Maybe It's Snake Oil All the Way Down
Jeroen C. van Gelderen
jeroen at vangelderen.org
Tue Jun 3 17:21:49 EDT 2003
On Tuesday, Jun 3, 2003, at 01:13 US/Eastern, Lucky Green wrote:
> Given that SSL use is orders of magnitude higher than that of SSH, with
> no change in sight, primarily due to SSL's ease-of-use, I am a bit
> puzzled by your assertion that ssh, not SSL, is the "only really
> successful net crypto system".
(I noticed that SSL and HTTPS are sometimes used interchangeably in
this thread and sometimes not (i.e. STARTTLS). I'll concentrate on
HTTPS in this mail. Note that HTTPS is slightly broader than just SSL:
it also includes the browser interface.)
Absolute numbers are one measure. Another would be to consider the
ratio of HTTPS/HTTP and SSH/telnet. You could define a successful
protocol by ability to displace its unprotected equivalent. I for one
would consider that a more useful measure. I bet you find that HTTPS is
non-existent according to this definition, completely disappearing in
the noise. Interestingly (and IMHO correctly) enough OpenPGP fails this
test too. Miserably.
Perhaps that measure is too coarse-grained. For instance, in the domain
of "security advisories" most emails are digitally signed with OpenPGP.
And in the domain of online credit card payments HTTPS has displaced
HTTP.
But HTTPS covers only those transactions for which users demand
protection. Actually, that isn't quite correct. It is those
transactions for which the users want to *feel* [2] protected. It is
mindbogglingly easy to spoof an HTTPS site. Either with or without the
impostor using a certificate. (Today, I can register
http://www.e-g0ld.com/ and obtain a matching certificate for $100. All
the user will see is a lock icon and he thinks he is safely on
http://www.e-gold.com/.)
A large part of the problem obviously is the browser's user interface.
The other part mainly concerns the use of CA certificates. Self-signed
certificates only compound the problem by teaching the user bad habits.
("Oh, if the browser asks a question, just click yes." Guess what:
people will now always click "YES" on certificate-related questions,
whatever the question or warning is.)
Penetration? Even privacy-sensitive sites like, say,
http://www.cypherpunks.to/ do not utilize HTTPS by default. The
possibility of HTTPS access isn't even mentioned on the homepage. No
support for RFC 2817 and no transparent redirect either. You have to
manually change http: to https: for it to work.
Same for http://www.cryptorights.org/. When you manually go to the
HTTPS version you will note that they use a self-signed certificate
which:
a) requires user interaction and a user knowing what she is doing;
b) erodes the value of security questions (through teaching bad habits)
c) doesn't cache the key so subsequent MITM attacks are not defended against.
Another sensitive site? How about HTTPS access to Google ... ?
SSH on the other hand succeeded in protecting network infrastructure
nearly transparently. It virtually replaced telnet in places where it
matters (and a whole lot where it doesn't). I don't have to change
addresses or port numbers. Open-source UNIXes have it enabled by
default. It completely redefined how X screens are remoted for the
(small?) set of users that are interested in that. Of course its
protocol isn't perfect and it certainly is vulnerable to the MITM on
the first connection. But I bet it offers more real protection than
HTTPS, as *presently* implemented, ever will. SSH is the closest thing
to opportunistic encryption I know of.
I guess this is qualified agreement with Ian's statement that SSH is
the "only really successful net crypto system". I can only hope that
people will adopt the displacement ratio as a measure of success and
design their protocols (all the way up to the user interface)
accordingly.
Lifting and modifying a quote from Peter Gutmann's homepage:
"I think a lot of purists would rather have cryptographic protocols be
useless to anyone in any practical terms than to have it made simple
enough to use, but potentially "flawed"." -- with apologies to Chris
Zimman.
-J
[1] One exception would be the subset of mail roughly corresponding to
security advisories. There OpenPGP signatures are the norm.
[2] Airport "security" anyone?
--
Jeroen C. van Gelderen - jeroen at vangelderen.org
A single glass of beer was passed, from which I was the last
one to sip - a ritual signifying that I was not to be poisoned.
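
The key caching contrasted in the message above (item c on self-signed certificates, and SSH being exposed only on the first connection), as an added example that is not part of the original post. The names `PinStore`, `PinMismatch` and `host.example` and the key bytes are constructed for illustration; this is not SSH's known_hosts format.

```python
import hashlib
import json
import os
import tempfile


class PinMismatch(Exception):
    """Raised when a host presents a key that differs from the cached one."""


class PinStore:
    """Trust-on-first-use cache: host name -> SHA-256 fingerprint of its key."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, key_bytes):
        """Return 'first-use' or 'match'; raise PinMismatch on a changed key."""
        fp = hashlib.sha256(key_bytes).hexdigest()
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so this connection is
            # unauthenticated. Cache the key so later connections are checked.
            self.pins[host] = fp
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh)
            return "first-use"
        if known != fp:
            raise PinMismatch(f"{host}: cached {known[:16]}, got {fp[:16]}")
        return "match"


def demo():
    """Three connections to one host; the third presents a different key."""
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    real_key = b"constructed-public-key-A"   # constructed sample input
    other_key = b"constructed-public-key-B"  # constructed sample input
    results = [PinStore(path).check("host.example", real_key),
               PinStore(path).check("host.example", real_key)]
    try:
        PinStore(path).check("host.example", other_key)
    except PinMismatch:
        results.append("mismatch")
    return results
```

A client that skips the cache step treats every connection like the first one, which is the situation item c) describes.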