Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.
Because anyone can run a network notary server, you get to choose who you trust to validate SSL certificates, a powerful concept indeed! You can try it out using our Firefox Extension.
For years, the Internet has relied on anointed ”Certificate Authorities” (CAs) like VeriSign to issue SSL certificates that browsers trust to verify the identify of a remote web server when using the HTTPS protocol. Verifying the remote server’s SSL certificate is necessary to avoid “man-in-the-middle” (MitM) attacks in which an attacker eavesdrops on communication or impersonates a remote website.
The Certificate Authority model have long been criticized as a potential security risk, and recent incidents demonstrate that the security concerns are not just theoretical:
- May 2011: Indications point to the Syrian government actively performing man-in-the-middle attacks (More Info)
- March 2011: Certificate Authority is hacked, leading to the issuing of fraudulent certificates for sites including google.com, yahoo.com and msn.com (More Info)
The root of the problem is that with the CA model, browsers blindly trust a group of 600+ corporate and government parties (ref) to validate SSL certificates. You as a web browser user have little or no choice about who to trust and essentially no visibility into whether these organizations deserve your trust.
How Perspectives Helps
Perspectives takes a different approach to how the web browser determines if an SSL certificate is valid. Instead of requiring browser users to trust an anointed group of certificate authorities, Perspectives gives users the ability to pick a group they trust (e.g., the EFF, Google, their company, their university, their group of friends, etc.) and trust no one else.
How is this possible? Perspectives has a decentralized model that let’s anyone run one or more “network notary servers”. A network notary server is connected to the Internet and regularly monitors websites to build a history of the SSL certificate used by each site. Notary servers or groups of notary servers may be operated by public organizations, private companies, or even individuals.
Rather than validating an SSL certificate by checking for certificate authority approval, with Perspectives the browser validates a certificate by checking for consistency with the certificates observed by the network notaries over time. With network notary servers spread around the world and keeping a history of data, it is VERY hard for an attacker to launch a man-in-the-middle attack (see our academic paper for a full security analysis).
Just like a user picks which search engine their browser will use, they user can also choose what group(s) of network notaries they will trust. The user him/herself can choose whether they trust Comodo, the U.S government, the Chinese government, or not. And because all notary data is public, the quality of different network notaries can be measured and evaluated by anyone, creating a market for better security.
Bonus: Smoothing the Path to Ubiquitous SSL
Potentially untrustworthy certificates authorities is an obvious vulnerability, but we less frequently think about another security hole: all of the completely insecure Internet communication that happens without any SSL protection. In 2011, despite incredible gains in computing performance, why is HTTPS still far from ubiquitous?
One part of the problem is that while computing resources have gotten cheaper, the manual effort required to purchase, install, and yearly renew a certificate still has the same cost. The certificate authority model also has problems with “virtual hosting”, a common practice of hosting many websites on a single machine. These and other factors mean that many sites turn on HTTP, but leave HTTPs disabled.
Perspectives changes the game here, enabling a simple “Plug-n-Play” model whereby any webserver can simply auto-generate an SSL certificate that can be observed by notaries and as a result trusted by user’s browsers without any manual action by the administrator of the webserver, regardless of whether virtual hosting is used. All that is necessary is that the server is plugged into the network and automated probing by notary servers takes care of the rest.