Google researchers propose way out of the SSL dilemma

In a paper entitled Certificate Authority Transparency and Auditability, Google researchers Adam Langley and Ben Laurie have proposed new measures for improving the trustworthiness of the public key infrastructure (PKI) underpinning HTTPS. The researchers' idea is based on a public list of all certificates ever issued by certificate authorities.

There are two problems with the current system for secure web sites. Firstly, if an attacker is able to penetrate any one of the more than 100 certificate authorities and obtain a certificate for a server such as ebay.com, end users have no way of spotting the fraud. Secondly, it is also impossible for a company such as eBay to determine that a CA has issued an unauthorised certificate for its servers.

The researchers believe that a public list would help alleviate both problems. Whenever an HTTPS web page was accessed, browsers would check that the certificate supplied by the server was on one of these public lists. If the certificate was not present, the browser would treat it as untrusted. Companies would also be able to actively monitor the lists, enabling them to discover any fraudulently issued certificates. Criminals who managed to obtain fake certificates would no longer be able to make use of them. Merkle signature trees would be used to ensure the integrity of the lists.

Whether the proposal will be implemented and, if so, over what sort of timescale, is still undetermined. An alternative approach – in the form of the Firefox extension Convergence – is being pursued by security expert Moxie Marlinspike.

(sno)