Has ComodoHacker signalled the end of the CA system?
The CA system has come under fire after ComodoHacker causes carnage, but what is the alternative?
As any IT guy knows, if you can't fix something, replace it. There are alternatives to the CA system. One of the best, at least according to some big names in the security sphere, is researcher Moxie Marlinspike's Convergence model.
It has been designed to take out the middle men - the CAs - by giving the user greater power. With the Convergence model, users are handed the SSL certificates directly, before asking a number of "trust notaries" to download it too. It then relies on consensus from these notaries to authenticate the web transaction.
I don't believe it would be appropriate to abandon the use of certificate authorities without a clear idea of what could replace it.
To add an additional layer of security, the user goes through a proxy notary so they will remain anonymous to the trust notaries. Sounds like a fine idea, no?
Yet even that model has its limitations. "There are a couple of issues I can see," Harley said.
"Firstly, it throws responsibility for deciding who to trust back down towards the user, whereas the public always wants technical solutions that will save it having to think for itself. Secondly, it has to fight an entrenched commercial model."
Nevertheless, it is a viable option. Time will tell how much support it can gain.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Don't be hasty
If we are to tear down the CA system, it needs to be approached with caution. With any project, especially those involving IT, an incremental approach is almost always best.
Some still argue the CAs have a valuable role, they simply need to be more responsible.
"I don't believe it would be appropriate to abandon the use of certificate authorities without a clear idea of what could replace it. After all, if a criminal gang successfully impersonated the police, few would suggest that we should abolish the police force," said David Emm, senior security researcher at Kaspersky Lab.
"The key, of course, is trust. And I think a critical feature of this incident is the fact that DigiNotar massively under-played the significance of the breach. If trust in any CA is to be maintained, disclosure of any breach is essential."
Emm is right in saying CAs need to get their act together. A number have been caught out. If any more fall at the hands of hackers, then the case for an overhaul of the current model will gain yet more momentum.
For now, the most astute way forward will be in finding the perfect replacement before any radical change is implemented. Right now, the Moxie Marlinspike model offers a real alternative. It should be explored and tested now. If the decline of the CA's reign over web authentication comes, we need to be prepared.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.