In 2011, in the US, Moxie Marlinspike gave a presentation at the Black Hat conference on SSL and the Future of Authentication. In it he discussed how authentication is performed, how it works, the current state of certification, and a number of solutions.
SSL is a protocol developed by the Netscape Corporation in the early 90s in order to make the web safer. Analyzed, SSL provides secrecy, integrity and authentication. In other words, it is an accreditation showing that the connection a user establishes with a server is secure. For example, a website with SSL authentication should provide a communication path that is safe from a Man in the Middle Attack (M.I.T.A.).
Nowadays, for a secure connection to be established, the following steps take place:
1) A website requests to be certified by a company that provides certification (a certificate authority).
2) The certification is issued and the site earns the credentials of that particular company.
3) The user makes a request to access a web page.
4) The credential reaches the user through the website (each site presents its certificate when a user connects).
5) The certificate is considered valid because it was issued by such a company.
In his presentation, Mr. Marlinspike argues that the current state of the credential industry has to change. His arguments are:
• Too many companies are able to issue credentials (about 650), and in some cases these companies cannot be trusted;
• Many issue credentials which are useless and offer no protection at all, and the reliability of certificate authorities is questionable;
• The user has no way to switch authority if he/she does not trust it;
• The way the system works is not safe, not even for the certificate authorities.
On the other hand, Mr. Marlinspike proposes a different model that is modern and solves a number of these issues. The model is called “Trust Agility”, and the name is not a random one: the model is all about the user and his/her power to choose a certification company of his/her own preference. That way, the user can pick the company he/she trusts the most and that offers valid credentials. Furthermore, if for any reason the user stops trusting a specific authority, switching to a different provider is as easy as a walk in the park.
Bottom line: our data has to be protected and the trust issue is very important.
In plain words:
1) The user initiates the trust relationship, instead of the website;
2) The user asks a certification authority to validate a website;
3) Finally, the certificate is given to the user directly.
In addition, another recommendation is a Firefox add-on called Convergence. This add-on implements a new protocol, introducing new client and server implementations. Furthermore, local caching is now supported, and SSL memory-leaking is prevented through the use of Notary Bounce. The add-on offers completeness, anonymity/privacy and responsiveness. The software was created by Mr. Marlinspike, based on a previous add-on, and he built it so that it is extensible for future changes and threats.
Finally, this presentation was very interesting and educational. The current systems of authentication, and the companies involved, have to change so as to become more agile and trustworthy. Every six months a new threat is revealed, and it will harm our valuable personal data unless we stay on top of this game.
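The Trust Agility steps and the Convergence notary idea described above can be modelled in a few lines. The following is an added example, not the author's text or Convergence's own code: it assumes hypothetical notary hostnames, constructed certificate bytes in place of real DER, and three threshold policies (minority, majority, consensus) as a way of showing how a user-chosen set of notaries votes on the certificate fingerprint the client observed.

```python
import hashlib
from collections import Counter

# Constructed sample data, not real certificates: two candidate DER blobs for
# the same hostname and the SHA-256 fingerprint a client would compute from each.
def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

GENUINE = fingerprint(b"constructed DER: example.test, genuine key")
INTERPOSED = fingerprint(b"constructed DER: example.test, interposed key")

# What each hypothetical notary observed when it connected to example.test from
# its own network perspective; None models a notary that did not answer.
NOTARY_VIEWS = {
    "notary-a.example": GENUINE,
    "notary-b.example": GENUINE,
    "notary-c.example": INTERPOSED,   # this notary's own view is being tampered with
    "notary-d.example": None,
}

def query_notaries(trusted: set, views: dict) -> dict:
    """Trust agility: only notaries the user currently trusts are consulted."""
    return {n: views.get(n) for n in trusted}

def decide(observed: str, answers: dict, policy: str = "majority") -> bool:
    """Accept the certificate the client saw only if enough trusted notaries saw
    the same fingerprint. 'majority': more than half of the answering notaries
    agree; 'consensus': every answering notary agrees; 'minority': at least one
    agrees. Unanswered queries never count as agreement."""
    votes = Counter(fp for fp in answers.values() if fp is not None)
    agree, answered = votes[observed], sum(votes.values())
    if answered == 0:
        return False          # no perspective available: do not trust blindly
    if policy == "consensus":
        return agree == answered
    if policy == "minority":
        return agree >= 1
    return agree * 2 > answered

def check_host(observed: str, trusted: set, policy: str = "majority",
               views: dict = NOTARY_VIEWS) -> bool:
    return decide(observed, query_notaries(trusted, views), policy)

if __name__ == "__main__":
    user_trust = {"notary-a.example", "notary-b.example",
                  "notary-c.example", "notary-d.example"}
    print(check_host(GENUINE, user_trust))               # True: 2 of 3 answers agree
    print(check_host(INTERPOSED, user_trust))            # False: only 1 of 3 agree
    print(check_host(GENUINE, user_trust, "consensus"))  # False: notary-c disagrees
    user_trust.discard("notary-c.example")               # user stops trusting notary-c
    print(check_host(GENUINE, user_trust, "consensus"))  # True
```

Dropping a notary from the trusted set is the whole "switch provider" step; nothing on the website's side has to change.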