
Researchers Propose Way to Thwart Fraudulent Digital Certificates

By eWeek

May 30, 2012


Security researchers Moxie Marlinspike and Trevor Perrin say an extension to the transport layer security (TLS) protocol could help address spoofing attacks on the Secure Sockets Layer certificate ecosystem.

They have proposed an approach called Trust Assertions for Certificate Keys (TACK), which enables a Web site to sign its TLS server's public keys with a TACK key. Clients can pin a hostname to the TACK key without requiring sites to make changes to their existing certificate chains or limiting their ability to deploy different certificate chains on different servers or change certificate chains at any time.

Marlinspike and Perrin note that inside the TACK is a public key and signature. "Once a client has seen the same [hostname, TACK public key] pair multiple times, the client will 'activate' a pin between the hostname and TACK key for a period equal to the length of time the pair has been observed for," the researchers say. "This 'pin activation' process limits the impact of bad pins resulting from transient network attacks or operator error."

The browser will reject the session and alert the user when it comes across a fraudulent certificate on a pinned site.
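The pin-activation rule described above, as an added illustration written for this abstract (not the researchers' own code or the TACK reference implementation): a minimal client-side pin store that records each validated [hostname, TACK key] observation, activates the pin only once the pair has been seen more than once, keeps it active for as long as the pair has been observed, and rejects a pinned host that presents a different key or no TACK at all. The 30-day cap on the active period is taken from the TACK draft, not from the article; key strings and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the TACK draft caps the active period at 30 days; the article does not say so.
MAX_ACTIVE_PERIOD = 30 * 24 * 3600


@dataclass
class PinRecord:
    tack_key: str        # TACK public key seen for this hostname (opaque placeholder string)
    first_seen: int      # unix time of the first observation of this [hostname, key] pair
    active_until: int    # unix time until which the pin is enforced (0 = not yet activated)


class TackPinStore:
    """Client-side pin store implementing the 'pin activation' rule from the article."""

    def __init__(self) -> None:
        self.pins: Dict[str, PinRecord] = {}

    def check(self, hostname: str, tack_key: Optional[str], now: int) -> str:
        """Decide whether a TLS session may proceed; call this before observe()."""
        rec = self.pins.get(hostname)
        if rec is None or now > rec.active_until:
            return "accept"   # no active pin: fall back to ordinary certificate validation
        if tack_key == rec.tack_key:
            return "accept"   # the pinned key was presented (TACK signature already verified)
        return "reject"       # pinned site presented a different key, or no TACK at all

    def observe(self, hostname: str, tack_key: str, now: int) -> None:
        """Record a successfully validated [hostname, TACK key] observation."""
        rec = self.pins.get(hostname)
        if rec is None or rec.tack_key != tack_key:
            # First sighting of this pair (or replacing an expired pin): remember it,
            # but do not activate; one transient bad observation must not create a pin.
            self.pins[hostname] = PinRecord(tack_key, now, 0)
            return
        # Seen again: the pin stays active for as long as the pair has been observed, capped.
        observed_for = min(now - rec.first_seen, MAX_ACTIVE_PERIOD)
        rec.active_until = now + observed_for
```

Because a pin is only enforced for as long as the pair was consistently observed, a single mis-issued or attacker-presented key seen once never blocks the site, which is the damage-limiting property the abstract describes.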


Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA
