SecurityWeek recently published my article, “Convergence replacement throwdown: DANE vs TACK vs CT,” that compared three possible replacements for the certificate-authority monitoring system “Convergence.” One interesting comment came in after the piece was submitted and I wanted to capture it here. I had reached out to Ivan Ristic, of Qualys’ SSLLabs and the SSL Pulse project, to see if he had any commentary on Convergence. Here’s what Ivan had to say:
“…Qualys sponsored Convergence with 4 servers. We were in the default installation.
I don't know if Convergence would have succeeded, but it failed because the developers lost interest and stopped updating the Firefox plugin. It [the plugin] got broken by a change in Firefox, never to work again.
Eventually, we pulled the plug on the servers.“
I’m charitably assuming that the Convergence developers “lost interest” because they realized that Convergence, as it was designed, couldn’t work in the real world due to some of the issues that the SecurityWeek article talks about.
But think about this for a second: one of the major headaches of writing browser plugins was that, because the browser technology evolves so fast, the plugin developers had to do a lot of maintenance work just to keep their plugins functioning release-to-release, often with zero value-add to the plugin itself. Google Chrome has recently announced that they are dropping support for plugins because people have stopped using them. The Google Earth plugin, for example, has dropped from nearly 10% to 0.1% usage in the last year.
The lack of an accessible plugin API means we aren’t going to see another plugin-based system like Convergence. If there is a client component to the observable certificate authority universe, it will have to be built into the browsers themselves. Which is exactly what’s going to happen with the Certificate Transparency project.