Skip to content
Biz & IT

SSL fix flags forged certificates before they’re accepted by browsers

An IETF proposal hopes to mend cracks in the Internet's foundation of trust.

Dan Goodin | 27
Credit: tack.io
Credit: tack.io

Researchers have proposed an extension to the Internet's foundation of trust that's designed to root out fraudulent secure sockets layer (SSL) certificates before attackers can use them to impersonate online banks and other sensitive websites.

The proposal, which was submitted Wednesday to the Internet Engineering Task Force, is designed to mend a fundamental crack in the SSL system, which is also referred to by a successor protocol called TLS, or transport layer security. With some 650 entities around the world authorized to issue digital certificates trusted by Internet Explorer, Chrome, Firefox, and other browsers, all it takes is the incompetence or malfeasance of one of them to bring the system down. That single point of failure was underscored by last year's breach of certificate authority DigiNotar, which led to the issuance of a fraudulent credential used to snoop on 300,000 Google Mail users, most of whom were in Iran.

The lightweight extension, known as TACK or Trust Assertions for Certificate Keys, was devised by independent cryptographers Moxie Marlinspike and Trevor Perrin. The opt-in system works by allowing SSL sites to sign valid SSL certificates, the domain name, and an expiration date with a TACK key. Once an end user has visited the site a few times using a TACK-compatible browser, a "pin" for that site is activated on the user's computer. If the end user later encounters a forged certificate for that same site—as was the case when DigiNotar was breached—the browser will reject the session and return a warning to the user.

"In the TACK world, the only real role the certificate authority plays is in that first time you connect to a website, that first leap of faith you have to take," Marlinspike told Ars. "You can imagine that being a much easier problem to solve than every time you connect to a website validating that this is correct."

Ars Video

 

Like Google certificate pinning—only different

TACK is in some ways akin to a certificate-pinning mechanism Google has built into its Chrome browser. The feature attaches a static list of certificate authorities that are allowed to sign certificates for Google.com and a limited number of other domains. If a Chrome user is presented with a credential from a different authority, the session is blocked. It was this feature that led to the discovery of last year's fraudulent Gmail certificate in the first place. (Google engineers have submitted their own IETF proposal that in many ways resembles TACK.)

Unlike Chrome certificate pinning, TACK is designed to be dynamic, so people using compatible browsers can activate pins automatically. That means the proposed system can potentially scale to accommodate millions of sites and multiple browsers. Web masters need only to add an "end-entity certificate" to their TLS configuration, and developers need to add code that allows their browsers to process the additional information on the TACK-protected servers.

"TACK is an extremely simple protocol, and the messages are tiny," Nate Lawson, a cryptographer who has reviewed the proposal, wrote in comments submitted to Hacker News. "It is really one of the few initiatives in recent times to have a huge impact on your family's actual security, as well as dissidents in countries like Iran."

Other cryptography or security experts who have reviewed the proposal include Adam Langley and Chris Palmer of Google, and Cambridge University PhD recipient Joseph Bonneau.

While Chrome users who were presented with the fraudulent Gmail certificate from DigiNotar were warned, people using Firefox, Internet Explorer, or other browsers received no such alert. What's more, Chrome's certificate-pinning mechanism wouldn't have warned of fraudulent certificates impersonating other forged credentials that resulted from the same hack. Under TACK, things could have been much different. People who used a compatible browser to successfully visit a TACK-compliant site more than once or twice would have received a warning that the credential didn't match the digitally signed information stored on the underlying server.

TACK is backward compatible with the current SSL system, meaning sites or browsers that don't adopt the new protocol will work exactly as they did before.

"What we're saying is that in addition to [or perhaps instead of] having the website certificate signed by some certificate authority... this public key is also signed by a TACK key," Marlinspike said. "It definitely takes a step away from certificate authorities in the sense that you're not depending on the security of CAs for all of your SSL traffic. And it provides a nice mechanism for other proposals that are trying to replace certificate authorities altogether."

Marlinspike, whose security company Whisper Systems was recently acquired by Twitter, is the author of one such SSL proposal, called Convergence. (His IETF proposals are independent of his work for Twitter.) A separate alternative is dubbed Mutually Endorsing CA Infrastructure by open-source software developer Kai Engert.

Listing image: tack.io

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
27 Comments
Prev story
Next story