Security Experts:

Convergence Replacement Throwdown! DANE vs. TACK vs. CT

The world relies on SSL. It has become the de facto encryption protocol not just for Internet commerce, but commerce in the real world, as well (Uber, Airbnb). The Edward Snowden documents have increased awareness about encryption, resulting in a “bumper year for SSL” according to the latest Netcraft survey, which shows that SSL usage has increased 20 percent YoY and 50 percent among the world’s busiest sites. Additionally, in 2015, the Electronic Frontier Foundation (and its sponsors) will launch a free service called Let’s Encrypt that will enable all websites to move to SSL.

Yet, the very basic question of website authenticity (that is, “Is this really the site my browser thinks it is?”) is still only just barely solved by SSL. Since its inception, SSL has been plagued by the “man-in-the-middle” (MiTM) attack, and in the past the twenty years, only slight progress has been made toward properly defending against it.

A watershed moment happened in 2011, when an Iranian attacker breached the Dutch Certificate Authority (CA) DigiNotar. The attacker was able to issue certificates for the world’s busiest websites, including Google, Microsoft, and Facebook. Using these certificates, he was able to intercept traffic destined to these sites with a working MiTM attack. The public relations chaos that ensued from that breach was ultimately too much for DigiNotar, and the company imploded, leaving the Dutch government stalled for days.

SSL Certificates

Convergence

The DigiNotar incident led security experts to call for a replacement of the authenticity component of the SSL protocol. One of the loudest voices in the effort to replace the existing system came from famed hacker Moxie Marlinspike. He proposed a distributed system called Convergence. With Convergence, third-party public servers called “notaries” would act as remote observers to detect MiTM attacks. Not only did Marlinspike propose the system, he released the browser plugin and the source code to make it all happen.

Convergence was received with enthusiasm at the Defcon 19 hacker convention—in part due to Marlinspike’s passionate and inspiring presentation. In the weeks after its debut, Convergence generated much discussion, but ultimately it failed to reach wide-spread deployment. The same technical glitches that plagued SSL were biting Convergence as well. Captive portals at hotels, airports, and coffee shops were confounding the plugin. Global server load balancing for big sites created inconsistent telemetry for the observers. Ryan M. Hurst, the former CTO of GlobalSign, the number three CA in market share, explains: “Beyond the technical limitations, there were also limited incentives for notaries to build and scale infrastructure to support it.” Ultimately there were too many moving parts to Convergence, and low-level protocol support for observers.

DANE

Since Convergence, a number of technologies have competed for the mindshare of users interested in solving the MiTM problem. One of the first was the DNS-based Authentication of Named Entities (DANE) protocol. DANE provides certificate authenticity by pinning the SSL session to the certificate embedded in the secure version of the domain name system (DNSSEC). On its surface, DANE feels like a near perfect solution, because it solves the MITM problem, not just for SSL but for all other protocols as well, and it uses the existing naming structure as its foundation. But DANE has political problems. Because DANE relies on DNSSEC, it centralizes authentication for over 760 top-level domains such as .us, .io, .cn, .il, and others under the sovereignty of each of those respective governments. And many of those governments do not trust each other (nor do their own citizens necessarily trust them either). Were DANE to be adopted, the mistrust would likely lead to a bifurcation of the Internet, as the U.S. and China would run their own copies of all the name servers resolving to their own instances of sites. Thus, the political situation is slowing adoption of DNSSEC and DANE.

TACK

Another technological replacement proposal is an SSL extension called TACK. TACK “pins” a certificate to a domain name in the same way that SSH public keys are cached and pinned to particular targets. TACK was proposed by Marlinspike a year after Convergence launched. It was a purely technological solution that required no additional trusted third parties and thus sidestepped the incentive problem that Convergence had.  The downside, however, was that TACK would require protocol changes for both the server and the client side of any SSL transaction. “Many organizations loathe touching all their servers; it’s honestly easier to touch clients today due to auto-update, which is both sad and a little surprising,” says Hurst. As a result, TACK has not seen adoption in any popular browser or webserver.

And your trusted third party is … Google

The newest attempt to solve the MiTM problem is Google’s “Certificate Transparency” (CT) project. This project is basically Convergence all over again, but in this scheme, the trusted third party is Google. Google has a plan to require support for CT for all extended-validation (EV) certificates by February of 2015.

Will Google’s CT succeed where Convergence, DANE and TACK all failed?

Google certainly has technology on its side. It owns the world’s most popular website (google.com), browser (Chrome), and operating system (Android). But technology is only part of the solution for MiTM attacks. While DANE offers the ultimate technological solution, it’s failing because of the specter of state surveillance. Additionally, CT relies on a single trusted third party, Google, which is already the company that many people love to hate. In theory, other companies could participate in CT but, again, what is the incentive for them to do so?

Back to the Beginning

So far, each failed solution (Convergence, DANE, TACK) has not yet undermined confidence in the overall system among your everyday consumer. And although projects like ‘Let’s Encrypt’ show that the world is still moving toward an SSL Everywhere model, security professionals still get nervous when they think about these problems. Even so, something must be done, and some organization must be trusted. Hurst states:

It is easy for us to forget that today 60% of the world’s population does not yet have access to the Internet… As these users come online, their governments (and criminal enterprises) will increasingly see the Internet as borderless rich source of information. It is important we deploy the tools today so that we can protect the Internet users of tomorrow.

A few years from now, when 80 percent of websites use SSL, and the Google CT project has had time to operate, we’ll have a better idea if the MiTM problem highlighted by Convergence can be fixed. But as these projects get off the ground, their champions should take note of all the failed attempts and be wary about trumpeting success prematurely.

view counter
David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.