Has ComodoHacker signalled the end of the CA system?

The CA system has come under fire after ComodoHacker caused carnage, but what is the alternative?

As any IT guy knows, if you can't fix something, replace it. There are alternatives to the CA system. One of the best, at least according to some big names in the security sphere, is researcher Moxie Marlinspike's Convergence model.

It is designed to take the middle men - the CAs - out of the trust decision and hand that power to the user. With the Convergence model, the user's browser fetches a site's SSL certificate directly, then asks a number of "trust notaries" to fetch the same certificate from their own vantage points on the network. The transaction is only authenticated if the notaries' view of the certificate agrees with the user's, which is what lets the model catch a fraudulently issued certificate that would otherwise chain to a trusted CA.


To add a layer of privacy, the user's queries are bounced through one notary acting as a proxy: the proxy learns who is asking but not which site, while the notaries answering learn the site but not who asked. Sounds like a fine idea, no?
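The notary consensus described above, as an added toy simulation written for this page (it is not Convergence's own code and does not use its API). The certificate bytes, notary names and the `fingerprint`, `notary_verdicts`, `decide` and `check_site` functions are all constructed for the example. It shows the three cases a practitioner cares about: everyone agrees, the user is being man-in-the-middled with a CA-signed rogue certificate while the notaries still see the genuine one, and a single notary goes bad under a majority versus a unanimous policy.

```python
"""Toy simulation of Convergence-style notary consensus (added example)."""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a (constructed) DER certificate blob."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_verdicts(host: str, client_fp: str, notaries: dict) -> dict:
    """Ask each notary what it sees for `host` and compare with the client's view.

    `notaries` maps a notary name to the certificate bytes that notary would
    fetch for `host` from its own network location. In real Convergence each
    entry would be the result of an independent TLS connection made by the
    notary; here it is constructed data.
    """
    return {name: fingerprint(seen) == client_fp for name, seen in notaries.items()}


def decide(verdicts: dict, policy: str = "majority") -> bool:
    """Apply a trust policy to the notary answers.

    'majority':  accept if more than half of the notaries agree with the client.
    'consensus': accept only if every notary agrees (one dissenter blocks).
    No reachable notaries fails closed.
    """
    total = len(verdicts)
    if total == 0:
        return False
    agree = sum(1 for ok in verdicts.values() if ok)
    if policy == "consensus":
        return agree == total
    if policy == "majority":
        return agree * 2 > total
    raise ValueError(f"unknown policy {policy!r}")


def check_site(host: str, client_cert: bytes, notaries: dict, policy: str = "majority"):
    """Return (accepted, per-notary verdicts) for the certificate the client saw."""
    fp = fingerprint(client_cert)
    verdicts = notary_verdicts(host, fp, notaries)
    return decide(verdicts, policy), verdicts


# Constructed stand-ins for DER certificates: the genuine one and a rogue one
# issued for the same host by a compromised CA (the DigiNotar scenario).
GENUINE = b"-- constructed DER: example.test, issued by the legitimate CA --"
ROGUE = b"-- constructed DER: example.test, issued by a compromised CA --"
HOST = "example.test"


def scenario_clean():
    """Client and every notary see the genuine certificate."""
    notaries = {"notary-a": GENUINE, "notary-b": GENUINE, "notary-c": GENUINE}
    return check_site(HOST, GENUINE, notaries)


def scenario_local_mitm():
    """An attacker on the user's path serves a CA-signed rogue certificate.

    Ordinary CA validation would accept it; the notaries, connecting from
    elsewhere, still see the genuine certificate, so consensus rejects it.
    """
    notaries = {"notary-a": GENUINE, "notary-b": GENUINE, "notary-c": GENUINE}
    return check_site(HOST, ROGUE, notaries)


def scenario_one_bad_notary(policy: str):
    """One notary is compromised (or itself MITMed) and reports the rogue cert.

    Majority tolerates the dissenter; consensus treats any dissent as a red flag.
    """
    notaries = {"notary-a": GENUINE, "notary-b": GENUINE, "notary-c": ROGUE}
    return check_site(HOST, GENUINE, notaries, policy)


def scenario_colluding_notary():
    """MITM on the client plus one colluding notary: still a 1-of-3 minority."""
    notaries = {"notary-a": GENUINE, "notary-b": GENUINE, "notary-c": ROGUE}
    return check_site(HOST, ROGUE, notaries)


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean), ("local MITM", scenario_local_mitm),
                     ("bad notary/majority", lambda: scenario_one_bad_notary("majority")),
                     ("bad notary/consensus", lambda: scenario_one_bad_notary("consensus")),
                     ("colluding notary", scenario_colluding_notary)]:
        accepted, verdicts = fn()
        print(f"{name:22s} accepted={accepted} verdicts={verdicts}")
```

The point the simulation makes is the one Harley raises below: the policy choice (how many notaries, majority or unanimity) is the user's to make, and each choice trades availability against the chance that a single compromised notary, or a single honest notary that is itself being attacked, swings the result.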

Yet even that model has its limitations. "There are a couple of issues I can see," Harley said.

"Firstly, it throws responsibility for deciding who to trust back down towards the user, whereas the public always wants technical solutions that will save it having to think for itself. Secondly, it has to fight an entrenched commercial model."

Nevertheless, it is a viable option. Time will tell how much support it can gain.

Don't be hasty

If we are to tear down the CA system, it needs to be approached with caution. With any project, especially those involving IT, an incremental approach is almost always best.

Some still argue the CAs have a valuable role; they simply need to be more responsible.

"I don't believe it would be appropriate to abandon the use of certificate authorities without a clear idea of what could replace it. After all, if a criminal gang successfully impersonated the police, few would suggest that we should abolish the police force," said David Emm, senior security researcher at Kaspersky Lab.

"The key, of course, is trust. And I think a critical feature of this incident is the fact that DigiNotar massively under-played the significance of the breach. If trust in any CA is to be maintained, disclosure of any breach is essential."

Emm is right in saying CAs need to get their act together. A number have already been caught out. If any more fall at the hands of hackers, the case for an overhaul of the current model will gain yet more momentum.

For now, the most astute way forward is to find a credible replacement before any radical change is implemented. Right now, Marlinspike's model offers a real alternative. It should be explored and tested now. If the decline of the CAs' reign over web authentication comes, we need to be prepared.
