ExpressVPN

Fix HTTPS by replacing certificates with a blockchain?

When you visit an HTTPS website (https://) your connection is secured using SSL/TSL encryption. In theory you can tell that the connection is secure by looking the little closed padlock in your browser’s URL bar, but how does your browser know to trust the connection?

The problem

A Man-in-the Middle (MitM) attack is a popular trick used by hackers (both criminal and government) to hijack a request for a website and initiate an insecure connection so that communications between your browser and the website can be spied upon. Viruses designed to attack browsers and DNS poisoning are two common ways of doing this.

https

HTTPS uses the X.509 Public Key Infrastructure (PKI), an asymmetric key encryption system where a website server presents a public key, which is decrypted using a browser’s private key. In order to ensure against a man-in-the middle attack X.509 uses use HTTPS Certificates – small data files that digitally bind a website’s public cryptographic key to an organization’s details.

An HTTPS Certificate is issued by a recognised Certificate Authority (CA) which certifies the ownership of a public key by the named subject of the certificate – acting in cryptographic terms as a trusted third party (TTP). If a website shows your browser a certificate from a recognised CA, your browser will determine a site to be genuine.

And this is where the problem lies…

There exist some 1200 CAs that can sign certificates for domains that will be accepted by almost any browser. Although becoming a CA involves undergoing many formalities (not just anyone can set themselves up as a CA!), they can be (and are) leaned on by governments (the biggest problem), intimidated by crooks, or hacked by criminals to issue false certificates.

If your bowser then visits a compromised website and is presented with what looks like a valid HTTPS certificate, it will initiate what it thinks is a secure connection, and will display a padlock in the URL. The scary thing is that only one of the 1200+ CAs need to have been compromised for your browser accept the connection. As this EFF article observes,

‘In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right. As currently implemented, the Web’s security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems.

A possible solution?

There are at present no generally recognised solutions to this problem, although the soon to be non-profit origination okTurtles Foundation has attracted some interest by suggesting the use of a blockchain, instead of certificates, to authenticate an HTTPS connection.

The blockchain is a public ledger invented by Satoshi Nakamoto to record bitcoin transactions on a distributed database. Every bitcoin transaction is recorded in the block chain and published to all ‘nodes’ in the network, and ownership of every bitcoin (or fraction of a bitcoin) can be verified by comparing it to the blockchain published on all the nodes. The beauty of this system is that it allows bitcoin spending and ownership to be reliably and securely recorded without any need for a trusted central authority.

okTurtles proposes using a similar decentralized blockchain ledger (based on the Bitcoin fork Namecoin, which unlike Bitcoin is designed to store to data within its blockchain) to guarantee the authenticity of a connection without the need to trust potentially unreliable Certificate Authorities.

Although the idea sounds promising, okTurtles has built upon an existing technology – DNS Chain which unfortunately has been roundly condemned by key Namecoin developers,

DNSChain is a DNS server that uses Namecoin as a backend, but compromises Namecoin’s security without any improvements to usability or legacy interoperability.  However, DNSChain’s faulty and grandiose claims have led to a frightening degree of interest and adoption.  The Namecoin blog is not the place to engage misguided projects but, as an official Namecoin developer, I feel compelled to speak out.

okTurtles is currently working on a browser extension that uses the technology to allow users to communicate securely on any website, and are apparently cooperating with big-name SmartDNS service UnBlockUs,

The developers of Unblock.us.org and DNSChain are teaming up to bring the anti-censorship features of Unblock.us into DNSChain. Each project benefits from the other: DNSChain ensures MITM-free communication and Unblock.us ensures that the communication passes through firewalls.

Both DNSChain and okTurtles are fully open source projects, and a detailed pdf overview of ‘DNSChain + okTurtles’ is available here. We await developments with interest…


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


2 responses to “Fix HTTPS by replacing certificates with a blockchain?

  1. Thanks for the writeup Douglas!

    FYI, we’ve addressed Zachary Lym’s concerns through documentation updates.

    DNSChain does in fact improve Namecoin’s usability because it makes it possible to securely access the Namecoin network (in a man-in-the-middle proof manner) without having to run your own node.

    True, you must trust the DNSChain server you’re using, however, if you don’t have access to such a server, you can simply query multiple independent servers. The more servers you query, the more you decrease the likelihood of a false answer. Even just querying two servers dramatically increases the likelihood that you will always receive accurate data.

    As far as their call for thin clients, we fully support that, and we compare DNSChain to Thin Clients here:

    https://github.com/okTurtles/dnschain/blob/master/docs/Comparison.md#thin-clients–light-clients

    Thanks for helping our project by writing about it. If you have any questions, you should now have my email.

    Kind regards,
    Greg Slepak
    Founder, okTurtles Foundation
    Developer, DNSChain

    1. Hi Greg,

      Thank you for your comments and clarifications. I love the idea behind okTurtles, and do hope the idea succeeds. I will be watching developments with interest, and if everything goes well you can definitely expect to hear from me in the future.

Leave a Reply

Your email address will not be published. Required fields are marked *