A number of high-profile issues have severely affected trust in Secure Sockets Layer (SSL) technology, leading many people to advocate replacing it wherever possible with Transport Layer Security (TLS) or other technologies. Blockchain is seen by some as having the potential to do just that, but can it really deliver?
The SSL cryptographic protocol has been around since the early 90s and has been used in a wide range of systems to enable more secure information exchange. The term SSL is sometimes confused or conflated with TLS, though the two technologies are different in several respects.
SSL works by authenticating information exchange using an encrypted message authentication code (MAC) designed to validate the integrity of an individual message and ensure secure communication over networks or on the web. Unfortunately in recent years serious flaws in aspects of SSL technology have been identified and it is no longer recommended in certain settings by organizations, such as the National Institute of Science, Technology and Development Studies (NISTADS).
While there are several reasons for the demise of SSL as a widely accepted standard, some of the primary issues are mistakes, both real and perceived, by organizations implementing SSL as well as the bodies in charge of offering and maintaining the ecosystem; Certificate Authorities (CA). Although there are thousands of CAs around the world, all of whom have passed a rigorous approval process to set up and offer SSL certificates, the scale of the SSL market means that CAs can hold a disproportionate amount of control in the current system.
When the operations of CAs are then attacked by hackers, or subject to influence by governments or private sector actors, trust in the system is undermined. The distrust of Symantec certificates is a prime example of this erosion in trust. False certificates are not often created due to a CA’s oversight, error or even due to a conscious choice. But when they are, fraudulent certificates can be used to trick individuals into sharing sensitive information while believing they are communicating with a legitimate system – such as their online banking account or an internet payment provider.
Blockchain technology has been cited as a potential solution to fixing such vulnerabilities in the SSL system. The decentralised ledger can be used by individual parties to create unique cryptographic keys that can verify information and ensure secure communication. One example of this is the open-source Namecoin system, which also partially functions as an alternative currency like many blockchain startups. Namecoin is designed to be an alternative to centrally-managed systems that provide identity information for websites and other online assets, even offering a decentralized DNS.
In addition, another startup called REMME is developing a blockchain password replacement system which will be able to identify devices and users with the support of SSL certificates. The REMME system assigns an SSL certificate to an individual device (such as a smartphone or tablet computer) and stores the certificate information using a secure, blockchain-enabled database. This simple solution removes any reliance on an authentication server or password database, two common targets for attack. It can also enable two-factor authentication with the addition of another device.
Although these examples, and various other emerging solutions, are seeking to address the issues that the SSL system faces, they may also ultimately suffer from the very problem they are trying to solve; a lack of trust. The vital role of CAs is to verify that the owner of a certificate is legitimate, and while blockchain may be able to assist with this process, it is trust in the decision-maker that drives trust in the system overall.
If the CA as decision-maker is replaced with a blockchain-enabled system, then it will be important for those involved in building and maintaining that system to clearly demonstrate its stability and decouple from the hype and misinformation around blockchain in general. We regularly see how the value of alternative blockchain currencies are intimately tied to the fate of Bitcoin pricing, and how a successful attack on any currency exchange can affect perception (rightly or wrongly) in the sector as a whole. Any system attempting to decentralize trust in order to provide certificates that can replace SSL technology will need to bear these challenges in mind for the future.
As huge numbers of both new users and machines (due primarily to the growth of Internet of Things [IoT] enabled technologies) come online, the web is set to grow exponentially in the future in terms of the number of devices which will be fully connected and able to act as network nodes. All organizations need to ensure that the machine identities and certificates used to communicate securely with other servers are carefully managed, whether they use SSL or TLS replacement technologies deploying blockchain, hybrid systems such as that being developed by REMME, or the legacy SSL system alone. Management of these certificates is a critical security issue and should not be overlooked in the drive to enhance, or even replace, the existing SSL ecosystem.