Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Moxie Marlinspike's Solution To the SSL CA Problem

timothy posted about 3 years ago | from the disaggregate-someone-today dept.

Security 189

Trevelyan writes "In his Blackhat talk on the past and future of SSL (YouTube video) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It will let you turn off all those untrustable CAs in you browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time."

cancel ×

189 comments

Sorry! There are no comments related to the filter you selected.

Yes! (-1)

Anonymous Coward | about 3 years ago | (#37340308)

We have no bananas.

Pooling Opinions... (4, Funny)

mfh (56) | about 3 years ago | (#37340336)

I always trust what Blackhats tell me.

Re:Pooling Opinions... (2)

Trevelyan (535381) | about 3 years ago | (#37340582)

Well one interesting configuration is to use untrustable notaries (or notaries using untrustable sources), such PRC, DHS, FSB, etc. If any one is trying to trick you with a fake certificate for a MITM attacks, the others are not likely to agree that the certificate is genuine. Unless you believe such state powers would co-operate on getting at your encrypted sessions.

Re:Pooling Opinions... (0)

ags1 (1883204) | about 3 years ago | (#37340980)

So I hijack the router that website is using to access the internet. I install some software on the router to return a fake cert. I see the fake cert. All of the other notaries see the fake cert. It this is popular site the notaries might notice a cert change, but if its a low volume site that the notaries never go to. We all agree the fake cert is valid. How is this more secure? Or I hack the router you use to access the internet... all of the notaries you try to talk to I redirect to me. I say every site is valid regardless if it is or not. How is this more secure?

Re:Pooling Opinions... (0)

Anonymous Coward | about 3 years ago | (#37341072)

How is this more secure?

Presumably because the CA would be running its own notary (or notary check), and thus is able to detect certificate variations?

Wouldn't have helped in the DigiNotar case though, because that CA was already aware of false certificates a month before the shit hit the fan and deliberately kept quiet.

Re:Pooling Opinions... (1)

Hatta (162192) | about 3 years ago | (#37341092)

These days the "black hats" are more likely to be trustworthy than the "white hats".

Notaries... (2)

Wattos (2268108) | about 3 years ago | (#37340338)

I havent watched the video, but my first question would be:
How do you know the Notaries are who they say they are? How can you prevent a (wo)man in the middle attack?

Re:Notaries... (3, Insightful)

Tribaal_ch (1192815) | about 3 years ago | (#37340414)

You don't really need to: You are expected to have more than one notary, so you will only trust the certificate if a majority of your notaries say it's legit. It's actually user-settable: a certificate is considered valid if a "majority say yes" or "at least one say yes" or "consensus is required". Having many notaries reduces the probability of MITM attacks, since the paths from notaries to target certificates are multiple, it's very improbable to MITM all of them at once.

Re:Notaries... (1)

Dogun (7502) | about 3 years ago | (#37340436)

More likely:
If my notaries disagree, let me know. Then you can make a decision - whether it's the BOFA problem (thousands of certs), or a genuine anomoly.

Lserver attack (2)

tepples (727027) | about 3 years ago | (#37340462)

since the paths from notaries to target certificates are multiple

Not necessarily. The server with the target certificate has only one path to the Internet proper, namely through its ISP. Compromising the ISP, which is trivial for a government that maintains a Great Firewall, allows what the whitepaper about Perspectives [wordpress.com] calls the "Lserver" attack: "A compromise of the server’s local link lets an attacker inject arbitrary keys when either clients or notaries contact the server."

Re:Lserver attack (1)

Tribaal_ch (1192815) | about 3 years ago | (#37340518)

In which case, in layman terms, "you're fucked" regardless of whether you're using Convergence or not...

Re:Lserver attack (0)

Anonymous Coward | about 3 years ago | (#37340636)

In which case, in layman terms, "you're fucked" regardless of whether you're using Convergence or not...

No, you're not fucked in the traditional system, the keys for trusted CAs are stored locally, a government could force computer manufacturers to backdoor the machine, or intercept browser downloads to defeat this, but the truly paranoid would do their own OS installs and get their browser executables from a trusted source if they don't trust the ISP.

Re:Lserver attack (1)

maxwell demon (590494) | about 3 years ago | (#37340710)

In which case, in layman terms, "you're fucked" regardless of whether you're using Convergence or not...

Not necessarily. If you have contacted the server before the Lserver attack was started, the information you got from there was not yet compromised. A protocol could use such information to determine whether the current certificate is valid. For example, a new certificate could always get signed with the previous one, so you can verify that even though the site uses a new one, whoever issued that had also access to the previous (which together with the notary system makes Lserver attacks almost impossible unless the attacker also has access to the private key of the previous certificate, because generally many notaries will have contacted the server earlier).

