Throughout the past few years, many studies have experimented implementation of the blockchain technology in various aspects on internet security. A recently published study analyzed the influence of the blockchain technology on the development of services offered by various cybersecurity companies across a myriad of industries and sectors with emphasis on certificate authorities and the context of critical infrastructure. Furthermore, the study examined the increased magnitude of studies delving into blockchains and decentralized governance to evaluate the impact on blockchains on promoting cybersecurity and creating a state of “cyber peace”.
Let’s look through how the study proposed a solution to maximize the security of certificate authorities via the blockchain technology.
The Insecurity and Vulnerability of Certificate Authorities:
Certificate authorities are intermediaries, or third parties, that webmasters and online companies refer to in order to identify organizations or individuals and match their identities with their corresponding public cryptographic keys. This enables users, who already trust the certificate authority, to trust that a given public key corresponds to the appropriate party, and thus, messages received from it match the identity referred to by the certificate authority.
Practically, due to reasons that vary from simple incidents to covert governmental interventions, certificate authorities can be themselves untrustworthy. Big internet companies, such as Google and Mozilla, have inherently trusted some certificate authorities despite the fact that they can lie about identities of users or can be successfully hacked, which can result in a hacker obtaining false certificates. For instance, during the first half of 2011, approximately 200 various certificate authorities successfully fulfilled Mozilla’s certificate policies and therefore, could be used back then to find websites on Mozilla’s Firefox, including China’s Internet Network Information Center (CNNIC), which is owned and operated by the Chinese government. During later parts of 2011, fraudulent certificates were received from Comodo’s servers, which is a well known certificate authority that formulates certificates for entities such as Yahoo and Gmail, by an Iranian hacker. Interestingly enough, the Stuxnet attack was possible, more or less, by Taiwanese certificate authorities which improperly verified identities; this has been done through covert governmental interference.
Utilizing the Blockchain Technology to Heighten the Security of Certificate Authorities:
One of the main problems associated with present certificate authorities is issuing certificates that link identities of real people to digital cryptographic keys, because it involves people. As such, whether it is dishonesty, fraud, incompetence or a combination of any of these, certificates, that improperly link identities to cryptographic keys, they are issued. For instance, Turkish certificate authorities issued certificates that linked Google’s identity to cryptographic keys that don’t belong to it, which led to users connecting to websites, which they thought were Google, but were actually third parties. Theoretically speaking, one can check which certificate authority signed a given certificate, yet this is not usually done even by the most experienced security professionals as it takes a lot of time and effort to do so with all used certificates. Interestingly enough, the fraudulent Google’s certificates was not an isolated incident, as similar incidents have hit Microsoft and other online companies.
Blockchains can provide a solution to address the problem of accidental issuance of certificates, as a blockchain represents an immutable public ledger. Organizations’, as well as users’, certificates need to be inserted onto the public ledger, rather than depending on untrustworthy third parties. The public nature and non-malleability of blockchains enable one to broadcast his/her certificate without having to go through validation by a certificate authority. Even more, certificates can have a long life span on a blockchain, i.e. issuance of newer certificates by the same organization can be questioned and subjected to specific criteria to minimize the risk of its use.
When a user of a given certificate trusts that it is legitimate, it can deploy computational power, via mining, to verify that the certificate is in fact legitimate. For instance, whenever a user connects to Amazon via an encrypted channel using his/her browser, he/she can utilize some computational power to verify Amazon’s certificate, and have this recorded on the blockchain. Long lived, frequently used, certificates will be considered more trustworthy than newly issued certificates that are used less frequently. This is due to the fact that such long lived, frequently used, certificates would have more proofs-of-work, when compared to newly issued certificates.
Nevertheless, this would render it rather hard for well reputable brands to create new trustworthy certificates, whenever needed, as they will have to build their own history, yet the ability to share trust transitively across various certificates can mitigate this problem. On the other hand, users can be notified whenever a certificate’s identity is newly minted, to take the appropriate precautions
Despite the fact there are multiple security needs that such scheme has to fulfill, the blockchain technology can surely heighten the security of certificate authorities. Scholars at MIT are working hard and experimenting in this field, so we can expect more development in this sector within the next few years.