"The problem with DNSSEC is it requires implementing a new technology and a coordinated upgrade of infrastructure before we can take advantage of it," Wisniewski said. "With the adoption rates that we've seen so far that means we won't have a solution in place for ten or 15 years. That's not good enough."
Also proposed are two "pinning" techniques--Public Key Pinning Extension for HTTP and Trusted Assertions for Certificate Keys (TACK), which are similar.
They allow a website to amend an HTTP header to identify certificate authorities it trusts. A browser would store that information and only establish a connection to a website if it receives a certificate signed by a certificate authority trusted by the website.
The pinning proposals are the most likely to be adopted to cure the certificate problem, according to Wisniewski. "They could be adopted in short order," he said. "They allow people who want to take advantage of advanced security to do so right away, but it doesn't break any existing web browser that's not updated."
Whatever scheme browser makers adopt to address the certificate problem, they need to do it soon. Otherwise, snafus will continue to proliferate and trust on the Internet may be irreparably harmed.
Sign up for Computerworld eNewsletters.