Home / News

Proposal on How SSL Certificate Industry Should Be Replaced Gains Some Momentum

SSL replacement proposal made by security expert Moxie Marlinspike, last August at the Black Hat Conference (called 'Convergence'), is gaining some momentum, particularly after the recent hacker attacks on DigiNotar, GlobalSign, Comodo and other SSL certificate authorities that have resulted in fake certificates coming into use on the web, including a fake Google certificate, since revoked. Marlinspike thinks this whole system — which props up the multi-million-dollar certificate authority business today — should be dumped in favor of the idea of the user more directly controlling how the browser trusts certificates based on so-called Convergence "notaries" proving online feedback about what to trust.

Read full story: Network World

Related topics: Cyberattack, Cybercrime, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Two things David A. Ulevitch  –  Oct 12, 2011 10:48 AM PST

This has been in the works for a LONG time, and discussed for a while.  SSL has always been a sham.  Momentum had been quietly building for a while, and it just took a few CAs to bring it into the mainstream light.  The idea of embedding SSL fingerprints in DNS has been discussed for years, for instance.

So my two thoughts:
1) This is definitely going to happen.  Chrome will be pushing it the Google way, and Moxie (and many others) will push it the other ways.  Both will probably gain traction.
2) This makes Verisign look very smart for selling off the SSL business to Symantec.  And makes Symantec look like the goofballs they usually are.  Their absolute lack of real security vision is second to none.

IETF DANE Paul Vixie  –  Oct 13, 2011 6:10 AM PST

The certificate authority system used by the web's e-commerce system is indeed weak.  What's less certain is that it ought to be replaced by multiple approaches, one from Moxie, one from Google, and so on.

The Internet Engineering Task Force (IETF) has a DNS-based Authentication of Named Entities (DANE) working group and is a dozen revisions into a DNSSEC profile for authenticating the certificates needed for e-commerce.

This protocol will work, it will be as secure as DNSSEC itself, and it will scale.  I urge the technical and business communities to get behind a single global standard to replace the X.509 certificate authority system.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Introducing the Verisign Quarterly DDoS Trends Report

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Sponsored Topics

dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNS Security

Sponsored by
Afilias
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Verisign

Security

Sponsored by
Verisign