There's Convergence. It allows a browser to get a second opinion about a certificate from a source chosen by a user. "It's a brillant idea, but as soon as you get on a corporate network and you're behind a proxy or behind a network translator, it can break," Chet Wisniewski, a security advisor with Sophos, said in an interview.
There's DNSSEC. It uses the domain naming resolution system--the system that turns the common names of websites into numbers--to create a trusted link between user and website. Not only is the system not easy to understand, but implementation could take years.
"The problem with DNSSEC is it requires implementing a new technology and a coordinated upgrade of infrastructure before we can take advantage of it," Wisniewski said. "With the adoption rates that we've seen so far that means we won't have a solution in place for ten or 15 years. That's not good enough."
Also proposed are two "pinning" techniques--Public Key Pinning Extension for HTTP and Trusted Assertions for Certificate Keys (TACK), which are similar.
They allow a website to amend an HTTP header to identify certificate authorities it trusts. A browser would store that information and only establish a connection to a website if it receives a certificate signed by a certificate authority trusted by the website.
The pinning proposals are the most likely to be adopted to cure the certificate problem, according to Wisniewski. "They could be adopted in short order," he said. "They allow people who want to take advantage of advanced security to do so right away, but it doesn't break any existing web browser that's not updated."
Whatever scheme browser makers adopt to address the certificate problem, they need to do it soon. Otherwise, snafus will continue to proliferate and trust on the Internet may be irreparably harmed.