Following a further security certificate breach, is it time to accept that the SSL ecosystem is broken?
SSL is responsible for many things, such as to:
- encrypt information to prevent snooping;
- prevent the replay of packets;
- authenticate the server, and
- authenticate the client.
However, all web browsers have a built-in list of top-level certificates they trust to perform the authentication of servers. Any of these certificates can be used to authenticate the connection to any secure web server. How can the client computer know if the www.google.com certificate should be signed by one authority or another? How do you know the public computer you are using does not have another authority certificate loaded? Certificate Revocation Lists are rarely useful as browsers typically ignore them and they are useless if the authority is suspect. Users do not check the certificate chain on every connection, nor know which authority should have signed the certificate.
What's the solution? If we assume that DNS can be trusted, then DNS could serve the relevant certificates, or fingerprints. This could have the added advantage that organisations can issue their own certificates which would enable SSL implementation on a much larger scale.
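The "serve fingerprints from DNS" idea in the question is essentially what DANE TLSA records (RFC 6698) do: a record carries a usage, a selector (0 = whole certificate, 1 = SubjectPublicKeyInfo), a matching type (0 = exact bytes, 1 = SHA-256, 2 = SHA-512) and the association data. The block below is an added example, not code from the question or from any real resolver or TLS library. It builds and checks such records on constructed byte strings; in a real deployment the bytes would be the DER certificate and SPKI taken from the TLS handshake, and the record would have to come from a DNSSEC-validated lookup, since the whole scheme inherits the question's assumption that DNS can be trusted.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for the DER-encoded certificate the server presents
# and the SubjectPublicKeyInfo extracted from it. Real code would take these
# from the TLS handshake and an ASN.1 parser.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"

# TLSA field values from RFC 6698.
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
VALID_USAGES = {0, 1, 2, 3}  # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE


def _selected_bytes(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Pick which part of the certificate the record refers to."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def _association_data(matching_type: int, data: bytes) -> bytes:
    """Apply the record's matching type (raw bytes or a digest of them)."""
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def make_tlsa(usage: int, selector: int, matching_type: int,
              cert_der: bytes, spki_der: bytes) -> str:
    """Build the presentation form of a TLSA record, e.g. '3 1 1 <hex>',
    as an operator would publish it for the certificate in use."""
    if usage not in VALID_USAGES:
        raise ValueError(f"unknown TLSA usage {usage}")
    selected = _selected_bytes(selector, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} " \
           f"{_association_data(matching_type, selected).hex()}"


def parse_tlsa(presentation: str) -> dict:
    """Parse 'usage selector matching_type hexdata' into its fields.
    Rejects malformed records rather than silently treating them as a match."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if usage not in VALID_USAGES:
        raise ValueError(f"unknown TLSA usage {usage}")
    # Presentation format allows the hex data to be split across whitespace.
    data = bytes.fromhex("".join(fields[3:]))
    return {"usage": usage, "selector": selector,
            "matching_type": matching_type, "data": data}


def tlsa_matches(record: dict, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the published record.
    A resolver would call this for each TLSA record at _443._tcp.<host> and
    accept the connection only if at least one matches (and DNSSEC validated)."""
    selected = _selected_bytes(record["selector"], cert_der, spki_der)
    expected = _association_data(record["matching_type"], selected)
    # Constant-time compare avoids leaking how much of the digest matched.
    return hashlib.compare_digest if False else \
        __import__("hmac").compare_digest(expected, record["data"])


def any_record_matches(records: list[str], cert_der: bytes, spki_der: bytes) -> bool:
    """Convenience wrapper: does any published record vouch for this certificate?"""
    return any(tlsa_matches(parse_tlsa(r), cert_der, spki_der) for r in records)


if __name__ == "__main__":
    published = make_tlsa(3, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("published record:", published)
    print("presented cert matches:", any_record_matches([published], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("swapped key matches:", any_record_matches([published], SAMPLE_CERT_DER, b"attacker-spki"))
```

Using usage 3 (DANE-EE) with selector 1 and SHA-256, as in the `__main__` block, pins the server's own public key independently of any browser-trusted authority, which is the property the question is after; the cost is that the DNS answer itself must be authenticated, so the check is only as strong as DNSSEC on the zone.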