I don't know if Convergence includes such measures, though.

Re:Lserver attack (1)

LBArrettAnderson (655246) | about 3 years ago | (#37340826)

"Not necessarily . . . " Let me stop you there.

Re:Lserver attack (1)

tepples (727027) | about 3 years ago | (#37340850)

because generally many notaries will have contacted the server earlier

Unless an Lserver MITM is in place from day one, which is not unthinkable in the case of a national firewall.

Similarly... (1)

Junta (36770) | about 3 years ago | (#37340556)

If you control the *client's* ISP, you can MITM every single last connection to any number of notaries.

Notaries' public keys (1)

tepples (727027) | about 3 years ago | (#37340648)

If you control the *client's* ISP, you can MITM every single last connection to any number of notaries.

Unless the notaries' public keys (or certificates that verify them) are already on the client's computer somehow.

Re:Notaries' public keys (1)

0123456 (636235) | about 3 years ago | (#37341056)

Unless the notaries' public keys (or certificates that verify them) are already on the client's computer somehow.

But what if those are fake?

Again, you're replacing a broken but kind of works most of the time system with a hand-waving belief that if you trust more people it will all work out OK.

Re:Notaries' public keys (1)

tepples (727027) | about 3 years ago | (#37341180)

In Perspectives, at least, several notaries' public keys are hardcoded into the download, and the download from mozilla.org is secured with traditional HTTPS. So someone would have to forge a certificate for addons.mozilla.org. I don't know whether Convergence solves this problem; I haven't been able to read the article because it's a video, and I haven't been able to find a transcript of the video on the site.

Re:Notaries' public keys (1)

MightyMartian (840721) | about 3 years ago | (#37341324)

I think the idea is that because you would be using multiple notaries and working from a consensus, even if a couple of notaries were undermined, the system would still be more rigorous then the single-point-of-failure system we have now. I think, to assure statistical rigor, you're going to need several notaries, but by spreading the decision point out along a curve, you make the job of any hacker attempting undermine the CA system impressively harder. Say you had ten notaries. It would mean he would have to get into five, or more likely six of them.

I think the idea has some merit.

Re:Similarly... (0)

Anonymous Coward | about 3 years ago | (#37341676)

That gave me the greatest idea: BlackHat ISP - The only ISP you can trust because we're the only ISP being completely honest about reading all your mail, sniffing all your passwords, monitoring all your connections, ... .

Re:Notaries... (1)

chronoglass (1353185) | about 3 years ago | (#37340768)

but knowing a few notaries ip's just means you have to include DNS in your attack now..
I mean, I guess it DOES add one more thing to do raising the fruit a bit.. but I can't say it's that much of a step forward.

come to think of it, I wonder how difficult it would be to create a mask dns server that covered all of the current CA's and always returned that a cert was valid...

Certificates included in extension download (1)

tepples (727027) | about 3 years ago | (#37340430)

As I understand it, certificates of active notaries are included in the download of the Perspectives extension for Firefox [perspectives-project.org] . This download takes place over an HTTPS channel with a TLS certificate verifiable to VeriSign.

Re:Certificates included in extension download (1)

Junta (36770) | about 3 years ago | (#37340600)

So, it's the CA system (a blessed number of authorities with pre-distributed keys), but without any initial validation of the target by people vouching for it? Brilliant!

Embrace certificates signed by multiple CAs and poof, you've added the biggest potential value of this approach while taking on none of the negatives/unknowns.

Re:Certificates included in extension download (1)

LordLimecat (1103839) | about 3 years ago | (#37340640)

Er, Self-Signed certs work, so long as you KNOW you want to trust them. Any attempt to use a different self-signed cert will throw an error, since the cert thumbprints wont match the "trusted" ones.

Re:Certificates included in extension download (1)

0123456 (636235) | about 3 years ago | (#37340922)

Er, Self-Signed certs work, so long as you KNOW you want to trust them. Any attempt to use a different self-signed cert will throw an error, since the cert thumbprints wont match the "trusted" ones.

And, uh, how do you know to trust the key?

You've solved the problem of untrustworthy keys by... ignoring it away.

No, he said you have to KNOW to trust them (1)

YesIAmAScript (886271) | about 3 years ago | (#37341360)

First step thus is to ensure you know you want to trust them.

A great way to do that would be to verify the fingerprint of the cert with someone you trust. You can do this over the phone if you'd like (and trust the phone).

And then once you mark to trust that one, your browser will only trust that one, not derived certs, not bogus certs that match the same site name but are from other CAs.

