WYTM?

Ian Grigg iang at systemics.com
Mon Oct 13 22:07:39 EDT 2003


Eric Rescorla wrote:
> 
> Ian Grigg <iang at systemics.com> writes:
> > I'm sorry, but, yes, I do find great difficulty
> > in not dismissing it.  Indeed being other than
> > dismissive about it!
> >
> > Cryptography is a special product, it may
> > appear to be working, but that isn't really
> > good enough.  Coincidence would lead us to
> > believe that clear text or ROT13 were good
> > enough, in the absence of any attackers.
> >
> > For this reason, we have a process.  If the
> > process is not followed, then coincidence
> > doesn't help to save our bacon.

> Disagree. Once again, SSL meets the consensus threat
> model. It was designed that way partly unconsciously,
> partly due to inertia, and partly due to bullying by
> people who did have the consensus threat model in mind.


(If you mean that the ITM is consensus, I grant
you that two less successful protocols follow
it - S/MIME and IPSec (partly) but I don't
think that makes it consensus.  I know there
are a lot of people who don't think in any other
terms than this model, and that is the issue!
There are also a lot of people who think in
terms completely opposed to ITM.

So to say that ITM is consensus is something
that is going to have to be established.

If that's not what you mean, can you please
define?)


> That's not the design process I would have liked,
> but it's silly to say that a protocol that matches
> the threat model is somehow automatically the wrong
> thing just because the designers weren't as conscious
> as one would have liked.


I'm not sure I ever said that the protocol
doesn't match the threat model - did I?  What
I should have said and hoped to say was that
the protocol doesn't match the application.

I don't think I said "automatically," either.
I did hold out hope in that rant of mine that
the designers could have accidentally got it
right.  But, they didn't.

Now, SSL, by itself, within the bounds of the
ITM is actually probably pretty good.  By all
reports, if you want ITM, then SSL is your
best choice.

But, we have to be very careful to understand
that any protocol has a given set of characteristics,
and its applicability to an application is an
uncertain thing;  hence the process of the threat
model and the security model.  In SSL's case, one
needs to say "use SSL, but only if your threat
model is close to ITM."  Or similar.  Hence the
title of this rant.

The error of the past has been that too many
people have said something like "Use SSL, because
we already got it right."  Which, unfortunately,
skips the whole issue of what threat model one
is dealing with.  Just like happened with secure
browsing.

In this case, the ITM was a) agreed upon after
the fact to fill in the hole, and b) not the right
one for the application.


> > > And on the client side the user can, of course, click "ok" to the "do
> > > you want to accept this cert" dialog. Really, Ian, I don't understand
> > > what it is you want to do. Is all you're asking for to have that
> > > dialog worded differently?
> >
> >
> > There should be no dialogue at all.  Going from
> > HTTP to HTTPS/self signed is a mammoth increase
> > in security.  Why does the browser say it is
> > less/not secure?
> Because it's giving you a chance to accept the certificate,
> and letting you know in case you expected a real cert that
> you're not getting one.


My interpretation - which you won't like - is that
it is telling me that this certificate is bad, and
asking me whether I am sure I want to do this.

A popup is synonymous with bad news.  It shouldn't be
used for good news.  As a general theme, that is,
although this is the reason I cited that paper:  others
have done work on this and they are a long way ahead
in their thinking, far beyond me.


> > > It's not THAT different from what
> > > SSH pops up.
> >
> >
> > (Actually, I'm not sure what SSH pops up, it's
> > never popped up anything to me?  Are you talking
> > about a windows version?)
> SSH in terminal mode says:
> 
> "The authenticity of host 'hacker.stanford.edu (171.64.78.90)' can't be established.
> RSA key fingerprint is d3:a8:90:6a:e8:ef:fa:43:18:47:4c:02:ab:06:04:7f.
> Are you sure you want to continue connecting (yes/no)? "
> 
> I actually find the Firebird popup vastly more understandable
> and helpful.


I'm not sure I can make much of your point,
as I've never heard of nor seen a Firebird?


iang
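The SSH prompt quoted above is the visible end of a key-continuity (trust-on-first-use) check: the client pins a host's key the first time it is seen, connects silently when the same key is presented again, and refuses outright when the pinned key changes. The following is an added example of that mechanism in Python; it is not code from either participant in this thread nor from OpenSSH. The dictionary stands in for ~/.ssh/known_hosts, the two key blobs are constructed test data rather than real keys, and the hostname is lifted from the quoted prompt. The fingerprint format is the legacy MD5 colon-hex form shown in the quote.

```python
"""Trust-on-first-use host-key continuity, in the style of OpenSSH's known_hosts.
Added illustration for the SSH prompt quoted above; key blobs are constructed test data."""
import hashlib
from enum import Enum


class Verdict(Enum):
    KNOWN = "known"          # pinned key matches: connect silently
    FIRST_USE = "first-use"  # host never seen: the "Are you sure you want to continue?" prompt
    MISMATCH = "mismatch"    # pinned key differs: refuse, the case continuity defends against


def fingerprint(key_blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 over the public-key blob, as colon-separated hex
    (the format of the d3:a8:90:... line in the quoted prompt)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_host(known_hosts: dict, host: str, key_blob: bytes, accept_new: bool = True) -> Verdict:
    """Compare the presented key against the pin recorded for host.

    known_hosts maps host -> fingerprint (a stand-in for ~/.ssh/known_hosts).
    accept_new=True models the user answering "yes" at the first-use prompt.
    A mismatch never updates the pin; the user has to remove it deliberately."""
    fp = fingerprint(key_blob)
    pinned = known_hosts.get(host)
    if pinned is None:
        if accept_new:
            known_hosts[host] = fp
        return Verdict.FIRST_USE
    if pinned == fp:  # fingerprints are public values; a constant-time compare is not needed
        return Verdict.KNOWN
    return Verdict.MISMATCH


def simulate() -> list:
    """Three connections to one host: first contact, a repeat, then a substituted key."""
    known_hosts = {}
    host = "hacker.stanford.edu"  # hostname taken from the quoted prompt
    genuine_key = b"ssh-rsa constructed-genuine-host-key"  # constructed, not a real key
    substituted_key = b"ssh-rsa constructed-mitm-host-key"  # constructed, not a real key
    verdicts = [
        check_host(known_hosts, host, genuine_key),      # FIRST_USE: prompt, then pin
        check_host(known_hosts, host, genuine_key),      # KNOWN: silent
        check_host(known_hosts, host, substituted_key),  # MISMATCH: refuse
    ]
    # the pin still names the genuine key; the mismatch did not overwrite it
    assert known_hosts[host] == fingerprint(genuine_key)
    return verdicts


if __name__ == "__main__":
    for v in simulate():
        print(v.value)
```

The point the three outcomes make for the thread: the prompt appears only on first contact, the ordinary case is silent, and the case a key-continuity model actually defends against (a changed key) is a refusal rather than a dialogue. Later OpenSSH releases display SHA256 fingerprints in base64 by default; the MD5 colon form above is the one in the 2003 quote.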

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com