Maybe It's Snake Oil All the Way Down

Jeroen C. van Gelderen jeroen at vangelderen.org
Tue Jun 3 17:21:49 EDT 2003


On Tuesday, Jun 3, 2003, at 01:13 US/Eastern, Lucky Green wrote:
> Given that SSL use is orders of magnitude higher than that of SSH, with
> no change in sight, primarily due to SSL's ease-of-use, I am a bit
> puzzled by your assertion that ssh, not SSL, is the "only really
> successful net crypto system".

(I noticed that SSL and HTTPS are sometimes used interchangeably in 
this thread and sometimes not (i.e. STARTTLS). I'll concentrate on 
HTTPS in this mail. Note that HTTPS is slightly broader than just SSL: 
it also includes the browser interface.)

Absolute numbers are one measure. Another would be to consider the 
ratio of HTTPS/HTTP and SSH/telnet. You could define a successful 
protocol by its ability to displace its unprotected equivalent. I for one 
would consider that a more useful measure. I bet you find that HTTPS is 
non-existent according to this definition, completely disappearing in 
the noise. Interestingly (and IMHO correctly) enough, OpenPGP fails this 
test too. Miserably.

Perhaps that measure is too coarse-grained. For instance, in the domain 
of "security advisories" most emails are digitally signed with OpenPGP. 
And in the domain of online credit card payments HTTPS has displaced 
HTTP.

But HTTPS covers only those transactions for which users demand 
protection. Actually, that isn't quite correct. It is those 
transactions for which the users want to *feel* [2] protected. It is 
mind-bogglingly easy to spoof an HTTPS site, either with or without the 
impostor using a certificate. (Today, I can register 
http://www.e-g0ld.com/ and obtain a matching certificate for $100. All 
the user will see is a lock icon and he thinks he is safely on 
http://www.e-gold.com/.)

A large part of the problem obviously is the browser's user interface. 
The other part mainly concerns the use of CA certificates. Self-signed 
certificates only compound the problem by teaching the user bad habits. 
("Oh, if the browser asks a question, just click yes." Guess what: 
people will now always click "YES" on certificate-related questions, 
whatever the question or warning is.)

Penetration? Even privacy-sensitive sites like, say, 
http://www.cypherpunks.to/ do not utilize HTTPS by default. The 
possibility of HTTPS access isn't even mentioned on the homepage. No 
support for RFC 2817 and no transparent redirect either. You have to 
manually change http: to https: for it to work.

Same for http://www.cryptorights.org/. When you manually go to the 
HTTPS version you will note that they use a self-signed certificate 
which:
  a) requires user interaction and a user
     knowing what she is doing;
  b) erodes the value of security questions
     (through teaching bad habits);
  c) doesn't cache the key so subsequent
     MITM attacks are not defended against.

Another sensitive site? How about HTTPS access to Google ... ?


SSH on the other hand succeeded in protecting network infrastructure 
nearly transparently. It virtually replaced telnet in places where it 
matters (and a whole lot where it doesn't). I don't have to change 
addresses or port numbers. Open-source UNIXes have it enabled by 
default. It completely redefined how X screens are remoted for the 
(small?) set of users that are interested in that. Of course its 
protocol isn't perfect and it certainly is vulnerable to the MITM on 
the first connection. But I bet it offers more real protection than 
HTTPS, as *presently* implemented, ever will. SSH is the closest thing 
to opportunistic encryption I know of.


I guess this is qualified agreement with Ian's statement that SSH is 
the "only really successful net crypto system". I can only hope that 
people will adopt the displacement ratio as a measure of success and 
design their protocols (all the way up to the user interface) 
accordingly.


Lifting and modifying a quote from Peter Gutmann's homepage:

"I think a lot of purists would rather have cryptographic protocols be 
useless to anyone in any practical terms than to have it made simple 
enough to use, but potentially "flawed"." -- with apologies to Chris 
Zimman.


-J


[1] One exception would be the subset of mail roughly corresponding to 
security advisories. There OpenPGP signatures are the norm.

[2] Airport "security" anyone?

-- 
Jeroen C. van Gelderen - jeroen at vangelderen.org

A single glass of beer was passed, from which I was the last
one to sip - a ritual signifying that I was not to be poisoned.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
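
The key caching that point c) of the mail finds missing for self-signed HTTPS certificates, and that confines SSH's MITM exposure to the first connection, sketched as a trust-on-first-use pin store. This is an added example, not part of the original mail; the class name, the JSON file format and the sample key bytes are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile

class PinStore:
    """Trust-on-first-use cache: 'host:port' -> SHA-256 of the server key."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host: str, port: int, key_bytes: bytes) -> str:
        """Return 'first-use', 'match' or 'MISMATCH' for the presented key."""
        name = f"{host.lower()}:{port}"
        seen = hashlib.sha256(key_bytes).hexdigest()
        pinned = self.pins.get(name)
        if pinned is None:
            # First contact: nothing to compare against, so this connection
            # is unauthenticated. Remember the key for every later one.
            self.pins[name] = seen
            self._save()
            return "first-use"
        # Later contact: a changed key is the one event worth interrupting
        # the user for, and it must never overwrite the stored pin silently.
        return "match" if pinned == seen else "MISMATCH"

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

def demo() -> list:
    """Constructed byte strings stand in for real server keys."""
    real, impostor = b"constructed-server-key", b"constructed-impostor-key"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        results = [PinStore(path).check("Example.test", 443, real)]
        # A fresh PinStore models a later session reading the saved cache.
        results.append(PinStore(path).check("example.test", 443, real))
        results.append(PinStore(path).check("example.test", 443, impostor))
        return results

if __name__ == "__main__":
    print(demo())
```

Only the first result depends on the user's judgement; the later two are decided by the cache, which is the property the self-signed HTTPS case lacks.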


