Who's afraid of Mallory Wolf?

Ian Grigg iang at systemics.com
Wed Mar 26 12:50:28 EST 2003


On Tuesday 25 March 2003 22:34, Steven M. Bellovin wrote:

> Let me quote what the (U.S.) 2nd Circuit Court of Appeals said in the
> T.J. Hooper case (60 F.2d 737, 1932):
> 
>         Indeed in most cases reasonable prudence is in fact common prudence;
>         but strictly it is never its measure; a whole calling may have unduly lagged
>         in the adoption of new and available devices.
>         It may never set its own tests, however persuasive be its usages.
>         Courts must in the end say what is required; there are precautions
>         so imperative that even their universal disregard will not
>         excuse their omission....
> 
>         But here there was no custom at all as to receiving sets; some had
>         them, some did not; the most that can be urged is that they had
>         not yet become general.  Certainly in such a case we need not
>         pause; when some have thought a device necessary, at least we may
>         say that they were right, and the others too slack.
> 
> Given that there were published warnings of *practical* MITM attacks (my 
> papers, Radia Perlman's dissertation on secure routing, Lawrence 
> Joncheray's paper on TCP hijacking, etc.), I have no doubt whatsoever 
> what a (U.S.) court would have ruled if there had ever been a real attack.

I'm sorry, I won't be able to do more than
speculate on this, and I wasn't aware of
your legal background, so please take the
below as "not advice."  I.e., IANAL and
all that.

Courts are notoriously difficult to predict.
That's why they say "take legal advice" :-)

And, it may very well be that Netscape
took legal advice, and at that time, it did
seem that MITM protection at the level
of CA-certificates was a reasonable choice
(c.f., David Wagner's post) amongst other
reasonable choices, so I don't think there
is any doubt that what was done back in
'94 was reasonable in the circumstances.

But, on the face of it, you appear to be
saying that because the court saw warnings
then it ruled that the warnings were sufficient.

I don't read that at all.  I see that interpretation
as a Chicken Little argument.  This opens the
way to Info-war style consultants saying that
because you were warned, you are liable.

That above snippet says "there are precautions
so imperative" which implies the court had already
reached its opinion on the merits of this protection,
which is precisely what this discussion has
aimed to address.  In fact, the court said very
clearly that it is the one to decide what the test
is - not the industry.

The court then went on to say that, as it found
the precautions imperative, and as the industry
had warned, albeit controversially, then, it
concluded, relying on the lack of industry custom
and agreement as a defence was insufficient.

So, with respect, I would say that the above
should be read as "do not rely on discordant
others, be they so-called experts or Chicken
Littles on either side, in applying your own
prudential measures," which is quite the
reverse of your reading.



Now, the above is speculation;  not having
the full ruling and the full training, one can't
do more.  But, to take mere warnings as
liabilities is to forgo one's profession as an
engineer, and hand one's responsibilities
over on the one hand to the religious seers
of doom, and on the other, to the lawyers.

The ludicrousness of this approach is
perhaps more crystallised when we consider
that half of the world's web servers are
shipped for free (c.f. Apache).  The crypto
components are still, AFAIK, dealt with
outside America for the most part.

And, a growing share of browsers are now
shipping for free or near-free.  We've seen
over the last year or so, Konqueror, Mozilla,
and Safari rise to take back the forgotten
gauntlet of "browser for the rest of us."

These are not sold products.  There are no
contracts that imply security.  The world
of open source is not necessarily going to
be treated in the courts the same as a
purchased product with implicit liabilities
of a consumer nature.

I grant that America may be moving towards
a world where Eric Y or Ben L will be norieged
and haled before a California court in some
case for inadequate MITM protection, but,
I personally don't see that as a world that I
would accept on the face value of some
legal handwaving.

Is that really what we want for our Internet?

-- 
iang

PS:  It is apropos that the CA industry uses
the same approach in trying to define industry
custom as sufficient;  see Jane K Winn,
_Couriers without Luggage_ for her expose of
the fallacy in this.  In contrast to your implied
claim that SSL providers would be at risk if
they didn't do the MITM approach, I'd suspect
that CAs are on the hook, because of the
very arguments that Winn and, now, Hooper
advance.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com