Can the blockchain replace SSL?

Bitcoin made the Blockchain concept famous, and is the most visible application of the concept of a distributed transaction database. But many computer scientists, technology enthusiasts and investors believe that the blockchain's most powerful applications are yet to be developed. 

One of the intriguing potential applications for the blockchain is to become a distributed alternative to the Internet's current Secure Sockets Layer (SSL) based trust layer. SSL, the technology that enables a client to communicate with a server through an encrypted connection, has been around since 1995 and is ubiquitous on the Web. But SSL isn't perfect and its imperfections have been the source of great angst in recent times. Heartbleed was one of the biggest security vulnerabilities in history, potentially effecting countless servers and forcing companies around the world to reissue their SSL certificates. 

Heartbleed was the result of a flaw in the popular OpenSSL cryptographic Library, not in SSL itself. In contrast, the even more recent POODLE vulnerability was based on a flaw in an algorithm within the SSL 3.0 protocol and affected all applications using SSL 3.0 in a particular cipher mode.

While POODLE is considered less damaging than Heartbleed in practice, the approach used to exploit POODLE – a man-in-the-middle attack – is the bane of the current SSL trust model. That's because SSL certificates, which rely on X.509 public key infrastructure, are issued by Certificate Authorities (CAs). These CAs are tasked with verifying that the certificates they issue for websites are actually being issued to the owners of those websites. According to Douglas Crawford, "There exist some 1200 CAs that can sign certificates for domains that will be accepted by almost any browser. Although becoming a CA involves undergoing many formalities (not just anyone can set themselves up as a CA!), they can be (and are) leaned on by governments (the biggest problem), intimidated by crooks, or hacked by criminals to issue false certificates."

If a CA is compromised and issues a false certificate, or issues a certificate without proper verification, a client can be tricked into believing that it's communicating securely with, say, a banking website, when it's really communicating with server set up by a fraudster. Not only would the fraudster be able to intercept traffic intended for a legitimate destination, he would be able to decrypt all of the sensitive data being sent – a major problem, for obvious reasons.

What is the solution? Certificate pinning, which is used by some companies to prevent reverse engineering of their private APIs, can help address this issue within the current trust model, but it has its limitations and is not likely to be employed at scale. So some have started suggesting that SSL needs to be replaced entirely and more novel approaches are being looked at. One of these approaches: use the blockchain.

As an anonymous computer scientist and Bitcoin enthusiast mused in a blog post last year, "With no central authority a user can register themselves as the owner of a name, point it to their address, but also register a certificate which can be used to establish that the person on the other end of that address is the owner of the name, not just somebody listening in or pretending."

Some are already experimenting with a blockchain-inspired approach to trust on the web. Namecoin, which calls itself "a Decentralized open source information registration and transfer system," facilitates the unofficial .bit TLD and offers an alternative to the current CA system. And The okTurtles Foundation, which supports the development of decentralization technologies, has developed DNSChain, a blockchain-based DNS and HTTP server that it claims "fixes HTTPS security."

With DNSChain, the blockchain replaces X.509 PKI. CAs, the weak link in the current trust system, go away. Public key pinning is used to secure the connection between clients and DNSChain, eliminating the need to use pinning on a website-by-website basis. A REST API provides access to all blockchains as well as traditional DNS, making the solution backwards compatible with the existing DNS system. As an added non-technical benefit, the elimination of CAs would eliminate the need to charge for certificates.

The okTurtles vision is bold, and some issues, such as how the legitimacy of entries in the blockchain is established in practice, will probably need to be looked at in greater detail. But the most interesting thing about this approach is that all of the core technical components required to make it a reality are already in place. So will DNSChain, or a solution like it, ever be adopted widely? The ubiquity of the current system suggests that is unlikely, but the real question might be whether or not the current system will be able to survive without modification as its shortcomings become more apparent and more problematic.

Be sure to read the next Security article: Tinder API Hack Leaves Unsuspecting Men Hitting on Each Other