
Bit9

Moxie Marlinspike’s Black Hat talk was one of the most significant this year, since it proposes a solution to arguably the most troublesome issue with web security today. You may recall that major Certificate Authority Comodo (or one of its many sub-entities) was breached, resulting in the theft of certificates for major domains: login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, and “Global Trustee” (uh, ok, that last one’s weird). The certificates were not technically stolen – they were fraudulently issued, or forged, using stolen system credentials at the Certificate Authority.

The breach means that the thief has the ability to perform man-in-the-middle (MITM) attacks on visitors to those sites, assuming that the thief is in a position to be the MITM, stealing even encrypted content. How is this possible? Quick review:

Web sites provide digital certificates to visitors, cryptographically proving their identity (read: domain name) and forming the basis for an encrypted channel. That’s not sufficient to authenticate identity, however. If all a web site provides is a “self-signed” certificate, it’s akin to trying to walk through airport security by saying “I’m Dan Brown and I am who I say I am” without any further proof of identity. What’s needed for web security is a Certificate Authority – a trusted verifiable third party that provides attestation about the certificate for the web site being visited. In the airport security example, I can provide proof in the form of my driver’s license that some authority, in this case the Commonwealth of Massachusetts, attests that my likeness is associated with my name, using a document that is ostensibly difficult to forge.

A MITM attack can succeed if either the web site’s certificate is self-signed, or the certificate chain to the Certificate Authority has been compromised, including forged certificates. I’ll skip the tedious details of the cryptographic techniques involved in the attestation as they’re a bit daunting for a blog post. Suffice it to say, your browser is preloaded with all of the trusted third-party certificates required to take part in this web security scheme. When the web site you browse to uses self-signed certificates, you get a warning which most users will click through without thinking much about. When the MITM has forged a certificate – no warning; your browser thinks the MITM is google.com or live.com, etc.

And so we come back to the problem – stealing certificates. The problem that Moxie points out (and has been well known for a long time) is that the system of trust breaks down if I can easily steal your driver’s license and paste my picture on it (the analogy is starting to break down at this point, but hopefully you get the idea). Moxie proposes a solution to the problem – a solution available now, with no modification to the way certificates are used, servers are implemented, or any other architectural changes. In fact, I am writing this post via a web app over a secure web connection authenticated without the use of any Certificate Authorities.

Significant enough?

How does it work? We need to go back to the problem that certificates were meant to solve – the MITM attack. To break web security, the MITM attacker provides you with a different (forged) certificate. It has to – since the cert must include its own cryptographic key pair in place of the original web site’s pair. Now, what is the MITM in the “middle” of? It’s between the client and the web server. This means that other clients, not subject to the MITM attack, have access to the original web site certificate. Moxie’s solution takes advantage of this fact.

“Convergence”, as he calls it, is a Firefox browser plugin that replaces the traditional certificate verification process that involves Certificate Authorities. Instead, the client checks with other nodes, called “notaries”, asking them whether they see the same certificates that the client sees. If there isn’t a match, it’s likely that there is a MITM attack. In one elegant stroke, Convergence does away with Certificate Authorities and certificate chain verification, and makes self-signed certificates just as valid as CA-issued certificates. No more scary warnings in your browser when you visit web sites with self-signed certificates.
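The notary comparison described above, as an added sketch that is not Convergence's own code or wire protocol. The `Notary` class, the SHA-256 fingerprint, the `min_agree` quorum and the certificate bytes are all assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample data: stand-ins for DER certificate bytes, not real certificates.
ORIGINAL_CERT = b"constructed cert: CN=example.test, self-signed, server key A"
FORGED_CERT = b"constructed cert: CN=example.test, attacker key B"

def fingerprint(cert_der):
    # SHA-256 is an assumption of this sketch; the post does not name a hash.
    return hashlib.sha256(cert_der).hexdigest()

class Notary:
    """Hypothetical in-process stand-in for a remote notary with its own network path."""
    def __init__(self, name, view, reachable=True):
        self.name, self.view, self.reachable = name, view, reachable

    def observe(self, host):
        if not self.reachable:
            raise ConnectionError(self.name + " unreachable")
        cert = self.view.get(host)
        return fingerprint(cert) if cert is not None else None

def check_certificate(host, presented_der, notaries, min_agree=2):
    """Compare the certificate the client was handed with what each notary sees."""
    seen = fingerprint(presented_der)
    votes = Counter()
    for notary in notaries:
        try:
            observed = notary.observe(host)
        except ConnectionError:
            votes["unreachable"] += 1   # no evidence either way
            continue
        votes["match" if observed == seen else "mismatch"] += 1
    if votes["mismatch"]:               # any disagreement: likely MITM on the client's path
        return "reject", dict(votes)
    if votes["match"] >= min_agree:     # min_agree is an assumed quorum policy
        return "accept", dict(votes)
    return "inconclusive", dict(votes)  # too few answers; do not fail open

# The notaries' vantage points are outside the attacker's position, so they see the original.
NOTARIES = [Notary("notary-1", {"example.test": ORIGINAL_CERT}),
            Notary("notary-2", {"example.test": ORIGINAL_CERT})]

if __name__ == "__main__":
    print(check_certificate("example.test", ORIGINAL_CERT, NOTARIES))
    print(check_certificate("example.test", FORGED_CERT, NOTARIES))
```

The self-signed original is accepted because both notaries see the same bytes, while the forged certificate is rejected even though nothing about its issuer is examined.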

One downside at the moment is that this only applies to web traffic. “Web” does not equal “Internet”. What about other protocols that use certificates, like VPN? The approach used by Convergence would apply equally well, but the clients would need to be changed, in the same way that the Convergence plugin modifies Firefox’s behavior. There are other potential subtle issues involving vulnerabilities with DNS which need to be addressed – perhaps a subject for a future post.

For now, this is largely a proof-of-concept. There are only two notaries, presumably run by Moxie. So for the moment, using Convergence means trusting Moxie’s plugin and notaries instead of the plethora of Certificate Authorities listed in my browser’s database… I can live with that.

How happy do you suppose the Certificate Authorities are about this? How bad do you suppose I feel for them? I’ll give you a hint – both questions have the same answer.
