Another Certificate Authority (CA) Blunder; No Hack Required
The Certificate Authority (CA) system that currently handles how we publicly interact 'securely' with web sites, mail servers, and other services around the world can't catch a break. In the latest black-eye, an Entrust bulletin speaks about how a Malaysian CA called Digicert Malaysia recently issued 22 certificates with glaring CPS violations including the usage of 512-bit RSA keys. At this time, there's no suggestion of fraud or criminal activity being involved, but it's certainly confusing why this would have happened without it.
Back in March, Comodo had a breach resulting in nine fraudulent certificates being created for major web sites (e.g. login.yahoo.com, mail.google.com). Starting in July, DigiNotar was breached resulting in over 530 certificates being created, some of which were used for man-in-the-middle attacks in Iran. Subsequently, DigiNotar went bankrupt.
The real problem here is that trust is given to companies to provide assurances to the world of the validity of servers we connect to daily to transmit personal information. Those same companies are entwined in a web of trust which if one link is weak, there can be a cascading effect for privacy depending on the attackers' capabilities after a successful breach. To that end, our inability to quickly realign our individual trusts with these pre-determined powers that be makes our potential for risk great when a compromise does occur.
Moxie Marlinspike is a familiar name if you've ever heard of sslstrip or sslsniff. His latest project is called Convergence and aims to be a replacement to our current CA reliance. By allowing trust to be quickly added and deleted, we can more easily control who we trust and not rely on seemingly random companies to do the right thing and revoke trust. Further, just getting browser updates for revocations tends to be a hassle and uncoordinated. By using the provided Firefox plug-in, end-users can replace the CA system and not have to be bothered with confusing implementation instructions to start using Convergence. A seamless transition for end-users may just be a reason Convergence could take off.
Clearly adoption of Moxie's project has an uphill battle but it's good to see someone whose made a name out of finding flaws in the very technology we trust in, trying to give us a foothold for a future with more assurance and less rigidity for something as transient as trust is.