Laurie: Improving SSL certificate security

Actual security is provided through PGP encryption/signing of the files being transfered. The protocols used to transfer the files are not trusted.

How do you replace a stolen private-key and how do you communicate this to the users ?

All of your questions so far are a great example of "what if?" scenarios that sound great on paper, but in all cases, if you actually go out and run the system in a real-life operational setting, you'll find that in practice the problems that SSL certificates successfully solve aren't really big problems in production, and the problems that SSL certificates fail badly to solve are exactly the problems that really matter.

And once again, it's not legitimate to ask this question without also asking the same question of the status quo, and comparing the two answers. Under the existing SSL system, a stolen private key is at least as large a problem as it is in SSH. In theory, the SSL specification contains a key revocation mechanism, but as the Comodo attack itself demonstrates, this mechanism is utterly useless in practice. The latter is yet another example of the disconnect between theory and practice that pervades the broken SSL standard.

I am a professional cryptographer. I publish cryptography papers as part of my career. My position on this issue is not very popular among cryptographers, most of whom are great theoreticians but terrible practicians. Human factors alone imply that the idea of certificates is always going to be totally unworkable on the public internet. There is no minor tweak that can fix the SSL certificate system. The only viable approach is to scrap the system entirely. You can perhaps see why my position is unpopular, since I am basically pointing out that the last twenty years of research and investment in PKI is completely worthless and cannot be salvaged.

Also how do make this model backwardcompatible, in the old model most keys or atleast certificates are replaced every year.

Backward compatibility only affects web browsers, not servers: my proposal requires eliminating certificate authorities, so that servers no longer have certificates, and it is not possible for a server to both have a certificate and to not have a certificate. Anything short of complete elimination of certificate authorities does not represent progress, since a security system is only as strong as its weakest link, and certificate authorities are the weakest link.

For web browsers, a limited form of backward compatibility is easy to implement. When connecting to a server that offers a valid certificate, cache the certificate authority instead of the key. Even if the key changes legitimately, the CA almost always remains constant during legitimate key changes. This allows web browsers to deploy cache-and-compare without affecting existing certificates. Eventually, when almost all web browsers support cache-and-compare, servers can switch away from certificates. Finally, once all servers stop using certificates, the web browsers can delete certificate support. This strategy accomplishes the transition in three mutually compatible stages.

More generally, it is important to examine and understand the hidden assumptions underlying your question. The reason why certificates are replaced with high frequency in the current model is because the certificate authorities earn more money with frequent turnover: with short expiration dates, they generate more certificates in a given amount of time. By eliminating the certificate authorities, you also simultaneously eliminate the financial incentive for frequent key turnover. Backward compatibility in the sense that you describe is only necessary as a temporary transitional measure, since it is the current system itself that creates the need for frequent key replacement, and I am proposing to eliminate the current system.

Your system is not quite the same as what I propose, since your system depends on asking the user to explicitly set trust levels. Your system is analogous to PGP/GnuPG. Well, PGP/GnuPG is a failure in the marketplace. Most of our email is still unencrypted. Contrast this with SSH, which has succeeded in eliminating telnet -- most remote logins are encrypted.

SSH is the only cryptographic protocol in human history that has achieved marketplace dominance over its corresponding unencrypted version. We should pay attention to the things that SSH does right.

In the SSH system, trust levels, by default, are determined by one and only one question: "Is this key the same as the key that I was given before?" Advanced users can do things differently, by manually editing the known_hosts file, but the default mode of operation is what I described.

Your proposal requires user training to interpret trust levels. Your proposal requires user action to set trust levels. Based on all available evidence so far, any cryptographic protocol that requires even minimal user participation will not succeed, in the sense above (namely, it will not completely eliminate the corresponding unsecured protocol). A security program needs to have safe, usable, automatic defaults. It is worth compromising some security in order to increase usability or decrease the amount of user input. Advanced users will figure out how to recapture the lost security, so they lose nothing. Unskilled users gain the ability to use the program, and thus even with the compromise are more secure than they were before; without safe, automatic defaults, unskilled users would have no security.

A web of trust is terrible in practice. PKI is terrible in practice. These concepts should be optional elements of the standard, for advanced users to deploy if they wish. The default behavior for novice users must be, and can only be: 1. On first use, cache the key and trust it. 2. Trust all previously cached keys. 3. Hard stop when encountering untrusted keys.

[djao@laptop:~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 76:27:d1:f3:a5:71:75:61:7b:b5:94:ce:f4:d9:81:20.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[djao@laptop:~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 76:27:d1:f3:a5:71:75:61:7b:b5:94:ce:f4:d9:81:20.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Last login: Fri Apr  1 12:19:11 2011 from laptop.dominia.org
[djao@laptop:~]$ exit
logout
Connection to localhost closed.

[djao@laptop:~]$ ssh localhost
Last login: Sun Apr 10 17:30:37 2011 from laptop.dominia.org
[djao@laptop:~]$ 

[djao@laptop:~]$ ssh iso
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
76:27:d1:f3:a5:71:75:61:7b:b5:94:ce:f4:d9:81:20.
Please contact your system administrator.
Add correct host key in /home/djao/.ssh/known_hosts to get rid of this message.
Offending key in /home/djao/.ssh/known_hosts:275
RSA host key for isomorphism.org has changed and you have requested strict checking.
Host key verification failed.
[djao@laptop:~]$