SSL Is Not An Adequate Site Identification System
Posted by Terry Smith on 03/27/2011 at around 7:24 PMI’m back! After over a year of this blog being down, being used a testing ground for new projects, and having no content, I’m hoping to make a return to semi-regular blogging.
To kick things off I want to discuss the fiasco that is happening with SSL. A while ago, one of Comodo’s certificate authority servers which generates SSL certificates was hacked and used to generate real certificates for some top sites including Yahoo and Windows Live Mail, Google, and Skype. Those certificates have now been revoked, and Comodo has blamed “evil” governments abroad, and the issue had finally started to blow over.
And then, today, an Iranian hacker came out claiming that it was him, a single person who had perpetrated the attacks and vowing more of them. And this hacker is right about one thing: who knows how many of these happen non-publically. Ars Technica says that the CA trust system is broken, and in part I agree. But I don’t think the issue is trust from a root Certificate Authority to it’s resellers, I think the issue is that we use SSL as a site verification system at all.
SSL does a really good job with what it was originally intended for: encryption. Data is encrypted on the client, decrypted on the server, and vice versa. My payment information cannot be read by someone in between or who is monitoring data on an open wireless connection, and as we’ve all heard over and over again it would take 1000 servers a million years to crack the code (or something like that).
But then browsers and certificate authorities started using SSL as a means for verifying that the site they were connected to was the right one, which to me is a separate issue. It was certainly a logical step at the time, and it makes sense that the actual site should be the only one who has an SSL certificate. But with recent vulnerabilities like the NULL byte attack a few months ago, and this recent attack of “trusted” resellers and certificate authorities, I think it’s time to re-think the way we verify a site’s identity.
There’s a huge market opportunity here and now is the perfect time to capitalize on it (and I imagine it’s going to continue to be a good time until another solution comes along). While I don’t yet have an idea on implementation, I will follow up if I do.
I’m excited to see what you guys come up with.