Time to say good-bye to CAs?
I have a long history of being uncomfortable with bodies that present themselves as self-proclaimed authorities, like a ‘Certification Authority’ (CA). Even for my email communications I have always favored PGP rather than trusting a so-called trusted third party to tell me whether I am talking to the right people. Such a trusted third party was never able to win over the suspicions I have regarding its legitimacy, the transparency of its operations and the measures it is taking to protect its CIA (unless they allow me to audit them).
Two recent posts, one regarding a ghost root CA in Firefox ( http://blogs.zdnet.com/security/?p=6016 ), and the second about the presence of a commercially available SSL-subverting appliance ( http://www.wired.com/threatlevel/2010/03/packet-forensics/ ), are viewed by me as the final straw on the back of the trust such CAs offer.
To me, when read together, the above-mentioned posts, coupled with a little bit of imagination, paint a rather scary and privacy-hostile picture, one where powerful bodies, state or non-state, can (or already do) exploit the inherent weaknesses in such a trust model for eavesdropping and monitoring our moves. Traditionally, this CA model is considered to provide reasonable protection against man-in-the-middle (MITM) attacks. The business model is straightforward: you pay those self-declared CAs a sum of money to tell your e-visitors that they are indeed visiting your website and not some rogue website. On the other hand, such assurance itself requires somewhat blind trust in the operation and motives of such CAs.
A worthy competitor of this centralized CA model is ‘Perspectives’, presented by the folks from Carnegie Mellon University. Details about Perspectives can be found at http://www.cs.cmu.edu/~perspectives/index.html. Perspectives uses an interesting but simple vantage-point technique to detect MITM attacks. After you install its extension, currently available for Firefox, and visit a website that presents a self-signed certificate, it contacts geographically distributed servers called ‘network notary servers’ to verify whether the public key you obtained from the visited site matches the key seen by those notary servers. In this simple way it can detect and notify you about the presence of a MITM while eliminating the need to invest money and trust in so-called CAs.
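The comparison described above can be sketched as follows. This is an added example, not code from Perspectives or from the original post; the notary names, the SHA-256 fingerprint and the 75% quorum threshold are assumptions made for illustration, and the keys are constructed sample bytes.

```python
import hashlib
from collections import Counter

# Constructed sample keys: stand-ins for DER-encoded public keys, not real ones.
SITE_KEY = b"constructed-site-public-key"
ROGUE_KEY = b"constructed-interceptor-public-key"

def key_fingerprint(public_key: bytes) -> str:
    """Fingerprint used for comparison (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(public_key).hexdigest()

def notary_verdict(client_fp, notary_reports, quorum=0.75):
    """Compare the key the client saw with what each notary saw.

    notary_reports maps a notary name to the fingerprint it observed, or to
    None when it did not answer or has no record for the site.
    Returns (verdict, sorted names of notaries that saw a different key).
    """
    answered = {n: fp for n, fp in notary_reports.items() if fp is not None}
    if not answered:
        return "no-data", []
    disagree = sorted(n for n, fp in answered.items() if fp != client_fp)
    agree = len(answered) - len(disagree)
    # Divide by every notary asked, so silent notaries lower confidence
    # instead of being ignored.
    total = len(notary_reports)
    if agree / total >= quorum:
        return "consistent", disagree
    # Notaries agreeing with each other on a *different* key means only the
    # client's network path sees this key: the pattern an interceptor leaves.
    top_fp, top_count = Counter(answered.values()).most_common(1)[0]
    if top_fp != client_fp and top_count / total >= quorum:
        return "possible-mitm", disagree
    return "inconclusive", disagree

def demo():
    good, bad = key_fingerprint(SITE_KEY), key_fingerprint(ROGUE_KEY)
    names = ["notary-a", "notary-b", "notary-c", "notary-d"]  # hypothetical
    all_good = dict.fromkeys(names, good)
    mixed = {"notary-a": good, "notary-b": good, "notary-c": bad, "notary-d": None}
    return [
        notary_verdict(good, all_good),   # every vantage point sees our key
        notary_verdict(bad, all_good),    # only we see the interceptor's key
        notary_verdict(good, mixed),      # too little agreement to decide
        notary_verdict(good, dict.fromkeys(names)),  # nobody answered
    ]

if __name__ == "__main__":
    for verdict, dissenters in demo():
        print(verdict, dissenters)
```

The "inconclusive" and "no-data" outcomes matter in practice: a client that treats missing notary answers as agreement can be silenced into accepting an intercepted key.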
Currently, only Carnegie Mellon is operating such notary servers, but I expect other bodies and universities to provide such services soon and keep the Internet an open platform as per its intended spirit.
In a nutshell, though no single solution is foolproof, ‘Perspectives’ gives hope to users who want to use self-signed certificates. However, when used in addition to the CA model, ‘Perspectives’ can definitely provide better protection and peace of mind, at least to me.
About this entry
You’re currently reading “Time to say good-bye to CAs?,” an entry on Kashif Sohail's Blog
- Published:
- April 9, 2010 / 4:04 pm
- Category:
- Information Warfare