Eight reasons why trust is broken online
What you need to know about commercial certificate authorities and why the SSL certificate system needs to be reformed, according to Miracl CEO Brian Spector
The recent row between Symantec and Google over rogue SSL certificates is just one of many incidents that have called into question the role of commercial certificate authorities as a single point of trust on the internet. Indeed, the incident highlighted one of a number of shortcomings undermining the role that certificate authorities are supposed to play in providing internet security.
I would argue that the system is broken, and needs to be replaced with something more secure. Here are the eight reasons why:
1. The technology is hopelessly outdated
Commercial certificate authorities are based on 1970s technology: public key infrastructure. We don't listen to cassette tapes, use walkie-talkies or dot-matrix printers any more, so why are we still relying on such outdated technology to communicate and do business securely online?
2. They are private enterprises, not public institutions
While many define themselves as 'trusted', this claim is generally unfounded and without authority. The only reason certificate authorities are trusted to police the internet is that they lobbied to have a public key embedded into the products of the major operating system and browser manufacturers. They are also not as global as the web itself. Just three US-based certificate authorities (Symantec, Comodo and GoDaddy) currently account for three-quarters of all issued certificates on public-facing web servers.
3. The green padlock is no guarantee of security
It's easy for criminals to exploit the padlock because it relies on a single point of compromise, and there is a long history of certificate authorities being hacked. In 2011, a malicious attacker that appeared to be the Iranian government managed to obtain supposedly secure digital certificates that could impersonate major websites, including Google, Yahoo and Skype. Fraudulent certificates also played an important role in the propagation of the Stuxnet worm, which was designed to attack centrifuges in Iran's uranium enrichment program.
4. Criminals know how to hack them
The vulnerabilities in the public-key infrastructure behind certificate authorities have been common knowledge for at least 15 years. That's the problem with using such an old system. Each hack only multiplies the problem, encouraging more attacks. The certification industry cannot be patched - the whole system needs to be overhauled.
5. Certificate authorities cannot properly identify who is applying for a certificate
Want a digital certificate? At the moment, any determined attacker can keep applying to the many different commercial certificate authorities until one with enough automated processes or lax controls issues a legitimate signing certificate. A recent Netcraft study found that in just one month, a major certificate authority issued hundreds of SSL certificates to deceptive domain names used in phishing attacks.
6. Names don't work any more
Certificates associate a public key with a name, but this isn't as useful as it sounds. When public key cryptography was first established, all the organisations with public keys were kept in a directory listing their name, address and public key. This might have been fine in 1976, but it is no longer viable given the sheer volume of online organisations today. In any case, names alone are an inadequate identifier given the number of websites in use today. In 1991 there was just one website on the internet. In 2014, there were 968,882,453.
7. Distributing trust is the way forward
If the root key used to generate your private key were split into several different parts, all of which were required to collectively re-issue your private key, then the root key as a single point of compromise would be eliminated. This is a 21st-century solution that could help protect the web, not the privileged businesses of a few corporations.
8. They are actually hurting the internet, not helping it
With certificate authorities, cloud computing can't scale to deliver benefits to businesses and users. But advances in pairing-based cryptography have paved the way for a new system, where certificate authorities can be replaced by distributed trust authorities. Using pairing-based cryptography, the functions of root-key generation servers will be split into three or more parts, with a third of each private key being issued to three distinct identities. By distributing trust between several parties, rogue people and practices can be self-governed, and the web can continue to grow and expand more securely.
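The key-splitting idea in points 7 and 8 can be shown in a few lines of Python. This is an added example, not code from the article or from Miracl: three hypothetical authorities each hold one additive share of a master secret, each issues a partial key for an identity, and only the product of all three equals the key a single root authority would have issued. It assumes a toy multiplicative group modulo a small prime in place of a pairing-friendly elliptic curve, and the function names and the sample identity are made up for the illustration.

```python
# Added illustration: n-of-n additive splitting of a master secret across three
# hypothetical distributed trust authorities. Toy group, not production crypto.
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime); far too small for real use
ORDER = P - 1    # exponents are reduced modulo the group order

def hash_to_group(identity: str) -> int:
    """Map an identity string to a non-zero group element (toy construction)."""
    digest = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(digest % P, 2, P) or 4

def split_master(master: int, parties: int = 3) -> list[int]:
    """Additively split `master` so that ALL shares are needed to rebuild it."""
    shares = [secrets.randbelow(ORDER) for _ in range(parties - 1)]
    shares.append((master - sum(shares)) % ORDER)
    return shares

def issue_key_share(master_share: int, identity: str) -> int:
    """One authority acting alone: H(ID)^share. It never sees the other shares."""
    return pow(hash_to_group(identity), master_share, P)

def combine(key_shares: list[int]) -> int:
    """Client side: multiply the partial keys to obtain H(ID)^master."""
    key = 1
    for part in key_shares:
        key = key * part % P
    return key

def demo(identity: str = "alice@example.com"):
    """Return (all three shares rebuild the key, two shares rebuild the key)."""
    master = secrets.randbelow(ORDER)
    shares = split_master(master)
    reference = pow(hash_to_group(identity), master, P)  # single-root result
    full = combine([issue_key_share(s, identity) for s in shares])
    partial = combine([issue_key_share(s, identity) for s in shares[:2]])
    return full == reference, partial == reference

if __name__ == "__main__":
    print(demo())
```

Because the split is n-of-n, compromising one or two authorities yields partial keys that do not combine into a valid client key; the trade-off is that every authority must be available for issuance.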
Brian Spector is CEO at Miracl, formerly Certivox, a company offering strong authentication security technology