The recent hack of the DigiNotar certificate authority has brought to light a major weakness in the underlying security architecture of the Web.
Almost all secure Web communications rely on SSL (Secure Sockets Layer) and the certificates used to verify the authenticity of the sites you are visiting. But if a certificate authority is compromised, all of that security and assurance of authenticity goes out the door. Browser makers and operating system vendors have been issuing updates to block fraudulent certificates that were issued through the DigiNotar hack. But what if there had been a way to flag the problems with the fraudulent DigiNotar certificates as Web surfers ran into them?
That is exactly what Convergence, a free Firefox extension, attempts to do. Rather than simply trusting a signed certificate, Convergence checks with several trusted certificate sites, or notaries. If all of the parties agree that the certificate is accurate, it's OK to go ahead and use the site. However, if the notaries detect a difference between what they have as valid certificates and what the browser is seeing, then the certificate will be flagged and the user can avoid that site.
Convergence is developed by well-known security researcher Moxie Marlinspike and is based on the principles of network perspective created by the Perspectives Project at Carnegie-Mellon. Interestingly, this group also has its own Firefox extension that is similar to Convergence.
Using Convergence is very simple. You go to the main Convergence site at http://convergence.io and install the extension in your Firefox browser. The extension is then added to your Add-Ons directory, and Convergence adds a button to the upper-right corner of the browser window. Clicking the button lets you temporarily disable Convergence and open the Options for the extension. The main setting in the options is the list of notaries that you want to trust. The tool comes with a few pre-defined notaries, and the idea is that, over time, more will become available. Advanced options let users configure caching, whether to communicate with notaries anonymously, and the threshold for verifying a certificate (notary consensus, a majority, or verification from just one notary).
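The notary check described above, and the three threshold settings just listed, can be illustrated with a small model. This is an added example and not Convergence's own code; the policy names, the `NotaryResponse` type and the sample certificate bytes are constructed for illustration, and real notaries compare the fingerprint of the DER-encoded certificate rather than a text string. The second scenario shows why the single-notary threshold is the weakest: one notary that sees the same bad certificate as the browser is enough to pass the site.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold policies as the article lists them (names assumed for this example):
CONSENSUS = "consensus"   # every reachable notary must agree with the browser
MAJORITY = "majority"     # more than half of the reachable notaries must agree
MINIMUM = "minimum"       # a single agreeing notary is enough


@dataclass
class NotaryResponse:
    """What one notary reports having seen for the host (None = unreachable)."""
    name: str
    fingerprint: Optional[str]


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint, the form notaries compare on."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify(seen: str, responses: List[NotaryResponse],
           policy: str = CONSENSUS) -> Tuple[bool, str]:
    """Decide whether the certificate the browser sees should be accepted.

    Returns (accepted, reason). Unreachable notaries never count as agreement,
    and a request that no notary answers fails closed.
    """
    answered = [r for r in responses if r.fingerprint is not None]
    if not answered:
        return False, "no notary reachable"
    agree = [r.name for r in answered if r.fingerprint == seen]
    disagree = [r.name for r in answered if r.fingerprint != seen]

    if policy == CONSENSUS:
        accepted = not disagree
    elif policy == MAJORITY:
        accepted = len(agree) > len(answered) / 2
    elif policy == MINIMUM:
        accepted = len(agree) >= 1
    else:
        raise ValueError(f"unknown policy {policy!r}")

    reason = f"{len(agree)}/{len(answered)} notaries agree"
    if disagree:
        reason += f"; mismatch reported by {', '.join(disagree)}"
    return accepted, reason


# Constructed sample data: the certificate the notaries have been seeing for the
# site, and a different one a compromised CA issued for the same name.
GENUINE_CERT = b"CONSTRUCTED CERT: CN=www.example.com issuer=LegitimateCA"
FRAUD_CERT = b"CONSTRUCTED CERT: CN=www.example.com issuer=CompromisedCA"
GENUINE_FP = fingerprint(GENUINE_CERT)
FRAUD_FP = fingerprint(FRAUD_CERT)

# Scenario 1: only the browser's path is being intercepted; notary C is down.
SCENARIO_INTERCEPTED = [
    NotaryResponse("notary-a", GENUINE_FP),
    NotaryResponse("notary-b", GENUINE_FP),
    NotaryResponse("notary-c", None),
]

# Scenario 2: one notary shares the intercepted path and sees the bad cert too.
SCENARIO_SPLIT = [
    NotaryResponse("notary-a", GENUINE_FP),
    NotaryResponse("notary-b", GENUINE_FP),
    NotaryResponse("notary-c", FRAUD_FP),
]


if __name__ == "__main__":
    for label, scenario in (("intercepted", SCENARIO_INTERCEPTED),
                            ("split view", SCENARIO_SPLIT)):
        for policy in (CONSENSUS, MAJORITY, MINIMUM):
            ok, why = verify(FRAUD_FP, scenario, policy)
            print(f"{label:12} {policy:10} -> {'accept' if ok else 'FLAG':6} ({why})")
```

Run as a script, the first scenario is flagged under every policy because no reachable notary has seen the fraudulent certificate; in the second, consensus and majority still flag it while the single-notary threshold accepts it.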
In my evaluation, Convergence was pretty seamless. I did run into a few problems when using enterprise Web applications for business, where some tasks wouldn’t complete while Convergence was enabled. Using the button to temporarily disable Convergence solved these issues.