Buying and selling root certificates
Not that SSL certificates are worth the paper they aren't printed on; I still find this vaguely disturbing. Just who do you think your computer is trusting?
http://www.websheji.com/domain-names/news/id506.html
Bob Parsons, CEO of Go Daddy, said that Starfield Technologies, a subsidiary of the company, bought an unused root certificate, trusted by 99% percent of the browsers from ValiCert Inc more than a year ago has been developing the system since then.
I'm not that interested in SSL for web servers, but I have noticed a gradual increase in the number of mail servers willing to STARTTLS with mine. I was experimenting with trying to verify some of the certificates presented; it's not real security, but makes the logs cleaner.
Sean Donelan <sean@donelan.com> writes:
I'm not that interested in SSL for web servers, but I have noticed a gradual increase in the number of mail servers willing to STARTTLS with mine. I was experimenting with trying to verify some of the certificates presented; it's not real security, but makes the logs cleaner.
Most of us who are willing to opportunistically do STARTTLS are using self-signed certificates anyway. We do this for many reasons; chief among the reasons I do so are:
1) More encrypted traffic running around the Internet is a _good thing_
2) Even if the contents of my email are PGP-encrypted, headers and transactions can still be passively monitored and collected. This is sufficient for drawing relationship graphs. Opportunistic TLS fixes this problem.
Note that "verifying the identity of the guy on the other end and thus eliminating man-in-the-middle attacks on my email" is not on the list. STARTTLS-capable MTAs vary in their ability to follow certificate chains anyway...
---Rob
Thus spake "Robert E. Seastrom" <rs@seastrom.com>
Most of us who are willing to opportunistically do STARTTLS are using self-signed certificates anyway. We do this for many reasons; chief among the reasons I do so are:
1) More encrypted traffic running around the Internet is a _good thing_
This is an oft-overlooked angle... If only sensitive information is encrypted, then the mere use of encryption makes one a target -- one buys a safe only if they have valuables to protect, right? However, if every home came with a safe, how would burglars figure out who to rob?
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
Unfortunately, one must then assume that other, less honest parties have the same success rate, and so the only defense is to make it impossible to determine _which_ traffic to decrypt and even who is talking to whom.
S
Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723             people. Smart people surround themselves with
K5SSS                  smart people who disagree with them." --Aaron Sorkin
On Thu, Apr 29, 2004 at 12:02:44AM -0500, stephen@sprunk.org said:
Thus spake "Robert E. Seastrom" <rs@seastrom.com>
Most of us who are willing to opportunistically do STARTTLS are using self-signed certificates anyway. We do this for many reasons; chief among the reasons I do so are:
1) More encrypted traffic running around the Internet is a _good thing_
This is an oft-overlooked angle... If only sensitive information is encrypted, then the mere use of encryption makes one a target -- one buys a safe only if they have valuables to protect, right? However, if every home came with a safe, how would burglars figure out who to rob?
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
<snip>
That assumes the FBI can be trusted to be honest about cases where encryption successfully foiled their investigations. It is in their best interest, after all, to have everyone, criminals included, think encryption is not worth using (_especially_ if it is). :)
OTOH, the average criminal is probably about as smart as the average user, which means the FBI wouldn't have to break the crypto, when they could just guess the criminal's passphrase/password with a minimum of effort ...
(that said, I absolutely agree that more crypto everywhere, for both important and trivial traffic, is essential to reducing the "unusual" nature of such traffic. Crypto should be the default, not the exception.)
</wishful thinking>
--
Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
Less and less is done until non-action is achieved
when nothing is done, nothing is left undone. -- the Tao of Sysadmin
On 29-apr-04, at 7:02, Stephen Sprunk wrote:
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
I have a hard time believing this... So what do they do? Send a team in to retrieve the key from your system? Borrow some CPU time from the NSA?
At 11:10 AM 4/29/2004, Iljitsch van Beijnum wrote:
On 29-apr-04, at 7:02, Stephen Sprunk wrote:
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
I have a hard time believing this...
So what do they do? Send a team in to retrieve the key from your system? Borrow some CPU time from the NSA?
They secretly enter your house and put a hardware monitor on your keyboard to collect your passphrase as you type it in.
http://www.wired.com/news/privacy/0,1848,49455,00.html
If you use the NSA, then you can't prosecute. The NSA won't testify in court, because they won't divulge what their true capabilities are. So, you only use the NSA when the knowledge is more important than being able to prosecute.
Maybe this will cut down on unemployment a little: The Watergate burglars now have job opportunities :-)
Speaking on Deep Background, the Press Secretary whispered:
On 29-apr-04, at 7:02, Stephen Sprunk wrote:
The feds clearly have the power to get through or around encryption
I have a hard time believing this...
So what do they do? Send a team in to retrieve the key from your system? Borrow some CPU time from the NSA?
In the Scarfo case (a small-time Tony Soprano type) they did multiple black-bag entries to put a keysnatcher on his laptop. <http://www.epic.org/crypto/scarfo.html>
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Thus spake "Iljitsch van Beijnum" <iljitsch@muada.com>
On 29-apr-04, at 7:02, Stephen Sprunk wrote:
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
I have a hard time believing this...
The DOJ was directed by Congress to collect data and report back each year, and while I don't trust any law-enforcement types in general, I do trust in their fear of Congressional inquiries. Besides, given the FBI's past position on crypto, especially key escrow, I have a hard time believing they'd claim crypto wasn't a problem if it actually was -- that's counter-productive for them.
So what do they do? Send a team in to retrieve the key from your system? Borrow some CPU time from the NSA?
The reasons for the FBI's conclusion were not given. It's "common knowledge" that it's cheaper to attack the key-management systems (or the end systems) than the crypto, so that's one possibility. Another is that the existing implementations are flawed in ways that reveal the keys and/or plaintext. Last, it's possible that the plaintext was never recovered and the pattern of communication was enough evidence in itself.
S
Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723             people. Smart people surround themselves with
K5SSS                  smart people who disagree with them." --Aaron Sorkin
On Thu, 29 Apr 2004 00:02:44 CDT, Stephen Sprunk said:
The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.
Have to read those stats *very* carefully. What the FBI report actually *says* is that there were zero cases where they didn't eventually get the information they were looking for. That's a very clever use of spin control. :)
Remember - in the Scarfo case, they eventually got the info - after resorting to multiple black-bag jobs. I'm sure there were other cases where they got the info via bribery, informants, and plea-bargains, and I'd be very surprised if there were zero cases of rubber-hose crypto.
Yes, a *very* well funded and determined adversary can beat crypto (almost always by doing an end run around it). However, raising the bar to that level will eliminate all the successful attacks by lesser adversaries, and can also contribute to the bankrupting of the well-funded - even the FBI can afford only a few Scarfo-scale cases a year...
Speaking on Deep Background, the Press Secretary whispered:
Yes, a *very* well funded and determined adversary can beat crypto (almost always by doing an end run around it). However, raising the bar to that level will eliminate all the successful attacks by lesser adversaries, and can also contribute to the bankrupting of the well-funded - even the FBI can afford only a few Scarfo-scale cases a year...
This is now wildly OT, but to close:
a) CALEA, Carnivore etc. are ALL about cost-shifting. The Feebees used to talk about breaking cases with "a dime & a dime" meaning informants calls, and wiretaps. The current fights are about victims^H^Htargets of interest furnishing those dimes themselves.
b) Scarfo is a case that made little sense to many observers. Nicky was scarcely Vincent Gigante or Gotti; from what I've read, he ran a few girls and some policy [bookmaking] while Daddy is up the river. So why did the Feebees make such a BIG deal out of it? Donno; usually they are that dedicated only when a) HQ is leaning on them or B) they can be on TV....
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
In message <Pine.GSO.4.58.0404281950200.9806@clifden.donelan.com>, Sean Donelan writes:
Not that SSL certificates are worth the paper they aren't printed on; I still find this vaguely disturbing. Just who do you think your computer is trusting?
http://www.websheji.com/domain-names/news/id506.html Bob Parsons, CEO of Go Daddy, said that Starfield Technologies, a subsidiary of the company, bought an unused root certificate, trusted by 99% percent of the browsers from ValiCert Inc more than a year ago has been developing the system since then.
I'm not that interested in SSL for web servers, but I have noticed a gradual increase in the number of mail servers willing to STARTTLS with mine. I was experimenting with trying to verify some of the certificates presented, its not real security, but makes the logs cleaner.
Matt Blaze said it well: "A commercial CA will protect you from anyone from whom they won't take money."
Put another way, what's your threat model? Against what threats are you trying to defend yourself? Rob Seastrom seems to be trying to defend himself against passive eavesdroppers, for which SSL without certificate verification is an entirely adequate defense. If your concern is phishing, however, you need to check the certificate chain, the policies of the trust anchor (AKA "root CA"), and its reputation for actually enforcing those policies with proper verification. Verisign, for example, was fooled a few years ago by someone who claimed to be Microsoft -- but they had sufficient back-end verification that the spoof was detected. Is this good enough? What's your threat model...?
--Steve Bellovin, http://www.research.att.com/~smb
Steve asked:
Put another way, what's your threat model?
Reminder: That is THE question you ask first for any security question, where "security" is everything from door locks at home, parking spaces at dinner ....to # of guards with M-16's at the data center.
And you should ask it 3-4 times, and see what variety of answers you get..... Then ask again at the next review. (Things Change -- just recall who our biggest ally was in defeating Hitler...and against Iran...)
I see lots of people putting {virtual} vault doors on straw houses.
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
On Wed, 28 Apr 2004, Steven M. Bellovin wrote:
Matt Blaze said it well: "A commercial CA will protect you from anyone from whom they won't take money."
With current SSL implementations, you have to rely on all of the commercial CAs not taking the money. Any match wins.
verification that the spoof was detected. Is this good enough? What's your threat model...?
My threat model was simple :-) I wanted to reduce the messages in my logs about certificate verification failures. I could load a few widely used CA's or I could just turn certificate verification off (the default) and the messages would stop.
Eric Rescorla gave a good talk at USENIX Security last year called "The Internet is Too Secure Already" http://www.rtfm.com/TooSecure-usenix.pdf
Part of his talk was the threat model mismatch on the Internet.
- Excessive concern with active attacks
- Taking cryptanalytic attacks too seriously
- Forgetting about other threats
Ok so I send an email to a friend at SBC. Here's the result.
The original message was received at Wed, 28 Apr 2004 23:23:51 -0400
from pc2.rocknyou.com [192.168.1.28]
----- The following addresses had permanent fatal errors -----
<myfriend223@ameritech.net>
(reason: 553 5.3.0 DNSBL:To request removal of,[xx.xx.xxx.111],send an E-mail to removeme@sbc.sbcglobal.net)
----- Transcript of session follows -----
... while talking to mx1-klmzmi.klmzmi.ameritech.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 553 5.3.0 DNSBL:To request removal of,[xxx.xxx.xx.177],send an E-mail to removeme@sbc.sbcglobal.net
501 5.6.0 Data format error
Ok, I send an email to removeme@sbc.sbcglobal.net
result:
The original message was received at Wed, 28 Apr 2004 23:24:09 -0400
from pc2.rocknyou.com [192.168.1.28]
----- The following addresses had permanent fatal errors -----
<removeme@sbc.sbcglobal.net>
(reason: 550 5.0.0 Access denied)
----- Transcript of session follows -----
... while talking to mx.dia.sbcglobal.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 550 5.0.0 Access denied
554 5.0.0 Service unavailable
Nice, why bother advertising such a removal via email?
Cheers
-Joe
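The two bounces above are the kind of thing a mail admin ends up pulling out of the logs by hand: one session is a DNSBL rejection that names the listed IP and a delisting address, the next is that very delisting address refusing mail. As an added example (not code from Joe or anyone else in this thread), here is a small Go parser for sendmail-style transcripts: it picks out the server replies, separates the three-digit reply code from the RFC 3463 enhanced status code, and recognises a DNSBL rejection together with the IP and contact it names, so the "Access denied" on the second session shows up as a plain permanent failure rather than a listing. The transcript constant is constructed to mirror the quoted bounce, with a documentation-range address in place of the poster's IP.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Reply is one SMTP server response line taken from a bounce transcript.
type Reply struct {
	Code     int    // three-digit reply code, e.g. 553
	Enhanced string // RFC 3463 enhanced status code such as "5.3.0", or ""
	Text     string // free-text reason the remote server gave
}

// Permanent reports whether the reply is a 5xx (permanent) rejection.
func (r Reply) Permanent() bool { return r.Code >= 500 && r.Code <= 599 }

// DNSBLListed reports whether the remote rejected the session because the
// sending IP is on a DNS blocklist. Servers word this differently; the form
// checked here is the "DNSBL:" prefix seen in the transcript quoted above.
func (r Reply) DNSBLListed() bool {
	return r.Permanent() && strings.HasPrefix(strings.ToUpper(r.Text), "DNSBL")
}

var (
	// "<<< " marks lines the remote server sent; a bare "NNN x.y.z text" line is
	// the final status sendmail records. Client lines (">>> ") never match.
	replyRe   = regexp.MustCompile(`^(?:<<< )?([245]\d\d)(?: ([245]\.\d{1,3}\.\d{1,3}))? ?(.*)$`)
	ipRe      = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
	contactRe = regexp.MustCompile(`[\w.+-]+@[\w-]+(?:\.[\w-]+)+`)
)

// ParseReplies extracts every server reply from a transcript, in order.
func ParseReplies(transcript string) []Reply {
	var out []Reply
	for _, line := range strings.Split(transcript, "\n") {
		m := replyRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		code, _ := strconv.Atoi(m[1]) // cannot fail: the pattern matched three digits
		out = append(out, Reply{Code: code, Enhanced: m[2], Text: m[3]})
	}
	return out
}

// ListedIP returns the address a DNSBL rejection names in brackets, or "".
func (r Reply) ListedIP() string {
	if m := ipRe.FindStringSubmatch(r.Text); m != nil {
		return m[1]
	}
	return ""
}

// RemovalContact returns the first e-mail address in the reply text, which is
// what a DNSBL rejection advertises as its delisting channel (if any).
func (r Reply) RemovalContact() string { return contactRe.FindString(r.Text) }

// sampleBounce is a constructed transcript modelled on the bounce quoted in
// this thread; 192.0.2.177 is a documentation address, not the poster's.
const sampleBounce = `----- Transcript of session follows -----
... while talking to mx1-klmzmi.klmzmi.ameritech.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 553 5.3.0 DNSBL:To request removal of,[192.0.2.177],send an E-mail to removeme@sbc.sbcglobal.net
501 5.6.0 Data format error
----- Transcript of session follows -----
... while talking to mx.dia.sbcglobal.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 550 5.0.0 Access denied
554 5.0.0 Service unavailable`

func main() {
	for _, r := range ParseReplies(sampleBounce) {
		fmt.Printf("%d %-5s permanent=%-5v dnsbl=%-5v ip=%-12s contact=%s\n",
			r.Code, r.Enhanced, r.Permanent(), r.DNSBLListed(), r.ListedIP(), r.RemovalContact())
	}
}
```

Run with `go run` to see one summary line per server reply. The regexp deliberately ignores the client's `>>>` lines and sendmail's own prose, so feeding it a whole mail log is safe; only the remote server's verdicts are classified.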
Joe,
Nice, why bother advertising such a removal via email?
Because everyone is really meant to also own a Hotmail, AOL, Yahoo, gmail, or some such "reputable" email service that you use for instances like this.
OR... set your outbound SMTP server to your upstream's so that at least this message goes out correctly. In your case (for 24.61.68.177) you would use Comcast's SMTP name, whatever that is.
Martin
---
At 08:31 PM 4/28/2004, joe wrote:
Ok so I send an email to a friend at SBC. Here's the result.
The original message was received at Wed, 28 Apr 2004 23:23:51 -0400 from pc2.rocknyou.com [192.168.1.28]
----- The following addresses had permanent fatal errors ----- <myfriend223@ameritech.net> (reason: 553 5.3.0 DNSBL:To request removal of,[xx.xx.xxx.111],send an E-mail to removeme@sbc.sbcglobal.net)
----- Transcript of session follows ----- ... while talking to mx1-klmzmi.klmzmi.ameritech.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 553 5.3.0 DNSBL:To request removal of,[xxx.xxx.xx.177],send an E-mail to removeme@sbc.sbcglobal.net
501 5.6.0 Data format error
Ok, I send an email to removeme@sbc.sbcglobal.net result:
The original message was received at Wed, 28 Apr 2004 23:24:09 -0400 from pc2.rocknyou.com [192.168.1.28]
----- The following addresses had permanent fatal errors ----- <removeme@sbc.sbcglobal.net> (reason: 550 5.0.0 Access denied)
----- Transcript of session follows ----- ... while talking to mx.dia.sbcglobal.net.:
>>> MAIL From:<joej@rocknyou.com>
<<< 550 5.0.0 Access denied
554 5.0.0 Service unavailable
Nice, why bother advertising such a removal via email?
Cheers -Joe
Because everyone is really meant to also own a Hotmail, AOL, Yahoo, gmail, or some such "reputable" email service that you use for instances like this.
Lol. ok so Yes an entry like
aol.com smtp:[smtp.comcast.net]
cs.com smtp:[smtp.comcast.net]
in mailertable is fine, but why advertise such a bogus means of a fix? As well, I'm not hotmail nor AOL so little guys are mucked up then.
OR... set your outbound SMTP server to your upstream's so that at least this message goes out correctly. In your case (for 24.61.68.177) you would use Comcast's SMTP name, whatever that is.
Martin,
And perhaps you mean ip-66-xx.xxx.xx.dsl.bos.megapath.net (66.xx.xx.xx) as well.. Nonetheless, this doesn't support the response of "email xxx@xx.com to request removal" being 550 access denied. Perhaps this is some sort of spam deterrent?
Cheers Martin, Used to be out there in PacBell land too, 5 IPs via DSL. Ahh, Lucky guy.
Martin
-Joe
The reason is that the spammer is spoofing a removal address, as do most of them. The best advice I can give anyone is to never respond to an unsolicited email. If you do not wish to go to the trouble to report it to, say, spamcop, then just delete it. Responses to unsolicited email only confirm your email address is good, and will subject you to an even heavier spew of the junk mail.
======================================
We can get rid of spam on your domain! , Anti-spam solutions http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
----- Original Message -----
From: "joe" <joej@rocknyou.com>
To: <nanog@merit.edu>
Sent: Wednesday, April 28, 2004 10:31 PM
Subject: Spam handling
:
: Ok so I send an email to a friend at SBC. Here's the result.
:
: The original message was received at Wed, 28 Apr 2004 23:23:51 -0400
: from pc2.rocknyou.com [192.168.1.28]
:
: ----- The following addresses had permanent fatal errors -----
: <myfriend223@ameritech.net>
: (reason: 553 5.3.0 DNSBL:To request removal of,[xx.xx.xxx.111],send an
: E-mail to removeme@sbc.sbcglobal.net)
:
: ----- Transcript of session follows -----
: ... while talking to mx1-klmzmi.klmzmi.ameritech.net.:
: >>> MAIL From:<joej@rocknyou.com>
: <<< 553 5.3.0 DNSBL:To request removal of,[xxx.xxx.xx.177],send an E-mail to
: removeme@sbc.sbcglobal.net
: 501 5.6.0 Data format error
:
: Ok, I send an email to removeme@sbc.sbcglobal.net
: result:
:
: The original message was received at Wed, 28 Apr 2004 23:24:09 -0400
: from pc2.rocknyou.com [192.168.1.28]
:
: ----- The following addresses had permanent fatal errors -----
: <removeme@sbc.sbcglobal.net>
: (reason: 550 5.0.0 Access denied)
:
: ----- Transcript of session follows -----
: ... while talking to mx.dia.sbcglobal.net.:
: >>> MAIL From:<joej@rocknyou.com>
: <<< 550 5.0.0 Access denied
: 554 5.0.0 Service unavailable
:
: Nice, why bother advertising such a removal via email?
:
: Cheers
: -Joe
:
:
----- Original Message -----
From: "joe" <joej@rocknyou.com>
To: <nanog@merit.edu>
Sent: Thursday, April 29, 2004 1:31 PM
Subject: Spam handling
Ok so I send an email to a friend at SBC. Here's the result.
<Blowin' in the wind type snip>
Nice, why bother advertising such a removal via email?
Surely you must be joking? A guide to how to be spammed.
1) Click on most spam emails to let them know your address is to be spammed.
2) Failing that in 1, click on a "remove me" so they know you are still around.
....you were just lucky it said it is a dead address if it actually IS dead but my bet is that it isn't and that you have received a "dead letter office" reply from an active account. I can do that here and I am not a spammer so why can't a spammer?
Greg.
A self-signed certificate protects you against any _short term_ attack - the insurgent must maintain his own certificate, intercept your connections, and redirect my packets _BEFORE_ I connect the very first time (after that, I have the certificate and am protected). So, it is reasonable (to use commercial certificates) for public financial services (banks, e-commerce); all other kinds of services do not require it - all the insurgent can do is defraud you once in a lifetime... an unrealistic scenario.
Certificate Authorities are a very good example of a _blown up_ business. (Yes, they verify identity... what's the difference, if you maintain 1 or 100 domains under the same company name and the same basic level domains... A certificate should cost 20% for 1 year, not 400$.)
Do not overestimate the importance of it... it is more for public relations, not for real security. (But I never propose that any bank, any point of sale, any e-commerce use a self-signed certificate for a _public_ service... even if the risk is 0.000001%.)
----- Original Message -----
From: "Steven M. Bellovin" <smb@research.att.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: <nanog@merit.edu>
Sent: Wednesday, April 28, 2004 6:05 PM
Subject: Re: Buying and selling root certificates
In message <Pine.GSO.4.58.0404281950200.9806@clifden.donelan.com>, Sean Donelan writes:
Not that SSL certificates are worth the paper they aren't printed on; I still find this vaguely disturbing. Just who do you think your computer is trusting?
http://www.websheji.com/domain-names/news/id506.html
Bob Parsons, CEO of Go Daddy, said that Starfield Technologies, a subsidiary of the company, bought an unused root certificate, trusted by 99% percent of the browsers from ValiCert Inc more than a year ago has been developing the system since then.
I'm not that interested in SSL for web servers, but I have noticed a gradual increase in the number of mail servers willing to STARTTLS with mine. I was experimenting with trying to verify some of the certificates presented; it's not real security, but makes the logs cleaner.
Matt Blaze said it well: "A commercial CA will protect you from anyone from whom they won't take money."
Put another way, what's your threat model? Against what threats are you trying to defend yourself? Rob Seastrom seems to be trying to defend himself against passive eavesdroppers, for which SSL without certificate verification is an entirely adequate defense. If your concern is phishing, however, you need to check the certificate chain, the policies of the trust anchor (AKA "root CA"), and its reputation for actually enforcing those policies with proper verification. Verisign, for example, was fooled a few years ago by someone who claimed to be Microsoft -- but they had sufficient back-end verification that the spoof was detected. Is this good enough? What's your threat model...?
--Steve Bellovin, http://www.research.att.com/~smb
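Several messages in this thread turn on the same mechanics: Sean's attempt to verify the certificates his STARTTLS peers present, Steve Bellovin's "check the certificate chain and the trust anchor", Sean's remark that with current implementations any CA in the list can vouch for any name ("any match wins"), and Alexei's point that a self-signed certificate only protects you from the second connection onward. The Go program below is an added example, not code from anyone in the thread; it mints throwaway certificates in memory with the standard library (every CA and host name is constructed) and puts the two models side by side: chain verification against a trust store, where a cert issued by a second, unrelated root is rejected until that root is added and accepted for the same host name afterwards, and a trust-on-first-use pin store, which accepts whatever it sees first and then flags any change.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds and signs a throwaway CA or server certificate for cn; with parent
// nil it is self-signed. Keys are fresh in-memory P-256 keys; names are constructed.
func mint(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // distinct enough for an in-memory demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// chainOK is what a verifying MTA asks: does leaf chain to any root in pool and
// is it valid for name? Which root vouched for it is not part of the question.
func chainOK(leaf *x509.Certificate, pool *x509.CertPool, name string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}

type PinStore map[string]string // trust-on-first-use store: host -> SHA-256 of the DER cert

// Check learns a host's cert on first contact and afterwards accepts only that
// one. A changed cert is what TOFU detects; the first contact is its blind spot.
func (s PinStore) Check(host string, c *x509.Certificate) (firstSeen, ok bool) {
	fp := fmt.Sprintf("%x", sha256.Sum256(c.Raw))
	if pinned, seen := s[host]; seen {
		return false, pinned == fp
	}
	s[host] = fp
	return true, true
}

// Scenario builds two unrelated roots, a server cert from each for the same
// host, and two self-signed certs for another host, then reports each check.
func Scenario() map[string]bool {
	const host, selfHost = "mx.example.test", "mx.selfsigned.test"
	root, rootKey := mint("Example Root CA", true, nil, nil)
	other, otherKey := mint("Some Other Root CA", true, nil, nil)
	leaf, _ := mint(host, false, root, rootKey)
	rival, _ := mint(host, false, other, otherKey)
	selfSigned, _ := mint(selfHost, false, nil, nil)
	impostor, _ := mint(selfHost, false, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	r := map[string]bool{
		"leaf_our_root":  chainOK(leaf, pool, host),           // true
		"rival_our_root": chainOK(rival, pool, host),          // false: its issuer is not in the store
		"self_signed":    chainOK(selfSigned, pool, selfHost), // false: chains to nothing
	}
	pool.AddCert(other) // the store now also trusts a second, unrelated CA
	r["rival_both_roots"] = chainOK(rival, pool, host) // true: any match wins
	pins := PinStore{}
	first, ok := pins.Check(selfHost, selfSigned)
	r["tofu_first"] = first && ok // true: learned; nothing to compare against yet
	_, ok = pins.Check(selfHost, impostor)
	r["tofu_changed"] = ok // false: a different cert for a pinned host is the alarm
	return r
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-17s %v\n", k, v)
	}
}
```

`go run` prints the six outcomes. The pin store is a plain map here; an MTA doing this for real would persist it and decide, per the threat model Steve asks about, whether a changed pin means "log and proceed" (Rob's passive-eavesdropper model) or "refuse" (Alexei's banking case).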