Looking for a SSL Fix

Tuesday, December 6, 2011 @ 06:12 PM gHale

To improve the security of the Secure Sockets Layer (SSL) encryption protocol that millions of websites use to protect communications against eavesdropping and counterfeiting, Google security researchers are looking at an overhaul.

The changes would fix a structural flaw that allows any one of the more than 600 bodies authorized to issue valid digital certificates to generate a website credential without the permission of the underlying domain name holder.

Targeted Attacks on Rise
Compromise: When to Revoke Certificates
Microsoft Fixes SSL Miscue
DigiNotar Out as CA Provider

The consequences of fraudulently issued certificates came to light in late August when hackers pierced the defenses of Netherlands-based DigiNotar and minted bogus certificates for Google and other high-profile websites.

One of the fraudulent credentials, for Google mail, was used to snoop on as many as 300,000 users, most of them from Iran.

Under changes proposed by Google security researchers Ben Laurie and Adam Langley, all certificate authorities would have to publish the cryptographic details of every website certificate to a publicly accessible log cryptographically signed to guarantee its accuracy. The overhaul, they said, should make it impossible – or at least much more difficult – for certificates to go out without the knowledge of the domain name holder.

“We believe that this design will have a significant, positive impact on an important part of the internet security and that it’s deployable,” Langley said. “We also believe that any design that shares those two properties ends up looking a lot like it.”

Some of the ideas overlap with recommendations recently published by the Electronic Frontier Foundation for improving the security of SSL.

While few disagree that SSL in its current form is broken, finding agreement on a way to fix the fragile certificate authority infrastructure has been difficult. Indeed, within hours of Laurie and Langley’s plan going public, critics were already saying it was unworkable. Among the complaints was the idea it would require the divulging of information considered proprietary in the fiercely competitive market for SSL certificates.

“I assume that CAs wouldn’t agree to provide their entire customer data to the public (and competition),” Eddy Nigg, COO and CTO of StartCom, the Israeli-based operator of StartSSL. He held out a voluntary set of baseline requirements recently adopted by the CA/Browser Forum as a more effective fix. Members of the forum hope to make the requirements mandatory for all CAs.

Nigg also said Laurie and Langley’s proposal could place significant technical burdens on website operators and browser makers. One or more authorities would have to be established to compile the lists around the clock and make them available to millions of users each time they access an SSL-protected page, and both activities would require considerable bandwidth and processing resources to be done properly.

Leave a Reply

You must be logged in to post a comment.