Re:Certificates included in extension download (1)

LordLimecat (1103839) | about 3 years ago | (#37341398)

At some point you will be downloading either a binary browser, or its source code, or an OS distribution with the browser on it. You MUST be able to trust whatever channel you got them from, otherwise neither SSL nor anything else can work.

Ditto here, you need to have some initial way to get the keys, which is generally with current browsers visiting the site and manually importing its cert, or with the keys being preinstalled on various browsers, and the browser's hash available on the site for comparison to make sure that the binary wasnt modified. Of course, if you cannot trust that the site wasnt hacked, or that your communication with the site tampered with....

Youre right that there is a fundamental problem if you can never trust any mediums ever, then you cant have any kind of workable security-- how do you know a CA wasnt compromised, and DNS compromised, and that youre actually at Gmail.com? Well, in that case, SSL doesnt work. How do you know that GPG key youre importing wasnt tampered with? Well, i guess at that point you cant have a secure GPG setup.

Re:Certificates included in extension download (1)

iluvcapra (782887) | about 3 years ago | (#37341464)

And, uh, how do you know to trust the key?

You confirm the certificate out-of-band by calling the named entity on the phone or meeting them, and comparing the key fingerprint. Only way to do it, really. That's why it doesn't scale.

The US Post Office had a plan... (1)

Maximum Prophet (716608) | about 3 years ago | (#37340520)

How do you know the Notaries are who they say they are?

There was a plan, over a decade ago, where the US Post Office would issue certs to people, sort of the way they issue passports now. You'd go to a PO in person, verify you are you, and they issue you a cert on a floppy. (It was that long ago)

Not a completely bad idea. I wouldn't trust any random POcert to be who they say they are, just that Xyzzy today, is the same Xyzzy as yesterday, unless their cert has been revoked.

From there, you set up a chain or web of trust. I know my friend certs, they know people and so on. If a cert is compromised, the Post Office can revoke it and let everyone know.

Re:The US Post Office had a plan... (1)

houstonbofh (602064) | about 3 years ago | (#37340610)

Wow... A whole chain of people who never read what they are commenting on.

It does not prove that X really is X. It proves that the cert you got for X website is the same as the certs others got for X website. It prevents an unnoticed cert swap. There is no "issuing" of the cert. It can be self signed... Just checking to make sure it is the same cert as yesterday, and for all places. No special cert for the hidden proxy in Iran.

Unless it's a reverse proxy (1)

tepples (727027) | about 3 years ago | (#37340870)

Just checking to make sure it is the same cert as yesterday, and for all places. No special cert for the hidden proxy in Iran.

Unless it's a reverse proxy, MITMing all sites hosted in Iran [slashdot.org] .

Re:The US Post Office had a plan... (1)

heypete (60671) | about 3 years ago | (#37340954)

Interestingly enough, the Swiss Post Office provides that same service [postsuisseid.ch] . One goes to the local post office, shows a valid ID card/passport for identity validation, and can then apply for the certificate (contained in a smartcard, smartcard-on-a-USB-stick, or the "SwissStick" [which has a built-in browser and some other tools]).

The certs chain back to SwissSign, a widely-deployed CA owned by the Swiss Post Office.

I have no idea how widely used such certs are in Switzerland (I only moved here a month ago), but it still seems like a good idea as post offices are available in essentially every town, so validation is easy (compare to finding notaries for the now-defunct Thawte client cert system outside of major metro areas).

If the US Post Office offered such services at a reasonable cost, I would definitely get such a cert. The US State Department would also be a good choice for an issuer, as they already process passport applications (which requires identity verification) so a similar process could be done for certificates as is done for passports.

Re:The US Post Office had a plan... (1)

interval1066 (668936) | about 3 years ago | (#37341312)

This is probably a good idea except for the fact that the USPO is desperately out of cash; there was a report out just yesterday about how they are not able to fund their retirement accounts, and will probably go to 4 day a week service soon. The entire USPO system is going to get re-org'd some time in the not too distant future, and adding a new burden to their portfolio is probably not going to fly any time soon.

Re:The US Post Office had a plan... (1)

MightyMartian (840721) | about 3 years ago | (#37341374)

It certainly underlies the current problem, which is that we've basically opened up cert issuing so widely now that we've undermined the underlying trust. Short of certs you issue yourself, it's getting quite worrisome. The problem, to a degree, is that everyone wanted cheap certs and were pissed off that the old big guys like Thawt and Verisign were charging a lot of money. But the point back then was proof of identity, and not just some guy going on to GoDaddy and buying a cert for $10, or encouraging some absolutely appalling security by firms (like that Dutch firm, whose principles should be taken out and shot).

