Web Of Trust

Authenticating yourself using the Internet



Most people using the Internet eventually “sign up” to become members of various sites where they can post stuff. It is suggested that by posting certain identical (“public-key cryptography”) data at several of those sites, an individual can establish a verifiable identity, simply because only that person knows the passwords for posting data at those sites. Since the identical data most likely means the same person did the posting (and the more sites, the better!), it becomes possible to trust that other data also originated from that person, via the mechanism of a “digital signature”. Such data might be a “self-signed” SSL Certificate for a web site the person operates –someone else seeing a warning message about the site, presented by the browser, can find plenty of evidence associating the certificate with the genuine site-operator, and not a hacker.

Much of the following text was originally posted at the “HalfBakery” web site ( http://www.halfbakery.com/idea/Web_20Of_20Trust ). It is hoped that after you read this, you will understand why one person is posting the same thing in multiple places.

Imagine a newly-developed web site that is to be accessed via the “https” protocol. The ordinary “http” protocol is occasionally exploited by hackers, to redirect traffic from one web site to another, which does bad things like feed viruses to your computer. A web site with beefed-up security, such as by using the https protocol, is harder to hack that way.

One aspect of that increased security is that the site needs something called an “SSL Certificate” ( http://www.networksolutions.com/education/what-is-an-ssl-certificate/ ); otherwise the browser won’t connect to the site using the https protocol.

There are various ways to obtain an SSL Certificate. Organizations such as Network Solutions, known as “Certificate Authorities”, will be happy to sell you one. But first you have to provide them with a bunch of information so that they can verify you are who you claim to be (that’s probably where most of the purchase price goes, the work they do to verify your information).

The SSL Certificate that you obtain from the Certificate Authority (“CA”) will be “signed” by that company. Your browser probably includes a “root certificate” provided by that company; the “signing” process links your SSL Certificate (and many others that they sell) to theirs. So when the browser encounters your site and your site responds by presenting its certificate, the browser can see the connection between it and the root certificate, and “know” that the CA that provided the root certificate verified you, and therefore any web pages the browser loads almost certainly actually came from your site.

There have been a few cases in which the CA company has been hacked, and its root certificate “key” stolen. The key is secret and used to create the root certificate that the CA provided to the browser. The hacker can use it to create equivalent root certificates –and linked web-site-specific SSL Certificates– that your browser will accept without question. Lots of certificates need to be revoked, and recreated from scratch, when that happens. Still, this is a rarer thing than the ordinary site-hacking described in the first paragraph above.

The process of creating an SSL Certificate is fairly simple, so you could create your own “self-signed” certificate. More, you can act as your own Certificate Authority, and create a “root key” and a “root certificate”, and then use it to sign your ordinary SSL Certificate. But in neither case is such a certificate linked to a widely-recognized CA, so no browser will automatically accept it –the browser-users have to each one specifically tell the browser to accept it.

Why should they?

Is there any way that someone with a self-signed certificate can create a Web Of Trust such that you could be reasonably sure that “someone” sending that certificate to your browser was actually the site-owner?

That’s where this idea comes into play. Part of it relates to something already known, “digital signatures” ( https://www.gnupg.org/gph/en/manual/x135.html ), and “public key cryptography”. You use a special program to create a public key (which you make public) and a private key (which you keep secret). Someone wanting to communicate with you securely would encrypt the message with your public key, but it can only be decrypted with the private key, and only you are the one who has that.

It works in reverse; you can encrypt a public message with the private key, and only your public key can decrypt it, so anyone decrypting the message will know it came from you.

The digital signature is a variation on that theme. A public file, like an SSL Certificate, can be linked to a “signature file” which you created with your private key, and only your public key can prove that the signature file is associated with the public file –which means the public file came from you only.

“However!” you say, “a hacker pretending to be you can also create a public key and put your name on it –so the verification problem remains!”

Not so fast!! Here is where we can actually use the Internet as a Web Of Trust. Think about how many nooks and crannies you regularly visit, and how many of those are places where you signed up to become a member (perhaps including WordPress here).

Suppose you put certain data, like your public key, and your SSL Certificate, and your associated digital signature file, in multiple places on the Web (also include a file listing all those places). They will be the same files in all those places, obviously. A hacker trying to compromise your dot-com web site would have to also compromise all those other sites, or at least all your accounts at those other sites, in order to replace the critical files so that they were as alike afterward, as before the hack.

Since accomplishing that is highly improbable/impractical (unless you did something truly dumb, like use the exact same password everywhere), the net result is that anyone can verify that your SSL Certificate came from you only, and would then have a reason to tell the browser to accept the certificate.

And so I include the text-content of my public key here. You can compare its data to the data at the HalfBakery (see link at top of article), and see it is the same data (not counting certain spaces). Another place to find a copy of the data is the “Slashdot” news-for-nerds site ( http://slashdot.org/journal/1201485/my-public-key-data )

Version: GnuPG v1

Also, while the above is just the text-content, the actual public-key-file can be downloaded from another site ( http://www.nemitz.net/vernon/vnemitz.gpg ), opened with a text editor, and compared.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s