Called TACK, which is short for Trust Assertions for Certificate Keys, the extension was developed by security researchers Trevor Perrin and Moxie Marlinspike and was submitted for consideration to the Internet Engineering Task Force (IETF), the body in charge of TLS, on Wednesday.

TACK tries to resolve the trust-related problems with the public key infrastructure that were highlighted by last year's security breaches at certificate authorities (CAs) Comodo and DigiNotar. Both of those breaches resulted in SSL certificates for high-profile domains like google.com, hotmail.com or mail.yahoo.com being issued fraudulently. In DigiNotar's case, the certificates were even employed in active attacks against Google users in Iran.

At the moment, Web browsers trust over 600 organizations from around the world to issue SSL certificates. These organizations are known as certificate authorities, and every one of them can technically issue a valid certificate for any domain on the Internet.

Several proposals to improve the current CA-based system have been put forward by Internet and security experts in the past 12 months, but there's no consensus regarding which one offers the best solution.

In November 2011, security engineers from Google proposed an HTTP extension called "public key pinning" that would allow websites to effectively tell browsers, via an HTTP header, which certificate authorities should be trusted to issue SSL certificates for their domain names. The browsers would then remember (pin) this information and refuse to establish the connection if they receive a certificate signed by a different CA in the future. A more static implementation of this system already exists in Google Chrome for particular domain names, including Google's.

TACK is based on the same public key pinning concept, but instead of pinning CA public keys to particular domain names, it pins public keys generated by the domain owners themselves.
With TACK, the domain owner can generate a pair of private and public keys called TACK keys. The private key is used to sign the server's TLS public key, which is currently used by browsers to validate SSL certificates. The TACK public key is then shared with connecting browsers and is used to validate the TACK-signed TLS public key.

The browsers can pin a TACK public key to a domain name if they receive it from the server on several separate occasions. If an attacker attempts to use a rogue SSL certificate to spoof a secure connection to a domain name that already has a TACK key pinned to it, the browser will not authorize it because the TACK validation will fail.

This creates a secondary protection layer, because in addition to a fraudulently obtained, CA-signed SSL certificate, an attacker would also need the domain owner's private TACK key in order to pull off a successful attack.

TACK is designed to be backward-compatible with both clients and servers that lack support for it. In such situations, the HTTPS connection gets negotiated according to the current CA-based validation system.

This aspect is particularly important given the slow adoption of new TLS versions by Web server owners. According to the Trustworthy Internet Movement's SSL Pulse project, fewer than two percent of the Internet's top 200,000 HTTPS-enabled websites support TLS 1.1 or 1.2, the latest versions of the protocol.

The vast majority of websites still support SSL 3.0, the precursor of TLS, and TLS version 1.0, which was designed in 1999. Over 30 percent of them still support SSL 2.0, the first publicly available and most insecure version of the protocol.

Under these conditions, it's hard to imagine TACK becoming widely implemented anytime soon, even if the extension ends up receiving approval from the IETF.