I almost wonder whether we do need to start insisting on a reasonable level of verification. I mean, passports and drivers licenses are not invulnerable, but there is at least some rigor, and maybe that should be applied to issuing certs.

It reminds me of Perspectives (2)

tepples (727027) | about 3 years ago | (#37340390)

The Perspectives add-on uses notaries scattered throughout the Internet to see if the certificate changes for different routes through the Internet, or if it has changed over time. This detects some man-in-the-middle attacks, but it doesn't detect what the Perspectives project calls the "Lserver attack": a man in the middle placed in the server's only upstream connection to the Internet. Users who have posted comments to recent Slashdot discussions appear to think that governments will mount an "Lserver attack" inside the country's firewall.

Re:It reminds me of Perspectives (1)

houstonbofh (602064) | about 3 years ago | (#37340626)

You can querry the notaries directly when you start up. If there is no match, than you know there is a lserver attack in place, and you move the box.

Move the box out of the country (1)

tepples (727027) | about 3 years ago | (#37340694)

You can querry the notaries directly when you start up. If there is no match, than you know there is a lserver attack in place, and you move the box.

Only the operator of the server can do this or even know that an Lserver attack is in progress. And the operator of a server in a given country that mounts a nationwide Lserver attack is likely going to have a hard time moving a box out of the country.

Re:Move the box out of the country (1)

houstonbofh (602064) | about 3 years ago | (#37340728)

Of course, in that case, the government can just come in and say "Give us root." Or use the ubiquitous xkcd password recovery technique with a wrench. There is no technical fix for that.

Re:Move the box out of the country (1)

Sloppy (14984) | about 3 years ago | (#37341764)

There's no technical fix for it, because one isn't needed. If a government does that on a country-wide scale, too many people know that it's happening, for it to remain a secret.

Re:It reminds me of Perspectives (1)

Svartalf (2997) | about 3 years ago | (#37340668)

They've said it was derived from Perspectives on the website. I'm curious as to what changes they've made.

A solved problem? (1)

afidel (530433) | about 3 years ago | (#37340408)

Isn't this what CRL's are for? I mean some fraudulent certificates have been issued by compromised or seedy CA's, remove the seedy ones from the trust chain and the compromised ones can add the fraudulent certs to their CRL's and improve their security and/or process to make sure it doesn't happen again.

Re:A solved problem? (1)

houstonbofh (602064) | about 3 years ago | (#37340666)

This is just Enumerating Badness. http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com] In other words, it is a game of whack-a-mole where you do not know there is a problem until after lots of people have been fucked. Like in AV software before heuristics.

Re:A solved problem? (1)

afidel (530433) | about 3 years ago | (#37340766)

I disagree, a handful of bad certificates have been issued in the entire history of public PKI. If the CA's do their job it should remain this way. Throwing out the entire system because there have been mistakes makes no sense to me. Trust is a difficult subject and I don't see how the proposed system is superior to PKI, asking users who to trust is probably inferior to a hierarchy of responsible parties as users are notoriously bad at filtering bad actors from good.

Enumerating Goodness (1)

tepples (727027) | about 3 years ago | (#37340812)

From the page you linked: "you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness." There are more than 30 pieces of Goodness in existence; everybody just uses a different set of 30. So what infrastructure allows a home user to enumerate Goodness in a fair, reasonable, and non-discriminatory way?

Re:A solved problem? (0)

Anonymous Coward | about 3 years ago | (#37341370)

I liked that site until he trashed hackers. And the problem with his handling of e-mail attachments is precisely the same sort of badness he decries in "enumerating badness."

bootstrap problem. (1)

characterZer0 (138196) | about 3 years ago | (#37340444)

Sure, I'll download and run code without a crypto hash from a non-HTTPS site.

https://addons.mozilla.org (1)

tepples (727027) | about 3 years ago | (#37340490)

Answer here [slashdot.org] .

Re:https://addons.mozilla.org (1)

maxwell demon (590494) | about 3 years ago | (#37340526)

But isn't that a separate project (although operating on the same idea)?

Convergence vs. Perspectives (1)

tepples (727027) | about 3 years ago | (#37340620)

Perspectives appears to be a more mature project that also operates on the "route diversity" principle of verifying a server's X.509 certificate through notaries scattered throughout the Internet. Does the article say what advantage Convergence has over Perspectives, and specifically to what extent it solves the "Lserver" problem of a MITM between a server and its only link to the Internet?

