0

Convergence is a well-thought out system to replace certificate authorities built by Marlin Moxiespike back in 2011.

Since it's debut, it seems to have largely stalled out, with no additional major notaries since the original pair and a total lack of adoption by the major browser vendors.

The most critical piece of the web's encryption infrastructure is fundamentally broken. Not only is it trivial for script kiddies to perform MITM attacks, the lack of web encryption has enabled global dragnet surveillance.

Why has this stalled out and why aren't the major browser vendors competing on this point?

Indolering
  • 852
  • 6
  • 21
  • How certificates are signed/verified seems to have little impact on whether or not sites encrypt. I don't think convergence magically fixes MITM attacks or a lack of encryption. – David Jun 10 '14 at 03:45
  • It would enable us to use self-signed certs everywhere (ending simple dragnet surveillance) and it makes MITM much harder. – Indolering Jun 10 '14 at 03:48
  • ...if users bother to check it in the first place when connecting to a HTTPS site, and understand which warnings are legitimate false alarms, such as on Google and Facebook. – Nasrus Jun 10 '14 at 05:47
  • This is not on topic here - you would need to ask the Convergence guys. Also, your question has some assumptions which may not be anywhere near as bad as you are painting them... – Rory Alsop Jun 10 '14 at 14:18
  • @RoryAlsop I'm surprised you find this off-topic, a similar question regarding interpolique went over quite well both on stack exchange and here: http://security.stackexchange.com/questions/12512/interpolique-transparently-preventing-sql-injection-and-xss-with-base64-encodin – Indolering Jun 11 '14 at 16:25

1 Answers1

4

Convergence does not solve a security issue that needed fixing. In practice, evil people who run fake sites for phishing purposes will not bother crafting a fake certificate; rather, they make a non-SSL site, or try to convince the gullible victim that the browser security warning is meaningless. (The same point can be made, and has actually been made, about EV certificates.)

What Convergence tries to fix is a political issue: it is mostly about kicking the established, commercial CA out of the Web business; it is an attempt at replacing traditional business concentration with a somewhat anarchic decentralized system. Unsurprisingly, this is not a powerful enough reason to drive adoption of a new system. Moreover, commercial CA and browser vendors are actually in good terms, and are more inclined to team up against their respective competitors rather than go to war against each other.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • Yes it solves a political issue. Yes it saves everyone money by not paying for certificates every 1-2 years. It also solves a **huge** security issue. That is the transparent MITM interception and decryption of your traffic by an attacker in a privileged network position such as an intelligence agency. I expand on this more [here](http://security.stackexchange.com/a/44303/32325). By using Convergence, you would obtain a percentage of agreement from other places around the world about what the correct certificate is, thus being able to detect if you are being presented with a false certificate. – NDF1 Jun 12 '14 at 05:39