Convergence, an alternative to Certificate Authorities

In the aftermath of the DigiNotar hack, I wrote an article that mentioned we needed a silver bullet to solve the problems with the current state of SSL and certificate authorities. Of course, the Internet wouldn’t be the Internet if such a silver bullet didn’t emerge sooner or later. Famous hacker Moxie Marlinspike has announced Convergence, a tool to verify the identity of websites without the need for a Certificate Authority.

Currently, he is looking for browser manufacturers to get behind his new tool. Convergence is much more flexible than the current chain of trust, which relies on Certificate Authorities. It lets users choose so-called notaries, whom they trust to validate the identity of websites, rather than depend on the current, static list of CAs delivered by browser manufacturers. It is apparently very fast (you won’t notice it is there, says the Convergence website) and, more importantly, it will shield your identity-revealing information (IP address) from these notaries. That is good news for people in countries where the government monitors and censors the Internet (like Iran, China and The Netherlands). A notary will not be able to reveal your identity, so it will be impossible to determine in that way which sites you check through Convergence (someone could still be snooping on your traffic, of course).