Re:Convergence vs. Perspectives (0)

Anonymous Coward | about 3 years ago | (#37341002)

Convergence doesn't solve the "Lserver" problem, but CAs don't really solve this problem either.
Convergence is faster than perspectives through the use of caching and doesn't leak your browsing history to your notaries like perspectives.

Re:Convergence vs. Perspectives (1)

tepples (727027) | about 3 years ago | (#37341242)

Convergence doesn't solve the "Lserver" problem, but CAs don't really solve this problem either.

A traditional certificate authority solves the problem by having the server operator generate a certificate signing request (CSR) from his local copy of the certificate. Or are you claiming that the connection in which the CSR is sent and the connection in which the certificate is downloaded will be intercepted?

and doesn't leak your browsing history to your notaries like perspectives.

Does Convergence solve the problem that DNS leaks your browsing history to your DNS server?

Re:bootstrap problem. (1)

houstonbofh (602064) | about 3 years ago | (#37340692)

Sure, I'll download and run code without a crypto hash from a non-HTTPS site.

And you think https is more secure? Have you been reading the news? I think the period should have gone directly after "crypto hash."

Web Of Trust (2, Informative)

hjf (703092) | about 3 years ago | (#37340458)

Web Of Trust, really, are you fucking kidding me? This has been implemented for how long already? Thawte personal certificates for e-mail work like that, with "trusted" notaries and shit.

And this is somehow a NEW AND REVOLUTIONARY idea, because it has a Web 2.0 name like "Convergence"?

Sheesh, the shit one has to put up with.

Re:Web Of Trust (0)

Anonymous Coward | about 3 years ago | (#37340506)

Not to mention that he seems to make a big deal about turning off untrusted CAs in your browser, um, couldn't you do that for pretty much as long as browsers have existed?

Re:Web Of Trust (2)

sgbett (739519) | about 3 years ago | (#37340510)

It's mainly because he's called Moxie Marlinspike.

Only people with cool names can invent things.

Re:Web Of Trust (0)

Anonymous Coward | about 3 years ago | (#37340622)

You people are fscking ignorant. Learn how your shizz works before you try to compare it with new and unique research.

Re:Web Of Trust (1)

CarsonChittom (2025388) | about 3 years ago | (#37340910)

Admittedly, it's a really cool name.

Re: cool names (0)

Anonymous Coward | about 3 years ago | (#37341226)

Moxie is a fairly cool individual, and a better than average sailor.
However, like so many cool people, he was a bit arrogant in person and on thee water.

I would imagine his tech has similar, ahhhhh, moxie!

Re:Web Of Trust (0)

Anonymous Coward | about 3 years ago | (#37341392)

He's kind of a dick, I've lived with him.

City-wide vs. global webs (1)

tepples (727027) | about 3 years ago | (#37340558)

Web Of Trust, really, are you fucking kidding me? This has been implemented for how long already?

A city-wide web of trust is easy: all participants arrange a key-signing party in the city. But a city-wide web of trust allows authentication of a channel only between participants living in the same city. Far fewer participants regularly travel to key-signing parties in foreign countries, mostly maintainers of high-profile free software projects, so the resulting web of trust will have those people as choke points when trying to establish multiple paths through the web of trust between any two given participants.

Re:City-wide vs. global webs (1)

betterunixthanunix (980855) | about 3 years ago | (#37340804)

However, things like FUDCon are held in different places each year, and there are enough people who travel to such things that the web of trust can indeed become global. Whether or not this can scale to the billions of non-technical users in the world is another story.

Re:City-wide vs. global webs (1)

DrXym (126579) | about 3 years ago | (#37341132)

A city-wide web of trust is easy:

Most cities have notaries. Why shouldn't it be possible to turn up at your local notary with your credentials and get them to digitally sign your key? I'm sure there would be other ad hoc ways to bestow some trust. e.g. your ISP / host might sign your cert since you're running on their site, or your business suppliers might sign your key and you theirs. Basically the web of trust could have a formal network of signers and an informal network of signers which would form the web of trust.

I also wonder how big a deal trust actually is for many sites. Many sites run plaintext because trust doesn't matter so much or the hassle of getting a cert is greater than the requirement for trust. So what does it really matter if they run a cert which has not been signed by anyone else. At the very least it would also allow encryption where none existed before which hopefully everyone (except governments, nosy enterprise admins) would see as a good thing.

HTTPS in the address bar (1)

tepples (727027) | about 3 years ago | (#37341400)

Most cities have notaries. Why shouldn't it be possible to turn up at your local notary with your credentials and get them to digitally sign your key?

