Marlinspike: Certificates have 'real problems'

Summary: Security technologist Moxie Marlinspike tells ZDNet UK why he thinks there are major problems with trust in digital certificates after a series of certificate authority hacks in 2011

...the statements that he made in his communiqués.

The reason why I don't feel this is state sponsored is that: one, I'm sure there are state-sponsored attacks happening all the time, but most countries simply have their own certificate authority and so it's very easy for them to intercept secure communication — they don't have to hack anybody. Their ability to intercept communication is baked in.

For really well-funded entities, like nation states that for whatever reason do not have their own certificate authorities — Iran, for example — they can just simply buy a certificate-authority certificate through a programme called GeoRoot, which is run by GeoTrust, which is owned by VeriSign. That would allow them to immediately have a certificate-authority certificate they could use to intercept any communications they want.

With Convergence, the notaries could be guaranteed by security companies. Symantec is a security company that owns VeriSign SSL, so why not use Symantec as a trusted entity?
Sure, it depends on who you trust. I feel that all security companies are not equal. Different people might trust different organisations for whatever reason. I feel there is some difference between collective trust versus [individual] trust. I feel like I can identify some sort of an organisation, where even if I might not trust each of them individually, and absolutely, I would trust their collective response. I would trust them not to be colluding with each other.

I wanted to ask you about SOPA and PIPA. Do you think they're going to change the information security landscape? Do you think they are going to lead more people to try out encryption?
It's possible. In terms of the information-security landscape, the lesson for me here, whether or not this stuff passes, is that it came close to passing, and that they are trying to pass legislation like this.

A lot of people are looking at this legislation and thinking that the future of DNSSEC hangs in the balance. If this passes, then people are, "Oh, well, we shouldn't deploy DNSSEC, but if it doesn't pass, then we'll deploy DNSSEC." And to me, the question is its own answer.

DNSSEC depends on trust in government. If governments are going to start messing with DNS responses, or intercepting DNS queries, they can very easily do that with DNSSEC. DNSSEC depends on a hierarchy of trust in centralised organisations that are either controlled by nation states through the cc top-level domains or by organisations that happen to be in the purview of the government through the global top-level domains.

To me then the question is its own answer. If people are even thinking about doing this, then we shouldn't put our eggs in that basket. It's extremely likely that even if it doesn't happen now, then it will happen at some point in the future. We should be looking for entirely different solutions.

I think of this kind of stuff from the perspective of a technologist. I'm not in a position to lobby for or against, and really I want nothing to do with it. On the technical side, if this kind of legislation did pass, it would only increase the development of a tamper-proof internet. People would immediately start working on solutions that would prevent people from tampering with the internet in this way.

I guess that's a good thing?
I think it's something we should do one way or the other. This is the writing on the wall — we're looking into the future with that legislation. We should be prepared.

There is a lot of government interest in being able to look at communications. On the other hand, there are some compelling cases for people wanting to be anonymous and have anonymous communications, especially when they are trying to effect some kind of social change. What is your view on the balance between people wanting to effect social change and law enforcement wanting to intercept communications?
My feeling is that right now, law enforcement is doing all right. Their mechanisms for intercepting communications are pretty extensive. This question is like, choose your team, and I know what team I'm on — I'm on team anonymity. Law enforcement has not built a lot of trust.

If you look at the mechanisms they are using to intercept people's communications and trap people, it doesn't feel like they're really doing it appropriately. There's a lot of politics about this. If you look at what's been happening in the US with wire-tapping, it's totally insane. That kind of stuff is really driving people towards technical solutions that allow them to preserve their privacy.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
