Convergence vs. DNSSEC
Remember the Comodo certificate scandal from earlier this year (see our blog entry on same)? The Comodo Certificate Authority tried to suggest that it was penetrated by a nation-state with impressive resources. In reality, the perpetrator was a quirky young Iranian man (or teen) wielding simple hacking skills and a nose for juicy targets. He’s become known as the “Comodohacker” and he’s been busy hacking other CAs. He recently hacked Dutch CA “DigiNotar” and issued himself dozens of interesting certificates including:
- *.google.com
- www.mossad.gov.il - the Mossad
- www.cia.gov - the CIA
- www.twitter.com
- www.facebook.com
- *.*.com – nice!
Unlike Comodo, which at least made the correct disclosures after being hacked, DigiNotar fumbled by failing to disclose the extent of the breach and did not release the full list of rogue certificates. Later, some of the rogue certificates were found being used in the wild. The resulting backlash led to DigiNotar being delisted from the major browsers’ trust stores and finally declaring bankruptcy. Mozilla has a nice write-up about their delisting decision here. Perhaps they were miffed because one of the compromised domains was their own addons.mozilla.org.
In his recent talk, SSL and the Future of Authenticity [youtube], security rock star Moxie Marlinspike shows how thoroughly the Comodo hack eroded confidence in the CA system (the talk is now making the rounds at a security conference near you). Moxie was so disgusted with the situation that he introduced a new technology, called Convergence, at DEFCON 19 this year. Convergence gives each user the ability to stop trusting any particular CA at any time. If you’ve seen the talk, you walk away thinking “Game-Changer!” Certificate Authorities should be very afraid: their infrastructure is under attack by a quirky Iranian hacker and their business model is threatened by the talented visionary, Moxie.
On the other hand… there is an opposing new technology that, if implemented properly, has the power to let sites anchor their identity in their own domain names: DNSSEC. [Disclaimer: F5 ships a world-class DNSSEC implementation that is fronting TLDs right now]. If you are familiar with DNSSEC, you might know its most vocal champion, security luminary Dan Kaminsky. He’s been giving a series of excellent talks about how DNSSEC is finally going to make the internet secure for your parents so that they don’t get phished so often. Here’s a series of interviews with Kaminsky by F5 Networks’ very own Pete Silva.
Convergence vs. DNSSEC. Moxie vs. Kaminsky.
Following the DigiNotar breach, Moxie and Kaminsky, who both presented at DEFCON 19 (of course), had an engaging Twitter war. Revolutionary Moxie is clearly on the offensive against DNSSEC. His issue is that DNSSEC exacerbates reliance on unreliable Certificate Authorities by making them “official.”
Moxie: “If you think it’s nice that you can remove the DigiNotar CA, imagine a world where you couldn’t, and they knew you couldn’t. That's DNSSEC.”
Kaminsky: “Look, it’s about *responsibility*. If .com or .org really messes up, you can leave them. It sucks, but you can.”
Moxie: “I didn’t think the DNSSEC camp was actually that delusional. What about the people who have already built their business on a URL? Can I quote you on this? DNSSEC is better than the CA system, because we can abandon our URLs if we want?”
Kaminsky: “DNS is our best distributed exclusive namespace. It may even be the best possible. It can never be perfect.”
Who will win, Marlinspike or Kaminsky? There’s already HUGE momentum for DNSSEC. The Certificate Authorities have to clean up their act though, otherwise this will be a huge opportunity wasted. On the populist side, Convergence might be used to help oppressed people communicate with sympathizers outside their country, the same way that Moxie’s other software initiatives (WhisperCore) were used during the Arab Spring.
In a previous post, I tried to draw a parallel. The Fukushima reactor meltdown came at the worst possible time for the nuclear reactor industry, which was on the verge of making a comeback. The comeback is toast.
In the same way, the Security Industry is on the verge of making a giant leap forward with DNSSEC, but will the complacency of the Certificate Authorities create a meltdown that will undo it all?