Converting certificate-based authentication into an operating system service.
The certificate authentication (CA) system has significant flaws that compromise Internet traffic. Primary among these is that any certificate authority can sign certificates for any site, requiring every system to trust every authority. These authorities may be owned by foreign governments, or may be coerced by a government into providing bad certificates. Authorities have also been hacked, as in the DigiNotar hack that compromised hundreds of thousands of Gmail accounts. Finally, even when the CA system is working well, there are many poorly written applications that do not authenticate certificates properly.
The TrustBase project centralizes authentication as an operating system (OS) service, giving system administrators and OS vendors control over authentication policy. TrustBase uses traffic interception to find and authenticate certificates in existing applications, allowing it to effectively prevent broken applications from communicating. To provide system administrator control, TrustBase provides a policy engine that enables an administrator to choose how certificate authentication is performed on the host, with a variety of authentication services that can be used to harden the CA system. This approach both protects against insecure applications and transparently enables existing applications to be strengthened against failures of the CA system.
TrustBase enables system administrators and OS vendors to enforce a number of policies regarding TLS. For example, an administrator could require revocation status checking, disallow weak cipher suites, or mandate that Certificate Transparency be used to protect against active man-in-the-middle (MITM) attacks. Likewise, an OS vendor could ship TrustBase with strong default protections against broken applications, such as enforcing best practices for validating a certificate chain, requiring hostname validation, and pinning certificates for the most popular web sites and applications.
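As an added illustration (not TrustBase code and not its configuration format), the sketch below shows how a host-level policy of the kind described above could judge an intercepted handshake independently of the application. The `Handshake` fields, the violation names and the pin table are assumptions, and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy inputs: the names and fields are assumptions for this
# sketch, not TrustBase's configuration format or plugin API.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")

@dataclass
class Handshake:
    """Constructed stand-in for what an interception layer observes."""
    hostname: str                 # name the application connected to
    cipher_suite: str             # negotiated suite
    san_dns: list                 # dNSName entries of the leaf certificate
    spki_der: bytes               # leaf SubjectPublicKeyInfo bytes
    revocation_ok: Optional[bool] # None means status was never checked

def hostname_matches(hostname: str, pattern: str) -> bool:
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    suffix = pat[1:]                      # "*.example.com" -> ".example.com"
    if suffix.count(".") < 2:             # refuse "*.com"-style wildcards
        return False
    head = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(head) and "." not in head # wildcard spans exactly one label

def evaluate(hs: Handshake, pins: dict, require_revocation: bool = True) -> list:
    """Return policy violations; an empty list means the connection may proceed."""
    violations = []
    if any(m in hs.cipher_suite.upper() for m in WEAK_CIPHER_MARKERS):
        violations.append("weak-cipher")
    if not any(hostname_matches(hs.hostname, p) for p in hs.san_dns):
        violations.append("hostname-mismatch")
    if require_revocation and hs.revocation_ok is not True:
        violations.append("revocation-unverified")
    pinned = pins.get(hs.hostname.lower())
    if pinned is not None and hashlib.sha256(hs.spki_der).hexdigest() not in pinned:
        violations.append("pin-mismatch")
    return violations

# Constructed sample data (placeholder bytes, not a real key).
GOOD_SPKI = b"constructed-spki-for-mail.example.com"
PINS = {"mail.example.com": {hashlib.sha256(GOOD_SPKI).hexdigest()}}
OK = Handshake("mail.example.com", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               ["*.example.com"], GOOD_SPKI, True)
BAD = Handshake("mail.example.com", "TLS_RSA_WITH_RC4_128_SHA",
                ["other.example.net"], b"constructed-other-key", None)

if __name__ == "__main__":
    print(evaluate(OK, PINS), evaluate(BAD, PINS))
```

Because the decision is made on the handshake itself, an application that skips hostname validation or accepts a certificate from an unexpected key is still blocked by the host policy.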
This project is supported by the National Science Foundation under Grant No. 1528022 and by the Department of Homeland Security Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) under contract number HHSP233201600046C.
Any opinions, findings, and conclusions or recommendations expressed in this work are those of the author(s) and do not necessarily reflect the views of the sponsors.