HOME

TheInfoList



Click Here for Items Related To - Convergence (SSL)
OR:
Convergence (SSL) on:   [Wikipedia]   [Google]   [Amazon]

Convergence was a proposed strategy for replacing
SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...
certificate authorities In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This ...
, first put forth by Moxie Marlinspike in August 2011 while giving a talk titled "SSL and the Future of Authenticity" at the Black Hat security conference. It was demonstrated with a
Firefox addon Add-on is the Mozilla term for software modules that can be added to the Firefox web browser and related application software, applications. Mozilla hosts them on its official add-on website. Browser extensions are the primary type of add-on. In ...
and a server-side notary daemon. In the talk, Marlinspike proposed that all of the current problems with the certificate authority (CA) system could be reduced to a single missing property, which he called "trust agility" and which Convergence aimed to provide. The strategy claimed to be agile, secure, and distributed. As of 2013, Marlinspike is focused on an
IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and ...
proposal called TACK, which is designed to be an uncontroversial first step that advocates for dynamic certificate pinning instead of full CA replacement and reduces the number of times a third party needs to be trusted. Development of Convergence was continued in a "Convergence Extra" fork until about 2014.


Background

Convergence was based on previous work from the Perspectives Project at
Carnegie Mellon University Carnegie Mellon University (CMU) is a private research university in Pittsburgh, Pennsylvania. One of its predecessors was established in 1900 by Andrew Carnegie as the Carnegie Technical Schools; it became the Carnegie Institute of Technology ...
. Like Perspectives, Convergence authenticated connections by contacting external notaries, but unlike Perspectives, Convergence notaries could use a number of different strategies beyond network perspective in order to reach a verdict.


Convergence in comparison to conventional SSL

The purpose of a
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Th ...
in the conventional
SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...
system is to vouch for the identity of a site, by checking its SSL certificate. Without some vouchsafing, one is open to a
man-in-the-middle attack In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
. A single site is vouched for by only a single certificate authority (CA), and this CA has to be trusted by the user. Web browsers typically include a list of default trusted CAs and display a warning about an "untrusted connection" when a site cannot be vouchsafed by a trusted CA. A problem with this system is that if a user (or browser vendor) loses trust in a CA, removing the CA from the browser's list of trusted authorities means losing trust in all the sites that used that CA. This happened when major browsers lost trust in the DigiNotar CA and sites registered with this CA had to get new certificate authorities (see '' Certificate authority#CA compromise'' for more examples of trust breaches). With Convergence, however, there was a level of redundancy, and no
single point of failure A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software appl ...
. Several ''notaries'' could vouch for a single site. A user could choose to trust several notaries, most of which would vouch for the same sites. If the notaries disagreed on whether a site's identity was correct, the user could choose to go with the
majority vote A majority, also called a simple majority or absolute majority to distinguish it from related terms, is more than half of the total.Dictionary definitions of ''majority'' aMerriam-WebsterQualys announced it would run two notary servers. As of June, 2016 these servers appeared to be down. A list of notaries was maintained on the Convergence wiki.


Alternatives

* The
Monkeysphere Project Dunbar's number is a suggested cognitive limit to the number of people with whom one can maintain stable social relationships—relationships in which an individual knows who each person is and how each person relates to every other person. This ...
tries to solve the same problem by using the PGP
web of trust In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the ...
model to assess the authenticity of https certificates. *
HTTP Public Key Pinning HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates. A server uses ...
is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. *
Certificate Transparency Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly t ...
is an attempt to solve the problem by verifiable append-only public logs.


References


External links

*
Convergence project page
at GitHub {{SSL/TLS Computer security accreditations Transport Layer Security