At Defcon, I acquired a new tech hero. Defcon is all about finding vulnerabilities. The glory goes to the most creative and most damning hacks. I’m not condemning hackers. I think the world is more secure because of them. But it bothers me that all the glory goes to breaking in, but there is no glory in fixing or protecting.
Moxie Marlinspike has been breaking SSL for years. SSL is the technology behind the padlock icon in your browser. In school I marveled at SSL’s protocol. To me it was like an armored truck delivering my internet traffic. Moxie broke that perception for me years back with his many discoveries of how to get around the armored truck. In particular his SSL-strip presentation at Black Hat rocked my world (and it still has the potential to rock your bank account).
Not content with exposing the weakness of SSL, Moxie wants to fix it. At Defcon he explained the problems with certificate authentication and proposed a fix: Convergence. It changes the way we establish trust in certificates. Here is his explanation of the problem. Here is his proposal to fix it. It’s a real solution. You can try it on Firefox today. If you want to be part of the solution you could host a notary. Here is a write-up on the Sophos blog.
So this is for Moxie, the SSL-Hero. More than a hacker, he finds the problems and fixes them. No offense to hackers, they find the holes. No offense to developers who create fixes for the holes. But it takes a super hero to find and fix.