Despite the rising number of fraudulent activities in the crypto space, the Binance hack came as a huge surprise to many in the crypto community. Since Binance is the most reputable, dominant and popular exchange in the world, few anticipated that such an incident would happen. It has since led other exchanges, such as Koinex, to reassess their security measures.
Several reports suggest that scammers have honed their skills and can make a website's address look like an authentic URL, making it difficult to notice when they mimic the address of a top cryptocurrency exchange such as Bitfinex or Binance. A crypto trader who unknowingly logs in on such a site with their credentials may end up losing their digital assets or government-issued money.
Significance of SSL Certificates in the crypto space
Although it is not stressed often enough, trust is a critical factor in building a harmonious relationship between enterprises and their customers. If you run an online business or project that requires the transfer of funds in exchange for products or services (crypto platforms are a perfect example), you need to create a secure environment in which potential customers feel comfortable doing business with you.
Even before the inception of cryptocurrency, it was customary for users to check for the little green lock in the browser's address bar, which signals that the site is secured with an SSL certificate. That is because Secure Sockets Layer (SSL) has long been regarded as the final piece of the puzzle that protects a client's sensitive information over the Internet.
The SSL protocol was introduced by Netscape in 1994 and has been a key driver of e-commerce success. In case you are unfamiliar with the basics of SSL, it is the technology that secures the connection between you, the client, and the servers of the website you are visiting by establishing an encrypted link.
Businesses in the e-commerce sector require their clients to provide social security numbers and credit card numbers and to use login credentials to make purchases on their sites. SSL is therefore essential for transmitting a client's data securely from their browser to your servers. SSL encrypts this data so that an attacker who manages to intercept it cannot use it fraudulently.
While SSL certificates have continually secured websites and enabled secure information exchange, its ecosystem has also been noted as a source of the phishing kits crippling crypto exchanges. Recently, many platforms have experienced a growing number of vulnerabilities that aid hackers' efforts to steal vital information and the assets tied to it. For instance, the Heartbleed bug, a severe vulnerability, has been paving the way for unauthorized users to access protected information. Such flaws have caused a significant loss of trust in SSL, and tech enthusiasts and experts have started to consider blockchain as a potential replacement for SSL. But is it possible?
Relationship between the Blockchain and SSL certificates
Looking at the infrastructure of blockchain technology, you will notice that it is somewhat similar to SSL certificates, since it is also used to authenticate and secure digital transactions, although it does so pseudonymously. However, unlike SSL certificates, the capabilities of blockchain technology span far beyond securing digital transactions alone. The blockchain technology used to authenticate and secure digital transactions is known as the Blockchain Originated Certificate of Authenticity (BOCA). Just like SSL, BOCAs allow users to transfer digital information across websites safely and securely. This is actually the only similarity between blockchain and SSL certificates, as the two employ different protocols to achieve security.
BOCA protocols encompass sophisticated mechanisms to authenticate users and protect their private information. First, a Keyless Security Infrastructure (KSI) stores data hashes on blocks and runs a hashing algorithm to verify them. Second, BOCA does not integrate Public Key Infrastructure (PKI) into its system the way SSL does. PKI has been identified as vulnerable to man-in-the-middle and DDoS attacks; because BOCA leaves this process out, any manipulation of data in the system can easily be identified, since the original hash will still be available on the other nodes attached to the system.
Security achieved via blockchain technology therefore goes far beyond asymmetric encryption and the caching of public keys. Unlike SSL certificates, which can be compromised and give access to sensitive information, BOCAs are tamper-proof thanks to the underlying blockchain infrastructure. Additionally, BOCAs have a single central authority, referred to as a DID (Decentralized ID), unlike SSL, which has multiple certificate authorities.
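The mechanism described above, as an added illustration that is not code from the original article or from any BOCA or KSI implementation: each node keeps only hashes of the records in a chain of blocks, a local check catches an edit that was not re-hashed, and comparing head hashes across nodes exposes a node that rewrote and rebuilt its whole chain. The node names and records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # constructed placeholder for "no previous block"

@dataclass
class Block:
    index: int
    data_hash: str  # SHA-256 of the record; the record itself is never stored on-chain
    prev_hash: str
    block_hash: str = ""

    def compute_hash(self) -> str:
        payload = f"{self.index}|{self.data_hash}|{self.prev_hash}".encode()
        return hashlib.sha256(payload).hexdigest()

def hash_record(record: bytes) -> str:
    return hashlib.sha256(record).hexdigest()

def build_chain(records):
    """Append one block per record, each committing to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        block = Block(i, hash_record(rec), prev)
        block.block_hash = block.compute_hash()
        chain.append(block)
        prev = block.block_hash
    return chain

def verify_chain(chain):
    """Local check: index of the first inconsistent block, or -1 if the chain is intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.compute_hash() != block.block_hash:
            return block.index
        prev = block.block_hash
    return -1

def cross_check(nodes):
    """Network check: names of nodes whose head hash disagrees with the majority."""
    heads = {name: chain[-1].block_hash for name, chain in nodes.items()}
    majority = max(set(heads.values()), key=list(heads.values()).count)
    return sorted(name for name, head in heads.items() if head != majority)

if __name__ == "__main__":
    records = [b"cert:alice", b"cert:bob", b"cert:carol"]  # constructed sample records
    nodes = {n: build_chain(records) for n in ("node1", "node2", "node3")}
    nodes["node3"] = build_chain([b"cert:alice", b"cert:mallory", b"cert:carol"])  # rewrote and rebuilt
    print(verify_chain(nodes["node3"]))  # -1: the forged chain is locally consistent
    print(cross_check(nodes))  # ['node3']: the other nodes still hold the original hashes
```

A node that edits a stored hash without rebuilding the later blocks is caught by `verify_chain` alone; only the cross-node comparison catches a full rebuild.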
The Flaws in SSL Systems
Many high-level institutions, including the National Institute of Science, Technology and Development Studies and Google, have discovered serious flaws in SSL systems that put the sensitive information of millions of users at risk. Google discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The authority (MC Holdings) issued certificates for Google domains despite not being in charge of those domains. This was a grave setback for the integrity of SSL certificates. The National Security Agency (NSA) has also reportedly been able to access the system when needed.
Versions of SSL and their Flaws
SSL 2.0 – the first version of SSL (released in February 1995)
- The handshake is unprotected, so a man-in-the-middle attack may go undetected
- It uses a weak MAC construction based on the MD5 hash function, leaving it vulnerable to length-extension attacks
- It assumes a single service with a fixed-domain certificate, which clashes with virtual hosting on web servers
SSL 3.0 (released in 1996)
- It remained in use until 2014, when the Google security team discovered a major security vulnerability
- Its derivation process relies heavily on the MD5 hash function, which is considered less secure and is not collision-resistant
Note: The next upgrade after SSL 3.0, released in 1999, was renamed Transport Layer Security (TLS)
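As an added example that is not from the original article, here is how a client built on Python's standard-library ssl module refuses the SSL 3.0 and early TLS versions listed above and verifies the server's certificate and hostname. SSL 2.0 does not appear in the ssl module's version enum at all, so it cannot be negotiated; the helper names are my own.

```python
import ssl

# Protocol versions the ssl module can name, oldest first. SSL 2.0 is not
# representable, so no context built with this module can negotiate it.
VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and verifies the peer."""
    # create_default_context() already requires a certificate, checks the hostname
    # against it and loads the system trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit floor, independent of Python version
    return ctx

def accepted_versions(ctx: ssl.SSLContext):
    """Version names the context is configured to negotiate, from its min/max bounds
    (this reflects the configuration, not what the linked OpenSSL build supports)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = VERSIONS[-1]
    return [v.name for v in VERSIONS if lo <= v <= hi]

def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Single go/no-go check a deployment script can run on any context it is handed."""
    lo = ctx.minimum_version
    modern = lo != ssl.TLSVersion.MINIMUM_SUPPORTED and lo >= ssl.TLSVersion.TLSv1_2
    return bool(modern and ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)

if __name__ == "__main__":
    ctx = hardened_client_context()
    print(accepted_versions(ctx))  # ['TLSv1_2', 'TLSv1_3']
    print(is_hardened(ctx))        # True
```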
Verdict: Why blockchain has been suggested as a potential SSL replacement
Surprisingly, most FinTech experts recommend blockchain as a potential solution to the weaknesses of the SSL system, despite the alarmingly high rate of security incidents in the crypto space. This is arguably not shocking because, after all, blockchain technology possesses more secure features than SSL certificates. Importantly, the security mishaps in the crypto universe should not be conflated with blockchain technology itself.
Both the crypto community and its critics have condemned cryptocurrency as one of the most disruptive inventions in the financial sector, but they overlook the benefits of the underlying technology (blockchain). When deployed in digital security, blockchain provides credible authentication of users and devices without necessarily relying on passwords.
SSL systems, on the other hand, employ end-to-end encryption that does not cover the metadata, which leads to leakage of sensitive information. This can be averted with blockchain technology, because the metadata used for communication is scattered across the distributed ledger, preventing the information from being collected at a central point and thereby stopping data leaks and cyber-espionage. Additionally, blockchain technology lets individual parties create unique cryptographic keys that go a long way toward verifying information and ensuring secure communication.
Even though blockchain is projected as the most suitable replacement for SSL certificates, crypto projects and platforms that use its mechanisms should observe the regulations requiring compliance with KYC (know your customer) and AML (anti-money laundering) laws. Additionally, blockchain technology, whose dominant feature is anonymity, cannot act in the same capacity as certificate authorities (CAs), whose role is to verify that the owner of a certificate is legitimate. Trust in the decision-maker is crucial to building faith in the overall system, and blockchain technology may not accomplish that.
Can blockchain be integrated with SSL?
Several blockchain-based SSL certificates have already been launched on the market; they achieve verification by generating consensus between different parties. These certificates eliminate the human factor (the CA) from digital transactions, thus providing stronger authentication. The distributed and decentralized nature of blockchain-based SSL certificates precisely verifies the integrity of digital transactions, making it impossible to launch a cyber-attack. Examples of these certificates include:
REMME – a blockchain-based system that assigns an SSL certificate to an individual device such as a smartphone or PC and stores the certificate information in a secure, blockchain-enabled database.
DNSChain – a blockchain-based DNS and HTTP server with a unique ability to enhance HTTPS security.
Reputable web browsers such as Google Chrome and Mozilla Firefox have made it compulsory for websites to use SSL/TLS encryption in an attempt to build a safer Internet. However, while SSL certificates have been used for a decade to provide communication security and privacy over the Internet, their flawed system puts users at risk of cyber-espionage. Meanwhile, even if blockchain seems like the best replacement, it lacks the human touch required to verify the legitimacy of a user.
Therefore, it is safe to say that, if correctly implemented, blockchain technology can fix the vulnerabilities of SSL certificates and fortify users' security online. Still, it is crucial that blockchain developers demonstrate that the technology is stable enough to uphold digital security and decentralize trust. It would be wrong to rush to cast out the CA decision-maker and replace it with a blockchain-enabled system without thorough research into all possible outcomes in the event of a cyber-attack.