The recent Comodo and DigiNotar breaches have proven that the HTTPS trust model is broken. Every browser trusts the opinion of hundreds of Certificate Authorities. If a single one of those CA’s is breached by a hacker, government, or mischievous employee, then you can’t be sure that the HTTPS connection you’re making isn’t being intercepted. To make the problem worse, if a CA (Comodo for example) has a very large share of the SSL market, the browsers can’t just “untrust” them; millions of non-technical users would suddenly start getting HTTPS errors. My proposal addresses both the issues of forgery, and the issues of CAs who are too big to fail.
The concept is quite simple. The implementation, a little more involved. Instead of requiring that a certificate is signed by a single trusted authority, require multiple independent trusted signatures.
If a browser requires that a certificate is signed by at least N trusted authorities (three maybe?), then getting forgeries signed suddenly become much more difficult. There is the problem that some states might be able to compel three different CA’s under their own influence to sign a forged certificate. This could be addressed by requiring that a certificate is signed by authorities in different states. Rather than limiting this issue to “states”, each CA could be assigned (in the browser) a list of entities under whos influence they fall. Each certificate would then have to be signed by a minimum of N authorities who don’t have any overlapping influences.
Too big to fail?
If a browser requires a certificate to be signed by a minimum of three authorities, and people get their certificate signed by four or even five authorities, then no CA is “too big to fail” anymore. Browsers can remove even the largest CA from their trusted root list, and affected certificates will still have enough signatories to be trusted. If forged certificates are found in the wild that are signed by three different CA’s, a temporary “influence” relationship could be created between the three CAs to specify that they have all been compromised by the same attacker.
X.509 certificates do not allow multiple signatories. A new format/version would need to be developed. TLS would need to be updated to support this too. All web browsers would also need to be updated to support this. On the plus side, this technology could be rolled out gradually. Once the browsers support it, they could start off with the requirement that a certificate must be signed by at least one trusted authority. A date could be set where this minimum number increases. Certificates need to be renewed anyway, so this change shouldn’t catch anyone by surprise. We would need co-operation between the major browser vendors for such a roll out; this years World IPv6 Day shows that this sort of co-operation is possible on the Internet, when the problem is large enough. Co-operation from the CAs is guaranteed; if the larger ones don’t want to take part, I’m sure there are plenty of smaller CAs who would prefer to take a larger slice of the certificate market.
Perspectives and Convergence do away with CAs altogether, and introduce the concept of “notaries.” When you visit a HTTPS URL, your browser connects to multiple notaries and asks them if the certificate you’re seeing is the same as the one that other people are seeing for that site. This solution is potentially workable, but it would require a large number of notaries to be created, and for the browser to automatically and randomly choose a default set, preferably run by entities without overlapping influences. 99.99% of end users will not pick and choose their own notaries, nor should they have to. Convergence has addressed end user privacy by configuring notaries as one hop proxies so the IP of the site visitor can’t be easily linked to the site being visited. This is the bare minimum required for privacy.