Taking a look at Convergence

Convergence is a secure replacement for the Certificate Authority System. It verifies certificates on web sites based on what notaries located around the Internet observe without any need for centralized validation.

The motivation for building a replacement for the existing CA trust model is quite simply that the old model is utterly broken. The web browsers on almost all computers in the world trust a scary number of certificate authorities. In the recent past several of these have had security breaches and I'm quite sure that we will see more of this in the coming years. Furthermore, the business models used by the existing CAs give them no incentive to take security too seriously, but instead drive the price up and make it prohibitively expensive or even impossible to use virtual hosting for SSL sites with SAN certificates.

At the moment the only client implementation for Convergence exists as a Firefox add-on. The whole thing is still very much a work in progress; however, the basic functionality seems to work well enough at this time. Just install the add-on and certificates for the SSL sites that you visit will be verified by Convergence rather than the built-in list of trusted CAs.

When Convergence is active you'll notice the difference when clicking on the left part of the address bar:


www.quickdns.dk uses a domain validated certificate from Equifax and the screenshot on the left shows how it is normally presented to the user. The one on the right shows how it looks when Convergence is doing the verification.

I don't know if Convergence will take off and actually replace what is in use now. Among others the people at Google have valid concerns regarding implementing it. However, if it paves the way for something better than the current trust model then that is certainly great.

The current state of the implementation

Having used Convergence on two of my computers for a week or so now, I have noticed a few things that are still not quite right. I'm confident that these issues will be worked out eventually.

No SNI support

Web sites can generally not rely on SNI yet so this is not fatal. Hopefully that will change in the not too distant future though.

If you are reading this using Internet Explorer on Windows XP or Android 2.x, stop doing that and get yourself a non-ancient web browser!

GitHub issue: Notary fails for sites relying on SNI

No IPv6 support

When browsing a dual-stack site (like www.quickdns.dk), having Convergence enabled forces IPv4 as far as I can tell.

GitHub issue: IPv6-enabled HTTPS sites don't load when convergence is enabled

Security exceptions not working

In my development setup I have a number of sites that are not reachable by the Convergence notaries and have the wrong name in their certificates as well. At the moment I have to disable Convergence completely to access them as I am unable to add a security exception.

GitHub issue: Cert exceptions for local internal sites don't work
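To make the notary idea and two of the issues above concrete, here is a simplified model of notary-based verification. It is an added example, not Convergence's own code or protocol: the notary names, the SHA-256 fingerprint, the majority quorum and the verdict strings are all assumptions, and the certificates are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the certificate bytes (hash choice is an assumption)."""
    return hashlib.sha256(cert_bytes).hexdigest()


@dataclass
class Observation:
    notary: str            # hypothetical notary name
    fp: Optional[str]      # None means the notary could not reach the host


def verdict(client_cert: bytes, observations: List[Observation], quorum: float = 0.5) -> str:
    """Accept only if more than `quorum` of the notaries saw the client's certificate."""
    total = len(observations)
    if total == 0 or all(o.fp is None for o in observations):
        return "unverifiable"   # nothing to compare against, e.g. an internal-only site
    seen = fingerprint(client_cert)
    agree = sum(1 for o in observations if o.fp == seen)
    return "accept" if agree / total > quorum else "reject"


def run_scenarios() -> dict:
    # Constructed stand-ins for DER certificates; only byte equality matters here.
    vhost, default, rogue = b"cert:vhost.example", b"cert:default-vhost", b"cert:rogue"
    names = ["notary-a", "notary-b", "notary-c"]

    def all_see(cert):
        fp = fingerprint(cert) if cert is not None else None
        return [Observation(n, fp) for n in names]

    return {
        # Client and notaries are served the same certificate.
        "normal": verdict(vhost, all_see(vhost)),
        # Only the client's path is intercepted; the notaries still see the real cert.
        "local_interception": verdict(rogue, all_see(vhost)),
        # Client sends SNI and gets the vhost cert; notaries without SNI get the default one.
        "sni_mismatch": verdict(vhost, all_see(default)),
        # Development host that no notary can reach.
        "internal_site": verdict(vhost, all_see(None)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20} {result}")
```

The `sni_mismatch` case is rejected even though nothing is wrong with the site, which is the kind of false positive the SNI issue describes, and `internal_site` shows why a working security exception is needed for hosts the notaries cannot see.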
