Security pro calls for replacement of digital certificate standard

Dan Kaminsky calls for implementation of the Domain Name System Security Extensions to provide adequate level of security

LAS VEGAS—The Secure Sockets Layer (SSL) protocol is broken and security researcher Dan Kaminsky is working with vendors and security experts to help get the system patched up until a replacement scheme can be put into place.

More news from the Black Hat Briefings:

Microsoft calls for united front in war against malware, hackers

Microsoft progam to help quantify costs, risks, returns of patch management

New tool could help computer forensics move off the disk and into memory

New weapon revealed for defense against zero-day attacks

SSL is a scheme using the X.509 standard for digital certificates to secure Internet connections for online transactions. But after a decade of implementation, digital certificates still are not providing an adequate level of assurance, Kaminsky said Wednesday at the Black Hat Briefings security conference. He also demonstrated a number of exploits SSL that could be used to break down the secure connections.

“We’ve been trying to get it done for 10 years, and it just isn’t working,” Kaminsky said. “The majority of [online] attacks happen because servers don’t know who they are talking to.”

The problem is the underlying X.509 technology, according to Kaminsky. He has spent the past several months looking into it, and he has concluded that it does not support a robust, scalable and dependable structure.

“Pretty much every corner we looked at in X.509, we found ugliness,” he said. “It is remarkably fragile. There are a lot of ambiguities in a technology that ought not to be ambiguous.”

Kaminsky has been working with vendors who implement X.509 technology in their products, such as Open SSL, Netscape and Microsoft, to patch and “paper over” the problems until a more permanent solution can be put into place. His goal is to replace X.509 with a scheme built on a secure Domain Name System (DNS).

“We have to start over,” he said. “The way to do this seems to be through the DNSSEC [DNS Security Extensions] track.”

Kaminsky gained attention last summer with the discovery of a flaw in the DNS protocols that underlie most Internet activity. He succeeded in getting industry support for a quick fix for that problem until a more permanent solution, DNSSEC, could be implemented. Full DNSSEC deployment still is several years away, but Kaminsky still is a believer in DNS as the basis for cryptographically signing digital certificates and making keys available for authenticating clients and servers for SSL.

Despite its flaws, DNS has scaled well and worked reliably for the last 25 years as the technology for directing Internet traffic to the proper addresses. Kaminsky sees it as the obvious seed for a trust chain of authentication.

“Let’s get cryptographic keys from it,” he urged.

In the meantime, he said vendors are cooperating in the effort to fix the X.509 flaws in the short term.

“We have some lead time on this, as far as we know,” he said. “We have a chance to fix a problem now, before it blows up in our faces.”

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.