When you visit an HTTPS website (https://) your connection is secured using SSL/TLS encryption. In theory you can tell that the connection is secure by looking at the little closed padlock in your browser’s URL bar, but how does your browser know to trust the connection?
A Man-in-the-Middle (MitM) attack is a popular trick used by hackers (both criminal and government) to hijack a request for a website and initiate an insecure connection so that communications between your browser and the website can be spied upon. Viruses designed to attack browsers and DNS poisoning are two common ways of doing this.
HTTPS uses the X.509 Public Key Infrastructure (PKI), an asymmetric key encryption system where a website server presents a public key, which is decrypted using a browser’s private key. In order to ensure against a man-in-the-middle attack, X.509 uses HTTPS Certificates – small data files that digitally bind a website’s public cryptographic key to an organization’s details.
An HTTPS Certificate is issued by a recognised Certificate Authority (CA) which certifies the ownership of a public key by the named subject of the certificate – acting in cryptographic terms as a trusted third party (TTP). If a website shows your browser a certificate from a recognised CA, your browser will determine a site to be genuine.
And this is where the problem lies…
There exist some 1200 CAs that can sign certificates for domains that will be accepted by almost any browser. Although becoming a CA involves undergoing many formalities (not just anyone can set themselves up as a CA!), they can be (and are) leaned on by governments (the biggest problem), intimidated by crooks, or hacked by criminals to issue false certificates.
If your browser then visits a compromised website and is presented with what looks like a valid HTTPS certificate, it will initiate what it thinks is a secure connection, and will display a padlock in the URL bar. The scary thing is that only one of the 1200+ CAs needs to have been compromised for your browser to accept the connection. As this EFF article observes,
‘In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right. As currently implemented, the Web’s security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems.’
A possible solution?
There are at present no generally recognised solutions to this problem, although the soon-to-be non-profit organization okTurtles Foundation has attracted some interest by suggesting the use of a blockchain, instead of certificates, to authenticate an HTTPS connection.
The blockchain is a public ledger invented by Satoshi Nakamoto to record bitcoin transactions on a distributed database. Every bitcoin transaction is recorded in the blockchain and published to all ‘nodes’ in the network, and ownership of every bitcoin (or fraction of a bitcoin) can be verified by comparing it to the blockchain published on all the nodes. The beauty of this system is that it allows bitcoin spending and ownership to be reliably and securely recorded without any need for a trusted central authority.
okTurtles proposes using a similar decentralized blockchain ledger (based on the Bitcoin fork Namecoin, which unlike Bitcoin is designed to store data within its blockchain) to guarantee the authenticity of a connection without the need to trust potentially unreliable Certificate Authorities.
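The difference between the two trust decisions can be sketched in a few lines. This is an added example, not code from okTurtles, DNSChain or Namecoin: the record layout, the CA names, the domain example.test and the "certificate" bytes are all constructed, and signature checking is reduced to issuer membership.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed stand-ins: 1200 trusted CA names and two "certificates" for one site.
TRUSTED_CAS = {f"CA-{n}" for n in range(1, 1201)}
GENUINE = {"subject": "example.test", "issuer": "CA-17", "der": b"constructed key A"}
ROGUE = {"subject": "example.test", "issuer": "CA-903", "der": b"constructed key B"}

def fingerprint(cert):
    return hashlib.sha256(cert["der"]).hexdigest()

def ca_model_accepts(cert):
    # Signature checking is reduced to issuer membership: any trusted CA will do.
    return cert["issuer"] in TRUSTED_CAS

def block_hash(prev, name, fp):
    body = json.dumps({"prev": prev, "name": name, "fp": fp}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_ledger(records):
    ledger, prev = [], GENESIS
    for name, fp in records:
        block = {"prev": prev, "name": name, "fp": fp, "hash": block_hash(prev, name, fp)}
        ledger.append(block)
        prev = block["hash"]
    return ledger

def ledger_is_intact(ledger):
    # Each block must point at its predecessor and hash to its own contents.
    prev = GENESIS
    for b in ledger:
        if b["prev"] != prev or b["hash"] != block_hash(b["prev"], b["name"], b["fp"]):
            return False
        prev = b["hash"]
    return True

def ledger_model_accepts(ledger, cert):
    # Accept only the fingerprint in the newest record for this name.
    if not ledger_is_intact(ledger):
        return False
    recorded = None
    for b in ledger:
        if b["name"] == cert["subject"]:
            recorded = b["fp"]
    return recorded is not None and recorded == fingerprint(cert)

if __name__ == "__main__":
    ledger = build_ledger([("example.test", fingerprint(GENUINE))])
    for label, cert in (("genuine", GENUINE), ("rogue", ROGUE)):
        print(label, "CA model:", ca_model_accepts(cert),
              "ledger model:", ledger_model_accepts(ledger, cert))
```

The hash chain here only makes edits to recorded entries detectable; agreement on which chain is the real one comes from the network's consensus, which this sketch does not model.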
‘DNSChain is a DNS server that uses Namecoin as a backend, but compromises Namecoin’s security without any improvements to usability or legacy interoperability. However, DNSChain’s faulty and grandiose claims have led to a frightening degree of interest and adoption. The Namecoin blog is not the place to engage misguided projects but, as an official Namecoin developer, I feel compelled to speak out.’
okTurtles is currently working on a browser extension that uses the technology to allow users to communicate securely on any website, and is apparently cooperating with big-name SmartDNS service UnBlockUs,
‘The developers of Unblock.us.org and DNSChain are teaming up to bring the anti-censorship features of Unblock.us into DNSChain. Each project benefits from the other: DNSChain ensures MITM-free communication and Unblock.us ensures that the communication passes through firewalls.’