SSL Certificates Under Blockchain Editing: Restrictions, Risks, Opportunities

Technological progress, flying on the blockchain’s wings, continues to amaze not only its fans but also ordinary inhabitants with its capabilities that appear in different areas of our life. And when it seems that this technology is already everywhere, so immediately come push-notifications with another selection of news, where the headline about the new case of blockchain solutions implementation will flash.

It seems to me that an interesting case of the blockchain product implementation is the area of trust on the Internet, and more specifically SSL certificates, which, although designed to save us from the troubles in the network, but still have significant drawbacks.

SSL certificate is…

The SSL certificate is a confirmation that the keys that protect user’s data are issued by the organization with which the user communicates, as well as protected from situations where they could be compromised. The SSL certificates’ task is to prevent the user’s confidential information from falling into the fraudster’s hands who intends to intercept, for example, your contact details or even a bank card number.

SSL certificates are used on the websites of financial institutions, payment systems, online stores, social networks, and even state-owned enterprises.

If there is an SSL certificate on the site, a secure connection is established between the user’s browser and the resource (site). When, for example, a customer pays his purchases in an online store, his number of a bank card will be encrypted by the browser, only after that, it will reach the server. In this case, the browser converts the card number into a random set of characters and only then sends it to the server. To decrypt a message is possible only with a special key that is stored on this server. If attackers succeed in intercepting information, they still won’t understand what it means.

Vulnerabilities

However, despite the excellent concept, SSL is far from perfect.

In 2014, the cybersecurity sphere caused a wave of concern related to the discovered Heartbleed vulnerability.

This danger was able to force companies around the world to reissue their SSL certificates. At the same time, Heartbleed was the result of an error not in SSL, but in the popular OpenSSL cryptographic library. Experts estimate that approximately 70% of websites use OpenSSL for HTTPS connections, and about 35% of them are affected by vulnerabilities. If we estimate the minimum and confirmed losses, then 10 banks, 2 payment systems, 8 VPN providers, as well as the popular mail services Yandex.ru and Yahoo.com became the victims of the Heartbleed attack.

Problem

The root cause of the vulnerabilities is that SSL certificates, based on X.509 public key infrastructure, are issued by special certification authorities (CAs). The responsibility of these centers is to provide guarantees that the issued SSL-certificates actually belong to the owners of these resources.

Certificate authorities are centralized organizations that may be compromised, employees under some influence or by mistake may issue a fake certificate or fail to conduct proper validation. As a result, the user of such a resource, hoping for a secure connection to the site, can be deceived. For example, there may be a case when a client, believing that he is conducting an operational activity on the site of the payment system, will transfer all his data to the server set by the fraudster. Also, a huge problem is that each such resource provides protection in the form of user passwords, which, by all standards of security, must be unique for each site. And, of course, the more unique passwords we create for different accounts, the higher the probability of losing one of them.

Of course, thoughts about implementing a single sign-on approach have long been developed (fingerprint, voice authentication, or even retinal scanning). And services with similar capabilities most often fall victim to phishing.

Decision

In such scenarios, an attacker can not only intercept traffic but also easily decipher all confidential data, which is a serious problem, the solution of which could be the introduction of blockchain technology.

The main thing that should be emphasized is that the blockchain is able to eliminate mediation in the face of certification authorities. This approach will allow the registration of resources under the names of their owners, under their exact addresses, the data can not be changed or forged, which guarantees that the person who owns the server really owns the name.

Project examples

EmerCoin

The EmerCoin project offers its users a service that provides secure and reliable unified authorization. At the same time, the developers implemented the emcSSL protocol, positioning it as the first decentralized digital key management system based on the EmerCoin blockchain.

EmerCoin blockchain is responsible for storing SSL certificates’ hashes and ensures the uniqueness of the UserID. Since private keys never go beyond the boundaries of the user device, attackers will not be able to make a massive attack, and the lack of a central server makes it impossible to compromise it. Moreover, when authorizing a user on any resource, he or she can decide which data to provide access to the site. At the same time, there is no need to fill in your data each time, for example, when paying for online purchases, since emcSSL, with the permission of the user, will open the store access to the information that is required. After examining EmerCoin user reviews, I was surprised by a small amount of negativity, there are complaints that emcSSL is very difficult to set up, it is not completely clear in work, with the exception of professional representatives of the IT world.

REMME

The technical part of the blockchain project REMME was created by a small team of developers, with whom I was able to communicate personally. According to their statements, the main product of REMME is passwordless authentication of users and their devices using public keys (for example, self-signed SSL certificates) that are stored in the blockchain.

After REMME launching, the technical team considered the option of completely rejecting authentication passwords using an SSL certificate. However, later it was decided to start working on the implementation of the “digital passport” idea, represented by the certificate.

REMME uses the open source protocol (REMME PKI (d), which, with the implementation of the blockchain, can replace traditional centralized institutions. The technical team of the REMME project, which consists of the majority of the 482.solutions’ developers, pointed out the importance of another development — the REMME Certificate life management system (CLM). This solution is designed to manage the life cycle of certificates.
According to representatives of 482.solutions, such a concept could not be implemented without the introduction of the blockchain, since today all certificate data is stored on a centralized server, which, in turn, contains information about the root certificate, on the basis of which the rest are created. Thus, an attack on the main center entails an information leak from all the global system’s users. If the information is stored in the blockchain, where hundreds of network nodes are responsible for its correctness and confirmation, intruders simply don’t have a single entry point. Attacking hundreds of nodes at the same time is, of course, real, but meaningless, since the process will be much more expensive than the result of the hacking.

Conclusion

In the development of each technology, there are certain stops that contribute to the realization of its shortcomings and flaws. SSL certificates are an integral part that can build a bridge of trust between users and online resources. And the blockchain, in turn, ensures that this bridge doesn’t fall after the storm (attack).

I would like to note that the industry is gaining momentum and representatives of old schools, adherents of standard SSL certificates, are still eyeing the blockchain solutions.

For example, DigiCert, which is one of the leaders in providing SSL certificates, has already shown interest in the aforementioned blockchain of the REMME development team. This fact is confirmed by the presence on the GitHub of the REMME blockchain fork, created by the DigiCert representative. While the official announcements of new products using the blockchain from the company have been reported, however, if work in this direction is underway, it is already possible to say that the leaders of the Internet trust market are able to assess the risks that threaten their users and eradicate them through the blockchain technology implementation.