09:54 AM

5 Schemes For Redeeming Trust In SSL

Web authentication is clearly flawed, but SSL and certificate authorities aren't going away. Here's a guide to the leading proposals to fix the problems.

While many pundits would agree the SSL and certificate authority (CA) trust model has some serious flaws, the ubiquitous protocol isn't going anywhere anytime soon. As a result, various members of the security community have dreamed up a number of different solutions to "fix" SSL--primarily by making adjustments to how public keys and certificates are created and processed in order to better secure users' Web experiences.

Some ideas look similar, others are mutually exclusive, and each has its own pros and cons. For those trying to keep all these proposals straight, the following round-up offers a quick cheat sheet to get a taste for the ideas and plans with the most momentum at this time.

1. Public Key Pinning
The idea behind key pinning is to give website operators more control over which certificate authorities can issue certificates for their servers. Rather than trusting every CA in the browser's root store equally, the site declares which public keys (its own, or those of the CAs it actually uses) must appear in the certificate chain, and a client that has seen that declaration rejects any chain containing none of them, even if the chain otherwise validates.

"The one big problem is the fact that any one certificate authority can sign any certificate for any website in the world," says Ivan Ristic, director of engineering at Qualys. "That's an obvious loophole."

Ristic says he believes that public key pinning can help close that loophole. Currently in revisions within the Web Security (websec) Working Group of the Internet Engineering Task Force (IETF), the Public Key Pinning Extension for HTTP puts that power in the hands of domain holders.

"It's a way for a website to choose three certificate authorities that you give permission to create certificates for your website," Ristic says. "The idea is that, rather than have any of the hundreds of certificate authorities create certificates, you say 'I'm going to pick these three' and then it sort of reduces the attack surface to a much smaller area."

Currently, Google Chrome ships a pilot version of key pinning: a list of pins built into the browser for some well-known domains (including Google's own), with Chrome raising a certificate error when a connection to one of those sites presents a chain signed by a non-pinned CA. In fact, it was this built-in pinning that tripped on the fraudulent *.google.com certificate that revealed the DigiNotar compromise last year, a chain that an ordinary validity check accepted.
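As an added example, not code from the article, from Qualys or from the IETF draft, the following stand-alone Python (standard library only) implements the check a pinning-aware client performs. It assumes the pin format the draft went on to publish as RFC 7469: each pin is the base64 SHA-256 of a DER-encoded SubjectPublicKeyInfo, delivered in a Public-Key-Pins header, and a connection passes when any certificate in the already-validated chain carries a pinned key. The certificates it checks are constructed, unsigned stand-ins built with a tiny DER encoder so the example runs offline; the helper names are mine.

```python
"""HPKP-style public-key pinning check, standard library only (added example)."""
import base64
import hashlib

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf: bytes, off: int = 0):
    """Decode the TLV at buf[off]; return (tag, content, raw_tlv, next_off)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nbytes = first & 0x7F
        n = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + n
    return tag, buf[start:end], buf[off:end], end

def der_children(content: bytes):
    """Yield (tag, content, raw_tlv) for each element inside a SEQUENCE body."""
    off = 0
    while off < len(content):
        tag, body, raw, off = der_read(content, off)
        yield tag, body, raw

def spki_from_certificate(cert_der: bytes) -> bytes:
    """Raw DER SubjectPublicKeyInfo TLV of an X.509 certificate. Layout (RFC 5280):
    Certificate{ tbsCertificate, sigAlg, sig }; TBS{ [0] version OPTIONAL, serial,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _, _ = der_read(cert_der)
    _, tbs_body, _ = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:            # explicit [0] version tag present
        fields = fields[1:]
    return fields[5][2]                 # serial, sig, issuer, validity, subject, SPKI

def pin_sha256(spki_der: bytes) -> str:
    """Pin value as RFC 7469 defines it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins_header(value: str):
    """Parse a Public-Key-Pins header value into (pin_set, max_age, include_subdomains)."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub

def chain_matches_pins(chain_der, pins) -> bool:
    """Pass if ANY certificate in the (already validated) chain carries a pinned key."""
    return any(pin_sha256(spki_from_certificate(c)) in pins for c in chain_der)

# --- Constructed sample data: toy, unsigned certificates, not real ones ------
def toy_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo with the rsaEncryption OID and a fake key BIT STRING."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101"))
                     + der_encode(0x05, b""))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))

def toy_certificate(spki: bytes) -> bytes:
    """Structurally valid X.509 DER wrapped around the given SPKI (no real signature)."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))                   # v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    name = der_encode(0x30, b"")                                            # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"120101000000Z") * 2)
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00"))

SITE_KEY = toy_spki(b"\x01" * 32)     # key the operator pins (its CA's, or its own)
BACKUP_KEY = toy_spki(b"\x02" * 32)   # offline backup pin the spec requires
ROGUE_KEY = toy_spki(b"\x03" * 32)    # key behind a cert a non-pinned CA mis-issued
PKP_HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (pin_sha256(SITE_KEY), pin_sha256(BACKUP_KEY)))

def demo():
    """Return (legit_chain_passes, rogue_chain_passes)."""
    pins, _, _ = parse_pins_header(PKP_HEADER)
    return (chain_matches_pins([toy_certificate(SITE_KEY)], pins),
            chain_matches_pins([toy_certificate(ROGUE_KEY)], pins))

if __name__ == "__main__":
    print(demo())   # (True, False)
```

Because a pin names a key rather than a certificate, pinning a CA's intermediate key gives the "pick these three CAs" effect Ristic describes, while pinning your own leaf key is stricter still. The second pin in the sample header is the backup the spec requires: a key held offline, so that losing or rotating the live key does not lock returning users out for the whole max-age period. The check runs only after ordinary chain validation; it narrows who can issue for you, it does not replace the CA system.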

Read the rest of this article on Dark Reading.

