The TACK TLS extension verifies the authenticity of SSL certificates by binding a public key that is used to check the server's self-signed key.
Security researchers Trevor Perrin and Moxie Marlinspike have developed an extension to the Transport Layer Security (TLS) protocol that lets web browsers detect and block fake SSL certificates.
The new detection method is implemented in TACK (Trust Assertions for Certificate Keys), which has been submitted to the Internet Engineering Task Force (IETF), the international community that develops Internet protocols and architecture.
With TACK, a domain owner generates a private/public key pair called the TACK key. The private key is used to sign the server's TLS public key, which is the key browsers currently use to verify the authenticity of SSL certificates. The TACK public key is then sent to the browser and used to authenticate the TACK-signed TLS key.
In certain cases, the browser can bind the TACK public key received from the server to the domain name. If an attacker then tries to substitute the SSL certificate of a domain bound in this way, certificate authentication fails and the browser does not allow the connection.
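A toy model of the exchange described above, added here and not taken from the original article or from the TACK project's own code. It assumes Ed25519 in place of TACK's ECDSA P-256 and pins a host on first sight instead of following TACK's activation rules; the names SignTLSKey, Client.Connect and the sample key bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Tack models what the TLS extension carries: the domain's TACK public key and a
// signature over the server's TLS key (real TACK: ECDSA P-256, plus generation/expiry).
type Tack struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewTackKey generates the domain owner's TACK key pair, which stays offline.
func NewTackKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignTLSKey is the owner's step: sign a hash of the server's TLS public key.
func SignTLSKey(tackPriv ed25519.PrivateKey, tlsPub []byte) Tack {
	h := sha256.Sum256(tlsPub)
	return Tack{tackPriv.Public().(ed25519.PublicKey), ed25519.Sign(tackPriv, h[:])}
}

// Client is a browser remembering which TACK key each hostname is pinned to.
type Client struct{ pins map[string]ed25519.PublicKey }

func NewClient() *Client { return &Client{pins: map[string]ed25519.PublicKey{}} }

// Connect is the browser's check: the TACK must sign this connection's TLS key, and a
// pinned host must present the same TACK key. First sighting pins (simplified; real
// TACK activates a pin only after repeated sightings).
func (c *Client) Connect(host string, tlsPub []byte, t Tack) error {
	h := sha256.Sum256(tlsPub)
	if !ed25519.Verify(t.PublicKey, h[:], t.Signature) {
		return errors.New("TACK signature does not cover the presented TLS key")
	}
	if pinned, ok := c.pins[host]; ok && !pinned.Equal(t.PublicKey) {
		return errors.New("TACK key differs from pinned key: certificate substitution blocked")
	}
	c.pins[host] = t.PublicKey
	return nil
}
```

Note that a host the client has never pinned accepts whatever TACK it sees first; the protection only exists once a pin is in place.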
As the researchers explain, TACK is an attempt to solve the trust problem inherent in the PKI. According to them, the unreliability of SSL certificates became apparent last year after several security incidents at the certificate authorities Comodo and DigiNotar.
Recall that in both cases, after compromising the companies, attackers were able to create fake SSL certificates for popular domains such as Google.com, hotmail.com and mail.yahoo.com. Moreover, in the DigiNotar case the fake certificates were actively used to attack Iranian users of Google.
Perrin and Marlinspike also noted that, given how new technologies currently spread, it is difficult to predict how popular TACK will become, even if the IETF approves it.

25 May 2012
Posted by synt4x 