It should be possible, but it isn't yet.

your ISP / host might sign your cert since you're running on their site

Web hosts such as Go Daddy already charge extra for a certificate, and they charge extra for the dedicated IP address needed to use the certificate. (Go Daddy is known to host upwards of a thousand sites on a single IP address, but Internet Explorer on Windows XP and Android Browser on Android phones still don't support SNI and thus can't see any certificate other than the first certificate on a given IP.) I'd bet ISPs would likewise charge extra for signing customers' OpenPGP certificates in the same way that they charge extra for a static IP.

Many sites run plaintext because trust doesn't matter so much or the hassle of getting a cert is greater than the requirement for trust.

The rise of tools for web session identifier sniffing and replay, such as Firesheep, has caused some sites, such as bugzilla.mozilla.org and addons.mozilla.org, to go all HTTPS all the time.

At the very least it would also allow encryption where none existed before

The rationale I've always seen for throwing up a big warning for self-signed certificates and not for plaintext is that HTTPS in the address bar with an unverifiable public key gives the end user a false sense of security.

Re:Web Of Trust (1)

Anonymous Coward | about 3 years ago | (#37340750)

You should probably watch the video, it's not "web of trust." In fact, the author explicitly talks about why WoT solutions won't work.

Re:Web Of Trust (1)

tepples (727027) | about 3 years ago | (#37340886)

Does this video have a transcript that I can read?

Re:Web Of Trust (1)

sconeu (64226) | about 3 years ago | (#37341524)

Yeah, everyone knows that the REAL thing is the Circle of Trust [imdb.com] !!!

Re:Web Of Trust (0)

Anonymous Coward | about 3 years ago | (#37341122)

You mean you still trust Thawte? Now THIS, is newsworthy!

/there be layers to this post

Re:Web Of Trust (0)

Anonymous Coward | about 3 years ago | (#37341230)

The worst part, is that this is not a web of trust at all!
It still relies on "authorities" (those notaries) and thereby kills the very point of a web of trust!

Trust is inherently personal. Someone's trusted people NEVER can be assumed to be the same as someone else's.

The only proper way to do this, is to create what I have said since more than a decade: PERSONAL webs of trust. Where one personally defines the people one trusts, and how much one trusts them. And those people do the same. And so on.
This renders a list of people with associated trustworthiness based on all the trust factors (Range: [0..1]) in the chain of people multiplied by each other.
If the peer you are connecting to is in that list, the trust in the connection equals the trust in the peer according to that list.
Done.

This will naturally create "authorities" too. But they will be actual authorities, who earned the trust, and were personally chosen by their peers.
But the key difference is that it is impossible to abuse.
Because each and everyone for himself can stop trusting someone he thinks is untrustworthy. And only one person in the chain needs to do this.
So this exponential behavior of growing distrust balances the power of being trusted by a whole tree of peers out. One distrust is just as powerful as one trust.

P.S.: No, this does not protect idiots from trusting the wrong people.
This is deliberate, as otherwise natural selection would be turned on its head.
If one fails, it has to hurt. That is a good thing. If it hurts, normal people learn from that. And if one is too dumb to learn from one's failures, it is morally deeply wrong to support that. Such people are supposed to lose and die out. That is the whole point of evolution. (Well, in this aspect.)
And that specifically includes myself! If I'm too retarded to not act like an idiot, I deserve to feel the pain!
Everything else would be anti-social.

Re:Web Of Trust (1)

elsurexiste (1758620) | about 3 years ago | (#37341670)

P.S.: ...

Wow, if I had to choose a Slashdot comment for the Summer of 2011, this would be it. Is it morally wrong to prevent damage to people who wouldn't know better? I can cite dozens of examples on how a society or service based on the assumption that people should fail, feel the pain and learn is psychopathic. But your comment made me apathetic, so I'll just go for an ad hominem. You are the anti-social here.

Re:Web Of Trust (1)

kangsterizer (1698322) | about 3 years ago | (#37341416)

As far as I can remember there is some kind of mod_gpg for apache that does exactly that. web of trust, but using pgp. its free, and pretty good in fact.
can't seem to find the link tho, probably didn't really get many users.

haha, nerds are so dumb (-1)

Anonymous Coward | about 3 years ago | (#37340502)

The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time."

haha, you nerds can't even figure out how to give me a secure connection to my bank, without me having to micromanage it. no wonder I get the big bucks.

Re:haha, nerds are so dumb (1)

LordLimecat (1103839) | about 3 years ago | (#37340684)

1/10. Troll will possibly garner a little rage, but on the whole easy to spot and not terribly imaginative.

