The state-level attack on the SSL CA security model
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.

Essentially a state somewhere between Iraq and Pakistan snatched valid certs for:
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
- login.live.com
- "global trustee"

https://blog.torproject.org/blog/detecting-certificate-authority-compromises...
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
http://www.imperialviolet.org/2011/03/18/revocation.html (on epic failure of cert revocation lists implementations in browsers, failing open (!))
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-cert...
http://www.microsoft.com/technet/security/advisory/2524375.mspx

For over a week users of browsers, and the internet at large, were/was not informed by COMODO that their security was compromised. "Why not" is beyond many of us. Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.

Conclusion: protecting people must not be a priority in the SSL CA model.

In some places, failure of internet security means people die, and it is high time to start serious work to replace this time-and-time again proven flawed model with something that, at the very least, does not fail this tragically. DNSSEC is a good but insufficient start in this particular case.

Regards,
Martin
On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.
An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation. Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
* Dobbins, Roland (rdobbins@arbor.net) wrote:
On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.
An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation.
The fix here is to delete the compromised UID and revoke the certs, that's done immediately, then inform the public, no reason to wait after that. IF the speculations about a specific nation are true then there is a risk that people there run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed.
Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative.
Why? Surely the value of stolen certs is higher if the public do not know that they exist. /Joakim
On Mar 24, 2011, at 6:19 PM, Joakim Aronius wrote:
Surely the value of stolen certs is higher if the public do not know that they exist.
A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more valuable. Unfortunately, the general public neither know, understand, or care about such things. They happily click 'I Understand the Risks' or whatever the button says in their browsers of choice to accept self-signed certificates all the time. I don't know enough details of what actually transpired to have an actual opinion on the Comodo situation one way or another; but I can see both sides of the argument. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
* Roland Dobbins:
A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more valuable.
This is at odds with what happens in other contexts. Disclosure devalues information. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net> To: "nanog group" <nanog@nanog.org> Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered.
Isn't there any law that obliges companies to disclose security breaches that involve consumer data?
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck@genius.com> wrote:
----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net> To: "nanog group" <nanog@nanog.org> Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered.
Isn't there any law that obliges companies to disclose security breaches that involve consumer data?
I don't think SSL certs are consumer data, per se. Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to spin patches, and then widespread public discussion is the most responsible model approach. The public knowing before their browser knows how to handle the bad cert isn't helpful, unless you can effectively tell people how to get their browser to actually go verify every cert. -- -george william herbert george.herbert@gmail.com
* George Herbert (george.herbert@gmail.com) wrote:
Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to spin patches, and then widespread public discussion is the most responsible model approach. The public knowing before their browser knows how to handle the bad cert isn't helpful, unless you can effectively tell people how to get their browser to actually go verify every cert.
No. In the case of a remote exploitable hole in the client OS I agree, then the user can do nothing and will benefit if there is a patch before the knowledge of the problem is spread. But in this case it is a security hole in the server side. IF users are informed they can avoid using the service and thus avoid the risk. (And if the risk is to be on the wrong end of a stick, at least I would appreciate a warning.) So what about a general warning that secure communication with site X, Y and Z could be compromised? Maybe even a big warning on the sites themselves to give a warning before you login? (It could be removed by a 'man in the middle', but it would spread the word.) I wonder why that didn't happen.. /J
On Mar 24, 2011, at 2:44 PM, George Herbert wrote:
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck@genius.com> wrote:
----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net> To: "nanog group" <nanog@nanog.org> Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered.
Isn't there any law that obliges companies to disclose security breaches that involve consumer data?
I don't think SSL certs are consumer data, per se.
No, but, a weak SSL cert in use by your company could disclose consumer data due to its weakness. Owen
* Roland Dobbins:
On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered.
Private keys have been traded openly for years. For instance, when your browser tells you that a web site has been verified by "Equifax" (exact phrasing in the UI may vary), it's just not true. Equifax has sold its private key to someone else long ago, and chances are that the key material has changed hands a couple of times since. I can't see how a practice that is completely acceptable at the root certificate level is a danger so significant that state-secret-like treatment is called for once end-user certificates are involved. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On Mar 25, 2011, at 5:21 PM, Florian Weimer wrote:
I can't see how a practice that is completely acceptable at the root certificate level is a danger so significant that state-secret-like treatment is called for once end-user certificates are involved.
Again, I don't know enough about what happened to form an opinion one way or another. I'm just setting forth some reasons which spring to mind for not announcing this immediately, that's all. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
>>> On 3/25/2011 at 2:21 AM, Florian Weimer <fweimer@bfk.de> wrote:
> * Roland Dobbins:
>
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>
>>> Disclosure devalues information.
>
>> I think this case is different, given the perception of the cert as
>> a 'thing' to be bartered.
>
> Private keys have been traded openly for years. For instance, when
> your browser tells you that a web site has been verified by "Equifax"
> (exact phrasing in the UI may vary), it's just not true. Equifax has
> sold its private key to someone else long ago, and chances are that
> the key material has changed hands a couple of times since.
>
> I can't see how a practice that is completely acceptable at the root
> certificate level is a danger so significant that state-secret-like
> treatment is called for once end-user certificates are involved.

Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole AUSCANNZUKUS intelligence community) to simply form a shell company CA that could get a trusted cert in the distros or enlist a "legit" CA to do their patriotic duty (along with some $$$) and give up a key.

Heck, it's so easy, private industry sells this as a product for the law enforcement community. It's an easy recipe,

1) Go start your own CA (or buying an existing one may be easier, as Florian points out).
2) Get your key put in Windows, Firefox, Opera, etc.
3) Build an appliance that uses your key to do MIM attacks on the fly.
4) Sell appliance to law enforcement (or anyone else with the money, maybe a smaller nation's intelligence apparatus?).
5) Profit!

Just Google around for commercial products aimed at LI that have this capability.

Commercial SSL/TLS, i.e. using built-in CAs, offers no protection against nation-states at the intelligence or law enforcement level.
-- Crist Clark Network Security Specialist, Information Systems Globalstar 408 933 4387
* Crist Clark:
Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole AUSCANNZUKUS intelligence community) to simply form a shell company CA that could get a trusted cert in the distros or enlist a "legit" CA to do their patriotic duty (along with some $$$) and give up a key.
I think this is far too complicated. You just add your state PKI to the browsers, and the CPS does not require any checks on the Common Name, to verify it's actually somehow controlled by the certificate holder. Curiously, such CAs can pass Webtrust audits. Now I'm a realist and assume that the bureaucrats involved are just too incompetent to write a proper CPS (and the auditors too lazy to notice). Authoring policies and paying attention to detail, should be second nature to them, but somehow I doubt that the FPKI (say) issues certificates for non-federal entities to help with ongoing FBI investigations. (Same for the German government agencies who actually managed to get Mozilla approval for their non-CN-checking CAs.) -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
>>> On 3/29/2011 at 12:30 AM, Florian Weimer <fweimer@bfk.de> wrote:
> * Crist Clark:
>
>> Any large, well funded national-level intelligence agency
>> almost certainly has keys to a valid CA distributed with
>> any browser or SSL package. It would be trivial for the US
>> Gov't (and by extension, the whole AUSCANNZUKUS intelligence
>> community) to simply form a shell company CA that could get
>> a trusted cert in the distros or enlist a "legit" CA to do
>> their patriotic duty (along with some $$$) and give up a key.
>
> I think this is far too complicated. You just add your state PKI to
> the browsers, and the CPS does not require any checks on the Common
> Name, to verify it's actually somehow controlled by the certificate
> holder. Curiously, such CAs can pass Webtrust audits.
>
> Now I'm a realist and assume that the bureaucrats involved are just
> too incompetent to write a proper CPS (and the auditors too lazy to
> notice). Authoring policies and paying attention to detail, should be
> second nature to them, but somehow I doubt that the FPKI (say) issues
> certificates for non-federal entities to help with ongoing FBI
> investigations. (Same for the German government agencies who actually
> managed to get Mozilla approval for their non-CN-checking CAs.)

I would expect intelligence agencies to not use CA certificates that are publicly associated with a gov't owned or operated CA. It makes it too easy for the target to figure out they are being spied on and by whom. To a lesser extent, the same goes for law enforcement. They could not care less about being discovered after the fact, but may not want the surveillance target to know they are being watched.

Here's a Wired Threat Level blog entry, from just about a year ago, about these commercially available tools for law enforcement,

http://www.wired.com/threatlevel/2010/03/packet-forensics/

-- Crist Clark Network Security Specialist, Information Systems Globalstar 408 933 4387
What other choice does the public have? By locking them into the current trust model (for good or bad), the community has created this mess. Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before. -----Original Message----- From: Dobbins, Roland [mailto:rdobbins@arbor.net] Sent: Thursday, March 24, 2011 3:28 AM To: nanog group Subject: Re: The state-level attack on the SSL CA security model ... Unfortunately, the general public neither know, understand, or care about such things. They happily click 'I Understand the Risks' or whatever the button says in their browsers of choice to accept self-signed certificates all the time. ...
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following: 1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA). 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it"). The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following: 1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA). 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it"). The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
Not entirely unreasonable. A button for "friend" and then one for "trusted friend" :) On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A <bora@pnl.gov> wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following:
1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA).
2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it").
The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
Thanks The other point I wanted to make is that not every solution is going to work for every person. If we can improve the current state of things and make life better for say another 50% of users, that's better than what we have now. For example in Firefox 4, I could write an extension (if possible) that intercepts the certificate acceptance dialog and instead does a web query to see how many of my friends and also their friends accepted the same cert and at least allow me to decide with more information than I am presented now. And you could argue that this should also apply to certs signed by CAs that are in the trust store of the web browser too. Just thinking out loud here. ----------------------------------------------------------------------------------------------- From: Dorn Hetzel [mailto:dorn@hetzel.org] Sent: Friday, March 25, 2011 9:24 AM To: Akyol, Bora A Cc: Valdis.Kletnieks@vt.edu; nanog group Subject: Re: The state-level attack on the SSL CA security model Not entirely unreasonable. A button for "friend" and then one for "trusted friend" :) On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A <bora@pnl.gov> wrote: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following: 1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA). 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it"). The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
On 25/03/2011 6:45 PM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 25 Mar 2011 09:19:52 PDT, "Akyol, Bora A" said:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)

Gee thanks. I'm going to have nightmares for *weeks* now... :)

Based on the Facebook model:

1. Friends - people among whom are some I most probably never knew before, or some I would not even say hello to.
2. Trusted friends - people I actually say hello to

I think you'll need "Highly trusted friends" as a 3rd level :) And that will hold for about 1 month, until people will start banging on your "inner circle" virtual door, and soon enough your list of trusted and highly trusted friends will start filling up.

What does "trusted" mean in this particular case ? There is no one list of criteria for being "trustworthy", and some people are more trusting than others. How would trustworthiness be measured anyhow ? How many people signed your thing, who are also trustworthy themselves (which means that their SIG was also signed by trustworthy people, see the vicious circle). And would people from a certain part of the globe or certain countries be more trustworthy based on their country trustworthiness, or maybe on their culture being more open and trusting ?

If this is to become some kind of global meaningful thing, it needs to be standardized, so it will have the same meaning regardless of where this is applied, and it will have straightforward means of "measuring" trust. Is there such a standard in place ?

Just for an example, we have in Israel a CA that is recognized by the government - they are allowed to issue certificates used for signing documents - and signing with certs issued by this CA is admissible in court under the electronic signatures law. The government has put up a certain standard for what a CA needs to do in order to be recognized as trustworthy. Only one CA in Israel attained this status. Does that mean they are trustworthy to you ? I don't think so. So it can't be a local thing, it needs to be a global thing, and the standard needs to be global and accepted as well.

--Ariel
On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A <bora@pnl.gov> wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
Indeed not very unreasonable at all, except a) it would be kind of unfortunate if Facebook would not make the data available under adequate conditions, b) Facebook can already infer level of relationships between people based on a whole lot of their other data (it's kind of what makes them spin). I agree in seeing it coming though: "Web-of-trust 2.0". soBGP takes on a similar approach to securing BGP. Not a bad idea at all at first sight, IMHO. Anyone knows why it died out and why other (perhaps poorer) ideas are floating around now? http://tools.ietf.org/html/draft-white-sobgp-architecture-02 Regards, Martin
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following:
1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA).
2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it").
The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
Except, of course, for the fact that people tend to have hundreds of "friends", many of whom they don't know at all, and who achieved that status simply by asking. You need a much stronger notion of interaction, to say nothing of what the malware in your "friends'" computers are doing to simulate such interaction. --Steve Bellovin, http://www.cs.columbia.edu/~smb
On 03/25/2011 11:12 PM, Steven Bellovin wrote:
On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
Except, of course, for the fact that people tend to have hundreds of "friends", many of whom they don't know at all, and who achieved that status simply by asking. You need a much stronger notion of interaction, to say nothing of what the malware in your "friends'" computers are doing to simulate such interaction.
Then again there are all the "friend us for a chance to win $prize" gimmicks... not a far jump to "friend us, _with trust bits enabled_ for a chance to win $prize" Yeah sounds like a wonderful idea. :P -- Joe Sniderman <joseph.sniderman@thoroquel.org>
On 3/26/11 15:36 , "Joe Sniderman" <joseph.sniderman@thoroquel.org> wrote:
On 03/25/2011 11:12 PM, Steven Bellovin wrote:
On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
Except, of course, for the fact that people tend to have hundreds of "friends", many of whom they don't know at all, and who achieved that status simply by asking. You need a much stronger notion of interaction, to say nothing of what the malware in your "friends'" computers are doing to simulate such interaction.
Then again there are all the "friend us for a chance to win $prize" gimmicks... not a far jump to "friend us, _with trust bits enabled_ for a chance to win $prize"
Yeah sounds like a wonderful idea. :P
Wasn't PGP based on a web of trust too?
On Mar 26, 2011, at 12:21 12AM, Franck Martin wrote:
On 3/26/11 15:36 , "Joe Sniderman" <joseph.sniderman@thoroquel.org> wrote:
On 03/25/2011 11:12 PM, Steven Bellovin wrote:
On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-)
Except, of course, for the fact that people tend to have hundreds of "friends", many of whom they don't know at all, and who achieved that status simply by asking. You need a much stronger notion of interaction, to say nothing of what the malware in your "friends'" computers are doing to simulate such interaction.
Then again there are all the "friend us for a chance to win $prize" gimmicks... not a far jump to "friend us, _with trust bits enabled_ for a chance to win $prize"
Yeah sounds like a wonderful idea. :P
Wasn't PGP based on a web of trust too?
Yes -- see Valdis' posting on that: http://mailman.nanog.org/pipermail/nanog/2011-March/034651.html --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Thu, Mar 24, 2011 at 6:19 AM, Joakim Aronius <joakim@aronius.se> wrote:
IF the speculations about a specific nation are true then there is a risk that people there run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed.
if speculation is true, then all bets are off, and telling anyone isn't necessarily going to help those under the thumb of the speculated attacker.... just sayin! (also, vote now, vote often for dane-wg to get its work done... dns-sec secured key fingerprints for ssl certs)
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
In some places, failure of internet security means people die
Those people know that using highly visible services like gmail and skype is asking to be exposed... -- Harald
On Mar 24, 2011, at 7:09 AM, Harald Koch wrote:
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
<snip> -- Harald
I'd hardly call the fact that it required manual blacklist patches to every browser a "success". SSL is a failure if real revocation requires creating a patch for browsers and relying on users to install it. -- bk
Harald Koch <chk@pobox.com> writes:
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
But revocation doesn't work, and people don't install updates, so this is only a *theoretical* success. -- Leif Nixon - Security officer National Supercomputer Centre - Swedish National Infrastructure for Computing Nordic Data Grid Facility - European Grid Infrastructure
Harald Koch <chk@pobox.com> wrote:
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
It would have been much easier if certificate revocation actually worked properly.

http://www.imperialviolet.org/2011/03/18/revocation.html

Tony.
-- f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5, occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good, occasionally poor at first.
Which is especially funny since Comodo is citing the fact that they've had no OCSP requests for the bad certs as evidence that they haven't been used.

--Richard

On Thu, Mar 24, 2011 at 10:53 AM, Tony Finch <dot@dotat.at> wrote:
Harald Koch <chk@pobox.com> wrote:
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
It would have been much easier if certificate revocation actually worked properly.
http://www.imperialviolet.org/2011/03/18/revocation.html
Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5, occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good, occasionally poor at first.
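The two points made in the replies above (revocation checks that fail open, and the absence of OCSP requests at the CA proving little) can be seen in a small model. This is an added example, not part of the thread: the responder, the path and the client policy are simplified stand-ins, and all names and the serial value are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"   # no answer: timeout, filtered, responder down

@dataclass
class Responder:
    """Toy stand-in for a CA's OCSP responder; logs every query it receives."""
    revoked: set
    log: list = field(default_factory=list)
    def query(self, serial):
        self.log.append(serial)
        return Status.REVOKED if serial in self.revoked else Status.GOOD

def ocsp_lookup(serial, responder, path_drops_ocsp):
    """Query over a network path that may silently drop revocation traffic."""
    if path_drops_ocsp:
        return Status.UNREACHABLE          # the responder never sees the request
    return responder.query(serial)

def client_accepts(serial, responder, path_drops_ocsp, hard_fail,
                   local_blocklist=frozenset()):
    """Return True if the client would proceed with the TLS connection."""
    if serial in local_blocklist:          # blocklist shipped in a browser update
        return False
    status = ocsp_lookup(serial, responder, path_drops_ocsp)
    if status is Status.REVOKED:
        return False
    if status is Status.UNREACHABLE:
        return not hard_fail               # soft-fail treats "no answer" as "good"
    return True

def run_scenarios(bad="SERIAL-PLACEHOLDER"):
    """Map scenario name -> (client accepted?, queries logged by the CA)."""
    out = {}
    for name, drops, hard, blocklist in [
        ("soft_fail_clean_path", False, False, frozenset()),
        ("soft_fail_filtered_path", True, False, frozenset()),
        ("hard_fail_filtered_path", True, True, frozenset()),
        ("blocklist_filtered_path", True, False, frozenset({bad})),
    ]:
        ca = Responder(revoked={bad})
        accepted = client_accepts(bad, ca, drops, hard, blocklist)
        out[name] = (accepted, len(ca.log))
    return out
```

In the filtered-path rows the CA's query log stays empty whether or not the certificate was presented, so an empty log says nothing about use; only the hard-fail client and the client carrying a shipped blocklist reject the revoked certificate there.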
On 24/03/11 10:09 -0400, Harald Koch wrote:
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
The point is that the 'short amount of time' should have been zero (from the time of the update of the CRL) which would have allowed an immediate announcement of the revocation to the public, with sufficient details for the public to make educated decisions about their internet usage. But because the CRL publication did not facilitate that, due to whatever deficiency there existed in the protocol or in browser implementations, announcement had to be delayed, providing a small group of attackers a larger window than necessary to compromise information.

-- Dan White
On Thu, Mar 24, 2011 at 7:09 AM, Harald Koch <chk@pobox.com> wrote:
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
In some places, failure of internet security means people die
Those people know that using highly visible services like gmail and skype is asking to be exposed...
This is definitively not true. There is no evidence of the active use of these services (or circumvention systems to reach them) being used as evidence or an indication that a particular target should be detained, threatened or punished, in Iran in particular and actually globally. I say this, because such evidence would actually reinforce some security recommendations that I and other human rights groups have made, so I'm always on the look out for it.

On the other hand, both gmail and Skype are used by many individuals on the assumption that they are more secure than the alternatives (non-SSL protected webmail or those with servers in local jurisdictions; unencrypted instant messaging clients). You can argue about whether these tools *are* more protective, but you certainly can't say that these high-risk groups use them on the understanding they can expect the same level of knowledge or retribution by their adversaries than if these systems were openly surveillable. A security breach like this makes the details of specific communications readable, which also places people who do *not* use these tools at far more risk also.

I'm personally not yet convinced that the attackers in this case were the Iranian state; that's something that is incredibly hard to ascertain, and I'm surprised Comodo were so quick to draw this conclusion. Even if these attacks came from Iran, that could be for false flag reasons, plus as others have pointed out, criminals have as much interest in obtaining these certificates as the Iranian state -- although factions within the Iranian government could certainly be potential clients. Other states might have an interest too. Just because you have an organisation with CA authority within the reach of a government doesn't mean you'd want to use those signing powers when dealing with dissidents.

The arguments on NANOG about why non-disclosure in this case might have been a good idea I think contribute to the debate.

Nonetheless, I'd strongly urge anyone not to assume that activists and journalists at physical risk in states like Iran assume that risk by using specific tools, or that major (if temporary) failures in the PKI structure don't put them and their colleagues at far greater risk.

Best,
d.

Danny O'Brien, Committee to Protect Journalists
https://cpj.org/internet
-- Harald
participants (23)
- Akyol, Bora A
- Ariel Biener
- Brian Keefer
- Christopher Morrow
- Crist Clark
- Dan White
- Danny O'Brien
- Dobbins, Roland
- Dorn Hetzel
- Florian Weimer
- Franck Martin
- Franck Martin
- George Herbert
- Harald Koch
- Joakim Aronius
- Joe Sniderman
- Leif Nixon
- Martin Millnert
- Owen DeLong
- Richard Barnes
- Steven Bellovin
- Tony Finch
- Valdis.Kletnieks@vt.edu