Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

5 Schemes For Redeeming Trust In SSL


While many pundits would agree the SSL and certificate authority (CA) trust model has some serious flaws, the ubiquitous protocol isn't going anywhere anytime soon. As a result, various members of the security community have dreamed up a number of different solutions to "fix" SSL--primarily by making adjustments to how public keys and certificates are created and processed in order to better secure users' Web experiences.

Some ideas look similar, others are mutually exclusive, and each has its own pros and cons. For those trying to keep all these proposals straight, the following round-up offers a quick cheat sheet to get a taste for the ideas and plans with the most momentum at this time.

1. Public Key Pinning
The idea behind key pinning is to give website operators more control over which certificate authorities can issue certificates for their servers.

"The one big problem is the fact that any one certificate authority can sign any certificate for any website in the world," says Ivan Ristic, director of engineering at Qualys. "That's an obvious loophole."

Ristic says he believes that public key pinning can help close that loophole. Currently in revisions within the Web Security Working Group of the Internet Engineering Task Force (IETF), the Public Key Pinning Extension for HTTP puts power in the hands of domain holders.

"It's a way for a website to choose three certificate authorities that you give permission to create certificates for your website," Ristic says. "The idea is that, rather than have any of the hundreds of certificate authorities create certificates, you say 'I'm going to pick these three' and then it sort of reduces the attack surface to a much smaller area."

Currently, Google Chrome uses a pilot version of key pinning that pops up warnings when users visit some well-known domains (including Google) that are signed by non-pinned CAs. In fact, some credit this early use of key pinning for sussing out fraudulent certs that portended the DigiNotar blow-up last year.

Read the rest of this article on Dark Reading.

InformationWeek is conducting a survey on information security and risk management. Upon completion of our survey, you will be eligible to enter a drawing to receive an 64-GB Apple iPad 2. Take our Alternative Strategic Security Survey now. Survey ends March 9.