Researchers propose TLS extension to detect rogue SSL certificates
TACK TLS extension combines public key pinning with self-generated keys to validate SSL certificates
IDG News Service - A pair of security researchers have proposed an extension to the Transport Layer Security (TLS) protocol that would allow browsers to detect and block fraudulently issued SSL certificates.
Called TACK, short for Trust Assertions for Certificate Keys, the extension was developed by security researchers Trevor Perrin and Moxie Marlinspike and was submitted for consideration to the Internet Engineering Task Force (IETF), the body in charge of TLS, on Wednesday.
TACK tries to resolve the trust-related problems with the public key infrastructure that were highlighted by last year's security breaches at certificate authorities (CAs) Comodo and Diginotar.
Both of those breaches resulted in SSL certificates for high profile domains like google.com, hotmail.com or mail.yahoo.com, being issued fraudulently. In Diginotar's case, the certificates were even employed in active attacks against Google users in Iran.
At the moment, Web browsers trust over 600 organizations from around the world to issue SSL certificates. These organizations are known as certificate authorities and every one of them can technically issue a valid certificate for any domain on the Internet.
Several proposals to improve the current CA-based system have been put forward by Internet and security experts in the past 12 months, but there's no consensus regarding which one offers the best solution.
In November 2011, security engineers from Google proposed an HTTP extension called "public key pinning" that would allow websites to effectively tell browsers via an HTTP header which certificate authorities should be trusted to issue SSL certificates for their domain names.
The browsers would then remember (pin) this information and refuse to establish the connection if they receive a certificate signed by a different CA in the future. A more static implementation of this system already exists in Google Chrome for particular domain names, including Google's.
TACK is based on the same public key pinning concept, but instead of pinning CA public keys to particular domain names, it pins public keys generated by the domain owners themselves.
With TACK, the domain owner can generate a pair of private and public keys called TACK keys. The private key is used to sign the server's TLS public key, which is currently used by browsers to validate SSL certificates. The TACK public key is then shared with connecting browsers and is used to validate the TACK-signed TLS public key.
The browsers can pin a TACK public key to a domain name if they receive it from the server on several separate occasions. If an attacker attempts to use a rogue SSL certificate to spoof a secure connection to a domain name that already has a TACK key pinned to it, the browser will not authorize it because the TACK validation will fail.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts