OWASP AppSec Research 2013

Although SSL/TLS is in widespread use today, certificate validation currently suffers from the weakest link property created by the fact that any trusted CA can sign a certificate for any domain. Thus, if a single CA is compromised or coerced, any and all hosts using CA- signed certificates can be endangered. Several recent high profile hacking cases have brought attention to this problem and a number of promising new approaches to strengthen SSL security are being discussed. In this paper we propose an evaluation framework based on a catalog of desirable benefits of SSL validation systems. We evaluate the current CA-based PKI and the the following alternative approaches: Perspectives, Conver- gence, Certificate Transparency, Sovereign Keys, TACK and DANE. We identify the different strengths and weaknesses of the systems, try to shed light on the trade-offs all systems have to make and show which disadvantages they incur that currently hinder adoption.