the last, and I think he posted six in total. He also did interviews with the press, and all the stuff was ridiculous.

And so the Comodo CEO and founder responded to these events by making a statement where he said: if this were a secure and trusted DNS, this issue would be a moot point, exclamation point. We need a secure and trusted DNS, exclamation point. So this guy has just very enthusiastically declared that he does not understand the business that he's in. On one hand he seems to be suggesting that DNS tampering is the only way to perform a man-in-the-middle attack, which is just not true, and on the other hand, even if that were true, the reason that we have SSL certificates is to stop man-in-the-middle attacks. If man-in-the-middle attacks weren't possible, we wouldn't need the certificates that he's selling us. Later that month they got hacked two more times, and the next month they got hacked again. Now, you know, normally I wouldn't take this much time to be so critical of a company like Comodo, but I
think it's an interesting story because I think there's an interesting question here, which is: what happened to Comodo, you know, after all of this? It couldn't have been more embarrassing, could not have been worse, really. You know, what happened to them? Nothing. You know, business didn't suffer, they didn't lose customers, they didn't even get sued. You know, really, the only thing that happened to Comodo this year was they were, the CEO was named Entrepreneur of the Year at the RSA Conference. And so I think that this is the, the essence of the problem that we're looking at, you know, this is the problem with SSL today. So let's, let's take a moment and just sort of step back and look
generally at secure protocols. Any secure protocol needs to provide three things: secrecy, integrity and authenticity. It has to provide all three. If one of these fails, the whole protocol will fall apart. But we need to remember that SSL, which is a secure protocol and it's trying to meet these objectives, was designed in the early 90s, and things were different then. You know, there, there wasn't a lot of information available on how to design a secure protocol. You know, books like Applied Cryptography had not been published yet. You know, if you wanted to use RSA the algorithm, you had to license the patent from RSA the company, you had to pay money in order to just even, you know, perform these type of, this type of cryptography. E-commerce didn't exist, the idea of transmitting your credit card number over the internet was totally foreign. There were no such things as web applications, really, you know, people weren't really transmitting their login and password credentials through websites. And the Internet itself is tiny. You know, in 94, that, according to IFC, there were less than five million hosts on the entire Internet. Compare that to today, where the, you know, we're about to run out of public-facing IP addresses at more than four billion, or add four billion. You know, at the time there were probably less than ten secure sites that you could think of, less than ten sites that for some reason you in traffic to be encrypted to these websites, whereas today there are more than 2 million certificates on the internet, more than 2 million sites that are using SSL. At the same time, you know, it's worth remembering that SSL was developed at Netscape, and this was an environment of really intense pressure. You know, the game, the race was really on then, and this is the same place where the series of 4 a.m.
decisions gave us JavaScript, and we're still dealing with that today. So, you know, actually, when you look at it, the designers of SSL were actually pretty heroic. You know, they didn't have a lot to work with, and they were working in circumstances that are totally different than our circumstances today, and yet it served us pretty well. You know, when it comes to these first two things, secrecy and integrity, they did it okay. There've been some problems and there's still some problems, but, you know, the, the piece that has always caused some real friction, is now causing real problems, is the authenticity piece.

Now, authenticity is important, of course, because, you know, normally, if you establish a secure session with a website, the problem is that if you don't have authenticity, someone could have intercepted your connection to that website. They establish a secure session with you, they make their own secure session with the website, and just shuttle data back and forth, logging it in between. But, you know, what's easy to forget is that this attack, a man-in-the-middle attack, was entirely theoretical in 94 or 95. You know, the network tools didn't exist, this wasn't the kind of thing that was actively happening. This is thought of as, like, an academic thing, you know, it's like, oh, well, there's this other thing called the man-in-the-middle attack, and, you know, we need to design something, you know, theoretically, to prevent against that. And so the designers came up with a solution that was certificates and certificate authorities, where every site has a certificate and, you know, it's known to be authentic because it's signed by a certificate authority, which is, you know, just some organization that we decided to trust. So, you know, I had this hypothesis that, you know, that we've outgrown the, sort of, outgrown the circumstances in which SSL was originally imagined, and it is a different world today. And then I thought, well, I wonder if that's true, you know, I wonder what they were actually thinking. And so I
thought, well, I should talk to the people that designed SSL. And so I did some research and I figured out that SSL was originally designed by this guy Kipp Hickman, who was a Netscape employee back in the day, and the last thing that Kipp Hickman posted to the Internet was in 1995, so it was difficult to find him. You know, I talked to the people in Netscape who, like, pointing me in the right direction, and eventually I tracked him down and I basically just cold called him. And, you know, I talked to him on the phone, and he's a great guy, and, you know, and hey, you know, he's like, oh, SSL, yeah, I haven't thought about that in a long time, wow, okay. You know, and he's like, he's like, oh yeah, you know. And I said, so, certificate authorities, what's the deal? He's like, oh, that whole authenticity thing is, I can't, we just threw that in at the end. It's like, you know, SSL, uh, we were designing it to prevent passive attacks for the most part. You know, we heard about this thing, the man-in-the-middle attack, and so we just sort of threw that in at the end. He's like, really, that whole thing with certificates, you know, it was a bit of a hand wave. It's like, we didn't think it was gonna work, we didn't know.

You know, and, you know, like, the idea back then, you could, you could say, made sense, right? You know, if you look at the number of domain names on the Internet, you know, back in 94, when that number of the graph is approaching zero, you know, it makes sense that, okay, maybe you have 10 sites that you could identify as secure sites, and so you have one organization that just looks at those 10 sites really carefully and, you know, makes a decision and signs those certificates. But, you know, if you try and scale that up over time, you know, today, to today, when there's almost a billion domain names on the Internet and ideally we'd like all of them to be secure, it seems a little bit unrealistic to think, well, we're gonna have an organization or even a set of organizations that's gonna look, you know, appropriately closely
at all of these domain names. When I asked Kipp about how he saw the scaling over time, he's like, oh, scaling, we didn't really think about it. He was like, you got to remember, at the time when this was designed, Yahoo was a web page with 30 links on it. It's like, that's what Yahoo was. Okay, yeah, that's different.

And history has really borne this out. Ivan Ristic put together a nice little threat matrix of, you know, all of the possible problems with SSL that have cropped up in the past, and, you know, up over here in this corner you see some of the problems with secrecy and integrity that have come up, but, you know, it's managed to sort of squeak by. And down here there's some of the problems with the, you know, user interaction, these are things like sslstrip. But in terms of the protocol itself, this stuff up here with the authenticity piece has been where all the real problems are. And I think, you know, looking back to the Comodo thing, you know, the lesson from these events shouldn't be that this was cyber war, because I think it's pretty clear it wasn't, but that this is happening every day. You know, that's the real story. You know, one of these domains, the attacker logging, I mean, you know, we should remember that Mike Zusman got this just by asking for it. You know, he didn't have to export functions from DLLs or Caritas and Silvie pis or whatever, you know, he just sent in a request. You know, Eddy Nigg got mozilla.com with no validation at all, just asked for it. VeriSign issued a code signing certificate for Microsoft Corporation to attackers that are still unidentified, you know, they were never, they were never discovered. I mean, this kind of thing happens all the time. Just recently I needed to get an SSL certificate, so I went to this website, SSL in a box dot com, you know, straight to the bottom of the barrel, and, you know, I, it's one of these things where you have to, like, create an account in order to, you know, submit anything. So I go to create the account, and when I click, you know, create, it
just logged me into someone else's account. It's like, that was broken, you know, and I was like, well, you know, I'm not even trying to hack this, I just want a certificate. So, you know, I logged out and I, like, crit, you know, tried to create account, and logged me into someone else's account, and every time I did it I just got a different account. You know, just like, and the thing is, it's like, I didn't even bother emailing them about it, because, you know, I'm sure that they don't even care, right? You know, there's this certificate authority that published the key to their certificate in the public directory of their web server. This is a certificate authority. And the thing is, like, you could, you could kind of understand, I mean, not really, but you might be able to understand how it's possible that someone could have made this mistake, but it's still there. You know, it's not like they, like, were like, oh crap, you know, and, like, removed it. It's since in 2009 the key to the certificate has been available for the public. You know, StartCom recently got hacked, we
don't really know what happened. And you
know, you don't even have to hack anybody. Like, if you've got the money, you can just buy a certificate authority. You can get a CA cert from GeoTrust, I think it's 50 grand. Anybody has 50 grand has been around CA cert, intercept all the communication on the Internet. I really like their iconography in the top right corner, because it really is, you know, it's just like, we're giving you the key to the world. You know, they're not, they're not hiding anything. And what if this were a
state-sponsored attack, this whole Comodo thing? No, I think it's worth realizing that the only reason that Iran would have to hack a certificate authority in order to, in order to issue certificates is because they don't have a certificate authority of their own. But, you know, many other countries do. The EFF put together an excellent project called the SSL Observatory, where they scan the Internet, and they put together a map of
all the countries in the world that are currently capable of issuing certificates and thus intercepting secure communication, and it looks like this. I mean, I don't know if you can see, but way out in the middle of the Atlantic there, there's a little, little red speck. That's Bermuda. Bermuda can issue certificates. So I think the good
news is that the vibe around the sort of thing seems to be shifting from the old vibe of "total ripoff", which I think was just the general perception of certificate authorities, to the new vibe of "total ripoff and mostly worthless". But, so, there's been a lot of talk about, you know, moving forward and replacing certificate authorities with something else, but I think that if we're going to do that, it makes sense to really accurately identify the problem and, you know, figure out what it is that we're trying to solve, so that we don't end up in the same situation again.

Now, there have been, I think, a few sort of general perceptions of what the problem might be. The first is, people look at the EFF SSL Observatory data. So the EFF scan the internet and we put together a graph of all of the organizations in the world that are currently capable of signing certificates, and it's a lot of organizations. In fact, it's six hundred and fifty different organizations are currently capable of intercepting communication. And so I think one simplistic reaction to this is just to say, well, the problem is that there's too
many certificate authorities, there's just too many of them; what we need is fewer certificate authorities. But, you know, I feel like this might be a little simplistic. You know, like, for instance, remember when there was only one and
they could charge as much, do really whatever they wanted? And if part of the problem here is really a scaling issue, where we've gone from maybe 22 seat secure sites to two million secure sites, and ideally we'd like a billion secure sites, you know, it seems like less is not really the answer, right? If anything, we would want more organizations that are capable of being on the ball here. Another kind of general perception is that there's just a few
bad apples: that most of the certificate authorities are cool, and there's just a few certificate authorities that have, you know, given the whole thing a bad rap for everybody else. But, you know, I also don't know if this is true. I think that if you look closely, there's really nobody here that does not have dirt on their hands. You know, even Verisign, back when they were the only game in town, at the same time that they had a business issuing certificates and securing communication, had another section of their business where they were managing so-called lawful intercept services for governments. You know, so the same organization that we had entrusted to secure our communication was also simultaneously making money by intercepting secure communication. And I think if you look closely, there's really nobody here that isn't similarly distressed. Another idea is that it's a scoping issue, right? That the problem is
that the authorities are all in the same scope. So for instance, today two authorities who can sign certificates and just intercept secure communication on the Internet are the Department of Homeland Security and the state of China. And so this idea is, well, the problem is that the DHS can sign Chinese sites and China can sign U.S. sites, and really, if we just separated the scope and, you know, China could only sign sites in China and the Department of Homeland Security could only sign sites in the United States, everything would be cool. And while this might be an improvement, I feel like it's
kind of a low bar. I think there are plenty of people in China that probably don't trust the state of China to certify sites even within their country, and likewise I feel like there are plenty of people in the United States who don't trust the Department of Homeland Security to be certifying their communication either. So in order to answer this question of, you know, what is the problem, I think it's a good idea to look back at the first question: what
happened to Comodo? Well, nothing happened to Comodo. But why? Why did nothing happen? You know, what could we have done? If I decide that I don't trust Comodo, and I don't, the very best thing that I can do is remove them from the trust database in my web browser. I could say, OK, they are no longer a trusted authority. The problem is that if I do that, somewhere between a quarter and a
fifth of the internet just disappears,
totally breaks. I can't visit those sites anymore. I'm sure I could take an ideological stance to never visit those
sites again because they're mixed up in the Comodo cabal of whatever, but really there's no appropriate response. And the thing to remember is that this is as true for browser vendors as it is for you and me. Meaning, you know, a browser vendor cannot remove Comodo from their trust database, because they're just gonna be breaking somewhere between a quarter and a fifth of the internet for all of their users. They're in the exact same situation that you and I are. The truth is that somewhere along the line we made a decision to trust Comodo, and now we are locked into trusting them forever. And I think that this is the essence of what we're looking at today: that we can boil down all the problems that we've had with certificate authorities to a single missing property, and I call this property trust agility. The idea is that trust agility provides two things. One, that a trust decision can be easily revised at any time. You know, there are plenty of people that say, "Oh Moxie, you don't trust anybody." And that's not true. I mean, there are plenty of organizations that I could identify
today that I trust to secure my communication for me. You know, but what seems insane is to think that I could
identify an organization or set of organizations that I would be willing to trust not just now but forever, regardless of whether they continue to warrant my trust, and without any incentive to continue behaving in a trustworthy way. The second property of
trust agility is that individual users can decide where to anchor their trust, and this could be the same thing as saying individual browsers can decide where to anchor their trust. And I think this is important. You know, right now there's this idea of it as a
scoping problem, you know, that Verisign and Comodo are in the same scope, and that, well, if we just separated the scopes, then if Verisign did something particularly egregious, you know, a site like Facebook could switch to a different certificate, and this would actually have some significance because Verisign would be unable to continue signing certificates for Facebook, which is currently not the case. But, you know, I think if it's been a struggle to get websites to
deploy HTTPS or SSL to begin with, it seems a little bit far-fetched to think that they're going to continue making really active decisions in our best interests. And what's worse, in this increasingly globalized world, it doesn't
seem like it's really possible to make one trust decision for
everybody. You know, different people live in different contexts with different threats and, you know, have different needs and probably trusted for name two individuals. And so, you know, what's more, it's our data. It's our data that's at risk, not the site administrator's. It's not the company that's, you know, operating this web service; it's the users' data, and I feel like it should be the users or the browsers who get to decide, you know, who to trust. This property, that individual users decide where they can anchor their trust, is really just a simple but powerful inversion of the way that things already work. You know, currently there's three
entities involved in any one of these transactions. You know, there's the client, the server and the authority, and this trust relationship is initiated by the server. The server, you know, talks to an authority and says, "hey, please certify me"; the authority responds with a certificate that is eventually given back to the user through the site. And, you know, what we're talking about here is just doing a simple inversion, where it's the user or the client that initiates this trust transaction and talks to the authority and says, "please certify the site for me"; the authority certifies that site and responds back to the user. The reason this is so powerful is because now this means the user can decide what authority they need to talk to, which means that this issue of scoping is not such a big deal, right? The fact that the Department of Homeland Security can sign sites, you know, in China, it's not an issue, because users in China will just ignore it and talk to some Chinese authority, or they might decide they don't trust China either and they talk to some NGO or something else instead. I think that these two components of
trust agility are really powerful, and I think that they are exactly what's missing from the CA system today, and that is where all our problems have come from. So I want to take a few minutes to talk about DNSSEC, because there's been
a little bit of talk recently about using DNSSEC to replace the authenticity piece of SSL, and the basic idea is this: you take your SSL certificate on your site and you shove it in your DNS record. That's basically the gist of it. So you have a cert in your DNS record; that way, when a client goes to contact a site, it does a DNS lookup, it gets back a DNS response with not only the IP address but also the server certificate embedded in the DNS response. That way, when they connect to the server, they just make sure that the certificate they see is the same thing they got in the DNS response, and this thing is known to be authentic because it's signed, because we're using DNSSEC. Now, this scheme has a really immediately kind of visceral appeal, and I think it's because people tend to mentally associate DNS with the word "distributed", and distributed sounds really good right now. You know, it sounds like exactly what we need. After suffering under the centralized yoke of certificate authorities for all these years, it would feel good to just wipe them off the page and replace them with a distributed system instead. But when you start to look closely at it, the way that DNS works and DNSSEC works is that it's the information that is distributed. The information in the DNS records is distributed across the various zones on the internet, but the trust is incredibly centralized and hierarchical, and this is actually exactly how the CA system works today, right? The information, the certificates, are distributed across the web servers of the sites that are serving them on the internet, and the trust is highly centralized in this hierarchy of certificate authorities. So the next question is, well, OK, if it's still centralized trust, maybe there's something about the people that we have to trust, or maybe there's some increased trust agility here that would be appealing. So let's look at the trust requirements. There are three main classes of people that you have to trust under DNSSEC. The first is
the registrars. You know, I feel like if CAs are sketchy, these people are, they're taking it up a notch. You know, personally I think it should be laughable that the current first step in deploying DNSSEC is to create an account with GoDaddy. I think that should
be laughable. The second class of people
that we have to trust here are the TLDs. So these are the companies that manage the top-level domains. So in the case of .com and .net, the, you know, largest TLDs on the internet, the company that manages those is Verisign. Same player, same game. If you look at other TLDs like .org and .edu, the, you know, companies that manage them are probably not companies that you've ever heard of. I would at least suggest that if you were to think of who's like a really trustworthy company, you know, who really has a strong sense of integrity, these companies are probably not the first that would come to mind. You know, take a minute to look at the organizations that manage the other TLDs, and look at the executive boards, look at the people managing operations, and ask yourselves: are these the people that I want to trust with all of my secure communication in the future? There's also the country code top-level domains. So does everyone that's using TLDs that are kind of shaped like a OCC and ly trust the corresponding governments for these countries to secure all of their communication? What about TLDs like .ir and .cn? Should the citizens of these countries have to trust their governments with all of their secure communication to local sites? You know, this is the current picture of what
countries around the world are capable of intercepting secure communication, based on the EFF SSL Observatory data. This is what that picture would look
like under DNSSEC. And if the recent
domain seizures are any indication of the future, it seems like these TLDs could be dangerous. And then the third class of people that we have to trust here is the root, and that's ICANN. Now, you know, I don't have any particular beef with ICANN, but while ICANN has made, you know, a great effort to be a sort of global organization, as far as I know, and I could be wrong, but as far as I know, you know, fundamentally they are just a California 501c3 nonprofit, which as far as I know means that they have to abide by laws in the United States. And, you know, this legislation that's been coming up recently, like COICA, PROTECT IP and this kind of thing, you know, to me the real lesson here isn't, you know, whether this passes or not, because there's been, you know, some kind of heroic efforts to prevent this legislation from going through. But I think, you know, the thing to take away from this is that they're trying to pass legislation that messes with this stuff, and maybe one day they'll succeed, and I think, you know, ICANN would be subject to that regulation in that case. You know, the worst part about, you know, all of these organizations is that this system actually provides reduced trust agility. Today, even as unrealistic as it might be, I could still choose to remove Verisign from my list of trusted certificate authorities, but there is nothing that I can do to stop Verisign from being the company that manages the .com and .net TLDs. So if we sign up to trust these people, we're signing up to trust them not just now but forever, regardless of whether they continue to warrant our trust, with no ability to change our mind about whether we should continue trusting them, without any incentives to continue behaving appropriately. So let's talk about things that I'm a little bit more inspired by.
There's a project called Perspectives, which came out of Carnegie Mellon University, and it was done by Dan Wendlandt, David Andersen and Adrian Perrig, and it was originally a paper that was published on using multipath probing in order to provide authenticity for SSH and SSL. And the concept is fundamentally about perspective. The basic idea is this: you connect to a secure site, you get back a certificate, and you think, wow, I wonder if the certificate is good or not. How do I validate it? Well, what you do is you contact an authority, and you say, "hey, what certificate do you see for" in this case. The authority makes its own connection to the site, gets its own certificate back just like a normal web browser would, and then sends that certificate back to you as the client. Now you compare the thing you got from the authority with the thing you got from the site, and you make sure that they're the same. And so what you're essentially doing is you're using some network perspective to get a different view on the same site. You know that you have a different network path from wherever the authority is communicating from. And we call these authorities notaries, and you don't have to talk to just one notary; you could talk to any number of notaries, and they can be distributed around the world, so they each have their own unique network path to the same destination. You're essentially building a constellation of trust. This idea of using perspective is actually not new. It's how SSL works right now. You know, right now, if a site administrator wants
to get a certificate for its site, you know, what does the administrator do? They contact an authority and they say, "hey, could you please issue a certificate for my site?" And what does the authority do? They send an email to the site with a verification code in it, and if the administrator can receive the verification code and, you know, send it back to the authority, the authority issues the certificate. So it's just using another form of network perspective to do the same thing. We're just trying to invert this relationship
so that instead of being site initiated, it's user initiated. Now, Perspectives, when it was released, came with an implementation, but the implementation was kind of limited. It was initially designed for self-signed certificates, and so it has had some challenges. The first big challenge is completeness. Since it was initially designed for self-signed certificates, it only works for the initial connection on the euro browser sense, so it doesn't work for any of the background content: the images, CSS, JavaScript, all that stuff. So it's not possible to really eliminate certificate authorities completely using Perspectives. The second problem was privacy. If every time I, you know,
make a secure connection to a website I have to make another connection to a notary, I'm now leaking my entire connection history to the notary, and that seems a little bit unfortunate. And the last problem is responsiveness.
Perspectives suffered from this idea of notary lag. What would happen is you get
a certificate, you contact a notary and you say, "hey, what do you see for", and the notary would make a connection to and see a certificate. The problem is the notary would cache the response, so that it wasn't constantly having to connect out to all of these sites, and then just periodically, at some interval, poll the site, you know, like once a day or something like that, all the sites that it had certificates for, in order to see, you know, whether the site had switched to a different certificate. The problem is, if the site did switch to a different certificate, your responses from a notary would be invalid for the duration of the poll interval. So what I've done is I've taken, you know, this concept of using perspective and I've built on it to create a system that I call Convergence. Convergence is a new protocol, a new client implementation, and a new server implementation of this concept. The first thing that we do is try and address the Perspectives challenges. We eliminate notary lag by basically, when you contact the notary,
you also send what you saw. So now the notary doesn't have to do any polling; it just has to contact the server in the case of a cache miss or cache mismatch. There's no more notary lag. The next thing that we did was add privacy.
So this is two parts. The first part was through local caching. So now,
whenever you contact a notary and you say, "hey, what do you think of the certificate?", if it says, "hey, this is OK", you go ahead and cache that certificate locally. That way, the next time you connect to the site and you get the same certificate back, all you have to do is check the local cache and say, yeah, this thing is good, and you don't even have to talk to a notary. So now you're only leaking your connection history the first time you visit a secure site, or whenever the secure site's certificate changes. But so, that still doesn't seem that great, so the next thing we do is implement notary bounce. So the idea is that you have a set of notaries that you have configured as notaries that you trust, and you want to talk to all of them, and the first thing that you do is randomly select one of the notaries and assign it as a bounce, and you connect to that notary, and then you tunnel SSL through the notary to all the notaries that you want to talk to. So the bounce notary is just a dumb proxy shoveling bytes around, and it doesn't have any visibility into what you're querying about. The notaries that you're talking to know what you're asking about, but they don't know who you are, and the bounce notary knows who you are, but it doesn't know who you're asking about. These SSL connections to the destination notaries are done using static pre-shared keys that are configured whenever you add the notary to begin with in your browser, just like with certificate authorities. Now, Convergence is a Firefox add-on, and it looks exactly like the normal Firefox
experience. The only difference is in the upper right hand corner, you get this little Convergence button. If you click this button and enable Convergence, you are completely divorced from the CA system. Everything, foreground content, background content; the certificate authority certificates in your web browser are completely ignored. Everything looks exactly the same. The
only difference is that, you know, normally if you visit a secure site and
you put your mouse over the favicon, you'll see a little tooltip about who has certified this canvas communication. The only difference with Convergence is we are taking the certificate authorities completely out of the picture. Everything else works the same.
The notary implementation is available free, open source. Anybody can run their own notary. It requires very little resources and it's designed to be extensible. The protocol is a REST protocol, and the idea is to design a protocol that supported a number of different backends. So by default, the default backend for the notary is to use network perspective, but you could write any number of other backends for the notary. For instance, if you like DNSSEC, the notary could do DNSSEC to validate the certificate on the backend; it wouldn't have to use network perspective. If you're crazy, it could use CA signatures to validate certificates. And you could even use notaries as front ends to other services, like a notary front end to the EFF's SSL Observatory, which the EFF has volunteered to run. And you can configure notaries that do different things; you could have a set of trusted notaries where each one does a different thing. And the Convergence implementation also has a threshold that you can set on, you know, what percentage of the notaries have to agree in order for things to be secure. I think the default is consensus. So what this means is that, you know, in the current CA system, you know, you have some number of certificate authorities, and if one of them is a bad actor, you're completely out of luck. And we're inverting that here, where the more authorities that you have, the more notaries that you configure, the better off you are, because it means that all of
them have to be in cahoots to misbehave and intercept your SSL communication. And we have full trust agility: if we decide we don't like one of these people, we can just remove it, and there are no implications. Everything continues to work exactly as it normally would, nothing breaks, and if you like, you could replace it with a different one that does the same thing because you think they're more trustworthy. Other nice things here are that the servers do
nothing. You know, people's web servers, you don't have to make any changes, which means we don't have to migrate the internet to anything else. All we have to do is implement Convergence in the four major browsers and be done. That would be it; that would be the end of the CA system right there. We don't have to make any changes across the internet anywhere else. Other nice things: you don't get any more self-signed certificate warnings. The concept of a self-signed certificate does not exist in the Convergence system. Certificates are certificates, that's it. There are a few problems. The first is what's known as the Citibank problem. Right now, if you're running Convergence and you visit citibank.com,
you will get a certificate warning, you know, an untrusted certificate warning, and the problem is that Citibank apparently has like a couple of hundred different SSL certificates, and each one is on a different, like, SSL accelerator. So every time you connect, you get a different certificate, which means that all the notaries see different certificates, your browser sees a different certificate, and it looks identical to the case of being attacked. The good news is that there aren't many sites like this on the Internet. In fact, Citibank is the only one that I could find. I'm sure that there are others, but they're pretty rare, and so while we might not need to migrate the Internet, we might have to ask a few of these sites to use sane practices, like not having hundreds of different SSL certificates. The other problem right now
is captive portals. So if you're running Convergence right now and you're, like, in an airport or in a hotel, you know, you want to connect to the internet and you'll get redirected to this captive portal, where you have to type in your credit card number before you can actually access the Internet. Now, you want to secure this connection with the captive portal, but the captive portal is not letting Internet traffic out, so you can't contact your notaries. And so, you know, right now you have to actually just unclick Convergence in order to deal with this thing. But, you know, the good news is that almost always in these captive portal situations they let DNS out, which means that we'd only have to build a Convergence protocol over DNS and it'll work in a captive portal situation as well. You can download the software, I released it yesterday, from convergence.io and try it out. It's in beta. Look at the service stuff if you want to run a notary; set one up, talk to people who might trust you and ask them to configure you as a notary. Even if you're not going to try Convergence or you're not into it, the one question that I want to leave you with here today is: whenever someone is proposing another authenticity system, I think the question that we should all ask is, who do we have to trust, and for how long? If the answer is a prescribed set of people, forever, proceed with caution. In the meantime, try Convergence. Thank you.
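
The client-side check the talk describes (send each notary the certificate you saw, cache approved certificates locally, require the configured share of notaries to agree), as an added Python sketch that is not part of the talk or of the Convergence code base. The `Site`, `Notary` and `Client` classes, the host names and the certificate bytes are constructed stand-ins, the network is simulated in memory, and notary bounce is left out.

```python
import hashlib


def fingerprint(cert: bytes) -> str:
    """Hash used to compare certificates (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(cert).hexdigest()


class Site:
    """Constructed stand-in for a TLS server; each connection gets the next cert."""

    def __init__(self, certs):
        self.certs = list(certs)
        self.connections = 0

    def serve(self) -> bytes:
        cert = self.certs[self.connections % len(self.certs)]
        self.connections += 1
        return cert


class Notary:
    """Default 'network perspective' backend: compare with what this notary sees."""

    def __init__(self, network):
        self.network = network      # host -> Site, as reached from the notary's path
        self.cache = {}             # host -> fingerprint last observed
        self.queries = 0

    def check(self, host: str, seen_fp: str) -> bool:
        self.queries += 1
        # The client sends what it saw, so the notary only re-probes on a cache
        # miss or mismatch instead of polling on a timer (no notary lag).
        if self.cache.get(host) != seen_fp:
            self.cache[host] = fingerprint(self.network[host].serve())
        return self.cache[host] == seen_fp


class Client:
    def __init__(self, notaries, threshold=1.0):
        self.notaries = notaries
        self.threshold = threshold  # 1.0 models "consensus": every notary must agree
        self.local_cache = {}       # host -> fingerprint already approved

    def validate(self, host: str, cert: bytes) -> str:
        fp = fingerprint(cert)
        if self.local_cache.get(host) == fp:
            return "cached"         # no notary contacted, nothing leaked
        votes = sum(n.check(host, fp) for n in self.notaries)
        if votes / len(self.notaries) >= self.threshold:
            self.local_cache[host] = fp
            return "trusted"
        return "rejected"


def demo():
    shop = Site([b"shop-cert-v1"])
    # Constructed site with one certificate per accelerator (the "Citibank problem").
    bank = Site([b"accelerator-%d" % i for i in range(200)])
    network = {"shop.example": shop, "bank.example": bank}
    notaries = [Notary(network) for _ in range(3)]
    client = Client(notaries)
    out = {}
    out["first_visit"] = client.validate("shop.example", shop.serve())
    before = sum(n.queries for n in notaries)
    out["repeat_visit"] = client.validate("shop.example", shop.serve())
    out["repeat_queries"] = sum(n.queries for n in notaries) - before
    # The client's own path is intercepted; the notaries still reach the real site.
    out["intercepted"] = client.validate("shop.example", b"interceptor-cert")
    # The site legitimately rotates its certificate; notaries re-probe at once.
    shop.certs = [b"shop-cert-v2"]
    out["after_rotation"] = client.validate("shop.example", shop.serve())
    # Every connection sees a different certificate, so nobody agrees.
    out["many_certs"] = client.validate("bank.example", bank.serve())
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `many_certs` case is rejected for the same reason the intercepted one is: from the client's side, a site that hands out a different certificate per connection is indistinguishable from an attack.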