Re:haha, nerds are so dumb (0)

Anonymous Coward | about 3 years ago | (#37340708)

Not even that. I almost posted before you did, because that troll was so much of a failure I was starting to pity it.

Re:haha, nerds are so dumb (1)

hedwards (940851) | about 3 years ago | (#37340788)

Citation necessary, just leave your bank account information here so that the admins can verify the big bucks. I'll do it first.

2******************
7**********
3***************

S****

The cool thing is that the software automatically replaces it with stars when displaying.

It'll work when people use it..... like bitcoin... (1)

djsmiley (752149) | about 3 years ago | (#37340588)

And it'll fail when they don't.

I want it to work, but you need to convince some sites to use it first, such as I dunno...

google.com
hotmail.com
facebook.com...

I didn't check any of these sites, but lastpass caused it to error out, and then every ssl cert ever is invalid. So very much kind of pointless currently, and I can't see the SSL cert providers being very friendly to it either?

Once its actually validating a sensible number of sites then I'll give it another try, for now I just stick to my paranoid "don't trust anyone!" self. I mean hell yeah google have ssl..... doesn't mean I trust them ;)

Re:It'll work when people use it..... like bitcoin (1)

Tribaal_ch (1192815) | about 3 years ago | (#37340646)

This is precisely not required, and does validate those sites just fine. Maybe you should actually RTFA about it before making assumptions?

Re:It'll work when people use it..... like bitcoin (0)

Anonymous Coward | about 3 years ago | (#37340658)

You should watch the video, since it seems like you might not understand how Convergence works. The point is that the site operators don't have to opt in or do anything differently.

A site op needs to check his own site frequently (1)

tepples (727027) | about 3 years ago | (#37340744)

The point is that the site operators don't have to opt in or do anything differently.

Other than use it frequently to see if MITM attacks are in progress. If the majority of notaries are reporting a certificate other than the actual certificate for your site, then your server's connection to the Internet is itself being MITM'd [slashdot.org] .

Re:It'll work when people use it..... like bitcoin (1)

ccguy (1116865) | about 3 years ago | (#37340828)

I want it to work, but you need to convince some sites to use it first

I'll save a couple of steps by saying "I must be new here".

OCSP + Convergence? (0)

Anonymous Coward | about 3 years ago | (#37340664)

A browser plugin is okay to demonstrate the technology, but it doesn't scale and my grandma (bless her heart) won't like it. I'd like to see an OCSP server that uses Convergence under the hood.

Re:OCSP + Convergence? (1)

hedwards (940851) | about 3 years ago | (#37340800)

That's sort of the problem, this is a bit like cod liver oil back in the say, they may not like the medicine, but for everybody's well being they need it. Allowing people to get online who have no idea what they're doing is a recipe for bad things happening.

Use TOR (1)

crow (16139) | about 3 years ago | (#37340822)

One way to improve security is to use TOR to get the certificate as well as getting it directly. This way, if you have a man-in-the-middle attack, you will likely detect it.

This doesn't do anything against someone who is hijacking the entire web site (though DNS hacks, for example), but it does help catch one category of possible attacks.

Of course, browsers should also cache certificates and notice when they change, so you would only need to use multiple paths to get certificates when they change or when visiting a site for the first time.

Re:Use TOR (1)

betterunixthanunix (980855) | about 3 years ago | (#37340874)

This way, if you have a man-in-the-middle attack, you will likely detect it.

Except that it is entirely possible that your Tor exit was performing the MITM, and I would bet that is more likely to happen.

Re:Use TOR (1)

crow (16139) | about 3 years ago | (#37341034)

Yes, but the point is that it is unlikely that a man-in-the-middle attack would catch both your direct connection and a connection routed through TOR. And if the certificates don't match, you know you have a big problem.

Deciding on what to do if you detect a problem is another matter. Perhaps try a wide assortment of TOR exit nodes to get a better world-wide view.

Be my own CA (1)

Lorens (597774) | about 3 years ago | (#37340824)

And when will one be able to one's own CA for one's own domain... I'd be prepared to pay good money for verification of my example.com cert, as long as it can sign certs for NNN.example.com, instead of either buying/getting a cert for every single NNN, or getting a wildcard cert for *.example.com. But no, the common name is just a string, nothing learned from the distributed nature of DNS.

So a web of trust then (1)

DrXym (126579) | about 3 years ago | (#37340834)

I want to know why browsers don't extend SSL to support PGP signed certs. Browsers would allow users to browse a web of trust, including perhaps "notaries" to establish whether they trust the site or not. Obviously it wouldn't be suitable for every site, but it would certainly would for personal sites where the hassle of obtaining a CA signed cert means many sites don't even bother with encryption at all.

