Convergence To Replace Certificate Authority System?

Hak5, from Revision 3, mentioned Convergence.io.  It’s a technology that tries to replace the Certificate Authority system.  According to Convergence, a handful of trust notaries have had a monopoly on dictating whom users on the world wide web should trust.  Unfortunately, even though the Certificate Authority system (i.e., the traditional trust notaries) has been working quite well so far, hackers were able to break into several CAs (reputable trust notaries) and issue bogus certificates that impersonate trusted parties (i.e., for phishing).

According to Arstechnica.com’s article “Comodo hacker: I hacked DigiNotar too; other CAs breached,” a hacker calling himself ComodoHacker claimed that he hacked DigiNotar, GlobalSign, and four other CAs that he has so far refused to name.  It’s obvious that hackers can target and penetrate CAs’ security systems from time to time.  Therefore, we can safely assume that sometimes not all SSL certificates issued by these CAs/trust notaries can be trusted.  SSL certificates nowadays come from only a handful of reputable brands (besides self-signed certificates), so users cannot do anything about bogus SSL certificates, since they are not able to remove trust in an affected trust notary (i.e., one that was hacked).  Several websites probably switched to different CAs (i.e., trust notaries) when their previous CAs had been penetrated by hackers, but what if the same hackers, or different ones, then hack into the new CAs that these websites switched to?  Round and round we go, and meanwhile users have no choice but to trust the new SSL certificates that these websites have renewed with different CAs (i.e., trust notaries).

According to Hak5 episode “DEFCON 19 Part 2 – Moxie on Authenticity and Hackers for Charity – Thursday, August 25th, 2011 – running time 24:40,” Convergence allows users to decide which trust notaries to trust.  Although this might be a burden on users, it allows informed users to remove trust notaries they do not trust, even when those trust notaries are reputable.  Hint: as I mentioned above, hackers have penetrated several reputable trust notaries!  To lessen the burden somewhat, users of the Firefox browser can install Convergence’s Firefox extension, which comes with default trust notaries that users can give their trust to; users can configure the list and ultimately add and remove both default and new trust notaries.

Heading over to http://convergence.io/details.html, Convergence claims that it’s secure and flexible and even backward compatible with the traditional Certificate Authority system.  The list goes on:
— Users themselves can run a Convergence trust notary, since Convergence has released its notary code as open source.  This allows users to act as trust notaries for other users, somewhat socializing the Certificate Authority system in general.  This has one benefit: if there is a bad trust notary, fewer users have to deal with it, unless that bad trust notary is truly trusted by many users.  Fortunately, users of the Convergence system can easily remove a bad trust notary.
— Convergence is robust, since it can be configured to require multiple trust notaries to agree on which trust notaries should be trusted, somewhat like a democratic system.  Therefore, it’s less likely for a bad trust notary to be listed as a trust notary if multiple trust notaries are carefully policing new and unknown trust notaries.
— Convergence is simple in that users won’t see self-signed certificate warnings, because Convergence is backward compatible with the traditional Certificate Authority system and smart enough to recognize a self-signed certificate.
— Convergence also caches trust notary information locally, and users can configure Convergence to shield their IP addresses from trust notaries, preventing their browsing history from leaking elsewhere.
— According to Convergence, it’s fast and lightweight, so users won’t feel any sluggishness when using it.
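The multiple-notary agreement and the local cache described in the list above, as an added example that is not Convergence’s own code: the notary names, hostnames, fingerprints and the “majority”/“consensus” policy names are assumptions constructed for this demo. Each notary reports the certificate fingerprint it sees for a host from its own vantage point; the client compares those reports with the fingerprint it actually received, ignoring any notary the user has removed from the trusted set.

```python
from collections import Counter

# Constructed notary responses for one host: notary name -> fingerprint it observed.
# "notary-bad.example" stands in for a notary the user may decide not to trust.
NOTARY_VIEWS = {
    "notary-a.example": "sha1:AAAA",
    "notary-b.example": "sha1:AAAA",
    "notary-c.example": "sha1:AAAA",
    "notary-bad.example": "sha1:EVIL",
}

def decide(observed_fp, views, trusted, policy="majority"):
    """Return (accept, reason) for a certificate the client received.

    observed_fp: fingerprint of the certificate presented to the client.
    views:       notary -> fingerprint that notary reports for this host.
    trusted:     set of notaries the user trusts; others are ignored, which is
                 how a user "removes" a bad notary from the decision.
    policy:      "majority" (more than half of trusted notaries agree) or
                 "consensus" (every trusted notary agrees).
    """
    votes = {n: fp for n, fp in views.items() if n in trusted}
    if not votes:
        return False, "no trusted notaries answered"
    agree = sum(1 for fp in votes.values() if fp == observed_fp)
    total = len(votes)
    if policy == "consensus":
        ok = agree == total
    elif policy == "majority":
        ok = agree * 2 > total
    else:
        raise ValueError("unknown policy: %s" % policy)
    reason = "%d/%d trusted notaries agree under %s" % (agree, total, policy)
    common_fp, _ = Counter(votes.values()).most_common(1)[0]
    if not ok and common_fp != observed_fp:
        # The notaries mostly see a different certificate than the client did:
        # the classic sign that the client's connection is being intercepted.
        reason += "; notaries mostly see %s, possible interception" % common_fp
    return ok, reason

# Local cache keyed by (host, fingerprint): a repeat visit with the same
# certificate needs no notary query, so the notaries learn less about browsing.
_CACHE = {}

def check_host(host, observed_fp, views, trusted, policy="majority"):
    key = (host, observed_fp)
    if key not in _CACHE:
        _CACHE[key] = decide(observed_fp, views, trusted, policy)
    return _CACHE[key]
```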

To tell the truth, I like the idea of Convergence very much.  Unfortunately, I can’t find other reviews of Convergence to confirm the goodies and benefits that Convergence claims it has, besides getting to know Convergence through the episode of Hak5 that I mentioned above.  Heading over to convergence.io, users can download the extension for Firefox, but when I headed over to Firefox’s Add-ons website, I could not find Convergence’s official extension there.  This somewhat deters me from trying Convergence out, since I somewhat implicitly trust the extensions that Mozilla itself has allowed to be listed on the Firefox Add-ons website. Nonetheless, if Convergence is useful and noble, I hope it will become popular so more users can reap the benefits of using it.

In my opinion, though, the traditional Certificate Authority system will not welcome the arrival of Convergence.  It’s a disruption to the business of many reputable trust notaries.  Reputable trust notaries sell SSL certificates for a living, so the idea of user-to-user trust notaries could break down or saturate the market for SSL certificates a lot.  But I guess as long as Convergence isn’t popular or has a weak point somewhere, the traditional brands of reputable trust notaries will not be up in arms.

Tell me in the comments below this blog post or on my YouTube video what else you know of Convergence, and what you make or think of it. Thanks…

Sources:  http://convergence.io/details.html
