Is Convergence really solving the SSL problem?

At DEFCON 2011, Moxie Marlinspike presented a possible solution to the “big SSL problem”: Convergence, a clever way to remove the need of certificate authorities. But is it really going to solve it?

Let’s step back a little. We all know that SSL is kind of broken because of the need to rely on certificate authorities. Moxie himself has a great blog post on the subject. In a word, we don’t want to pay certificate authorities, we have too many of them (up to 70 in recent browsers/OS), we can’t really trust all of them, and we don’t have an easy way to revoke trust in the certificates they issue.

Convergence starts from the idea that it would be really great to avoid CAs altogether and use self-signed certificates, but self-signed certificates are vulnerable to man-in-the-middle (MITM) attacks. So the clever idea is noting that MITM is a local attack: it’s either someone next to you drinking a coffee at Starbucks, or someone that hacked your ISP’s DNS, or maybe someone working for a corrupted government that’s hijacking traffic at the BGP level. It’s unrealistic that the same MITM attack can affect you, someone in Iceland, someone in China, someone in West Virgina, and someone in Italy at the same time, right? And that’s what Convergence exploits: it gives you a way to compare SSL certificates fetched from the website you want to visit from many different servers in the world, called “notaries”. If they all match, a MITM attack is impossible, and you can trust the self-signed certificate and proceed logging in into your bank. Right?

Wrong. Because you know what else self-signed certificates are vulnerable too, in addition to MITM? Lies. And you know who lies? A phisher. So if a phisher registers bankoffamerica.com (pay attention to the typo!) and self-signs the website with a SSL certificate saying that the organization behind the website really is Bank of America Corporation incorporated in Delaware, all notaries will report that the certificate is exactly the same as fetched from different parts of the world, and you will get absolutely no warning.

And what is worse is that you will lose any EV indication while browsing with Convergence, since Convergence simply does not currently support any way to validate the identity of the website. As Moxie himself says, “Convergence does not enable EV for self-signed certs. It is concerned with authenticity, not identity”.

So to clarify: if you start browsing today with Convergence (and assuming you get a good set of notaries to bootstrap), you get the following effects:

You will be immune to MITM attacks with rogue certificates, like in the current Diginotar’s debacle. The CA list in your browser will be effectively ignored. You will stop seeing any information from EV certificates (identities of the sites your browse).

I personally don’t consider this a good compromise. It might be that I don’t live in China or Iran, but MITM attacks are an order of magnitude less common than phishing attacks, and people are slowly learning to trust EV certificates when browsing the Internet. It’s true that EV SSL certificates could be forged as well, I don’t dispute that. But right now with Convergence, I’m going to trade a simple protection against a common set of attacks with a good protection against a rare set of attacks.

I reached Moxie with these concerns, and he clarified that, technically speaking, Convergence could be enhanced to check for existing EV SSL certificates (through a custom notary), but that he doesn’t see EV certificates as solving any real problem nowadays. I beg to disagree: I don’t like EV per-se as well, but I think the identity problem is still something that must be solved on the Internet, and it’s probably even more important than solving the MITM problem.

Given that the number of websites which are targets of phishing attacks are relatively small because it’s mainly a group of high-profile sites (banks, web mails, social networks, etc.), and given that SSL certificates do not change so often (usually no more than once in a year for a high-profile website), there must be a way to conceive a global list of validated certificates for which an identity can be certified, even through a crowd-sourced mechanism. It has to be simpler than what GPG attempts to do with key-signing parties, because we don’t need to certify the identity of Mr John Green that you never met before, plus other 1 billion people; you just need to certify that Google is Google and PayPal is Paypal, for a one thousand of high profile websites. If you ask 10 people in 10 different countries to give you the SSL fingerprint for “Google, Inc.”, and you get 10 identical fingerprints, you can be 100% sure that the certificate you get is really for “Google, Inc.”. And if Google commits to use the same certificate for the next 3 months, you could globally cache this information, and distribute it to web users through notaries in a way that their address bar says “This is a certified Google Inc. website”. Or, in other words, “This is the same Google Inc. website that 1 million of people have visited in the last 2 hours, and 100 millions in the last 24 hours”.

If Convergence could be augmented to do something similar, I think we would be getting closer to the final solution of the SSL problem.