Re:So a web of trust then (1)

tepples (727027) | about 3 years ago | (#37340942)

Please see replies to hjf's comment [slashdot.org] .

MITM on Website's End? (1)

LBArrettAnderson (655246) | about 3 years ago | (#37340936)

I made this comment on the youtube video about a week ago, but perhaps I'll get better responses on /. .

What happens when the MITM is on the website's end of things? The notaries will all get the same information. The CA system is able to work around this (mainly by telling you that the certificate isn't valid). How does a notary system know when all of the notaries are being lied to?

Re:MITM on Website's End? (1)

mangobrain (877223) | about 3 years ago | (#37341182)

This is an interesting point, and one I wonder about myself... however, since anyone can be a notary, it may eventually prove infeasible to determine from the server end whether any given connection is from a notary (and hence should present the real certificate) or from a client (and hence should present a falsified certificate, allowing MITM). However, even if the attacker bites the bullet and just presents the falsified certificate to all comers, there are three time windows I can think of when a falsified certificate has a chance to become trusted: when a new notary is asked its opinion of a site for the first time (and hence has no prior record of what the certificate *should* be), when certificates get replaced following expiry/revocation/etc., and when new sites appear. In these last two cases, existing notaries are effectively tasked with determining whether a certificate nobody's seen before is valid, which sounds intractable to me.

I haven't made time to read the research this system is based on, but am very interested in how initial trust in brand-new certificates - whether for new sites, or replacement certs for existing sites - is supposed to be established.

Is it just me or (0)

Anonymous Coward | about 3 years ago | (#37340964)

should we just generate a 16,384 bit RSA key pair transferring it with snail mail and building on that?
Or if every so loves AES why not a 16,384 bit AES key?

After all this is hashed out and communications are working proper then it goes live.

It's all very well... (2)

Alioth (221270) | about 3 years ago | (#37341014)

This project is all very well, but we want SSL to solve two problems today: prevent MITM attacks (which Convergence can do) and *also* identification (in other words, EV certificates) to prevent phishing or at least reduce the chances of phishing.

Unfortunately Convergence only does one of them (prevent the MITM attacks). A much bigger problem, certainly in the west, is phishing rather than MITM attacks. I'd suggest for many people Convergence still needs quite a bit of work before we can start using it in place of the current method of CAs (which I agree is broken).

Why no SSL on the download page? (0)

Anonymous Coward | about 3 years ago | (#37341050)

Some could be altering the plugin during download.

And then what we need... (1)

skrimp (790524) | about 3 years ago | (#37341112)

And then what we need is an "Auto-Notary-Approval-And-Removal" service so that we don't have to do maintenance on our approved list of notaries.

i trust moxie (0)

Anonymous Coward | about 3 years ago | (#37341278)

i trust moxie more than i trust any saas corporation, security consulting company, or government organization.

ta30 (-1)

Anonymous Coward | about 3 years ago | (#37341358)

DNSSEC (0)

Anonymous Coward | about 3 years ago | (#37341448)

Why go to all this trouble? If we have DNSSEC and, store the ssl certificate for each domain in dns as a new type of record then we automatically get a scalable trust network. With this method you don't need any certificate authorities, all domains can use self signed certificates. The browser can simply check that the servers certificate matches the one specified in the DNS which the browser already trusts due to DNSSEC.

PGP + social network signing (0)

Anonymous Coward | about 3 years ago | (#37341632)

Why not use PGP combined with social networks? "All my friends and everybody that works at that bank has signed this key, I suspect that it may be authentic". You can allways trust your friends, relatives and local society more than any CA by the basic principle that it is something you know. My first impression is that this 'Convergence' bring nothing new to the table, only new branding.

Possible problems? (1)

whois (27479) | about 3 years ago | (#37341648)

The concept is sound, but the practice is probably too lofty to take off (armchair assessment)

The problem I foresee is that users won't change notaries based on trust. Most users click yes to anything, don't know what's going on 99% of the time and have no clue/don't want to know how crypto works on the internet. Asking my mom to manage trust relationships is what I am imagining is ridiculous.

So, you need a mediator to manage notaries for you. Your browser vendor can do it, but trusting them is no more a reasoned argument than trusting a CA.

I'm also curious what the analytical benefits would be of running a notary. You wouldn't be able to know exactly who's trusting you for what, but you would be getting lots of information all the time about what users are doing.

I. R. Vindicated (1)

sgt scrub (869860) | about 3 years ago | (#37341768)

I've always trusted self signed certs on machines I know because nobody can request a cert from an unknown entity. I feel vindicated.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?