WYTM?
Eric Rescorla
ekr at rtfm.com
Mon Oct 13 12:37:39 EDT 2003
Ian, you and I have discussed this before, so I'll
just make a few comments.
iang at systemics.com (Ian Grigg) writes:
> Problem is, it's also wrong. The end systems
> are not secure, and the comms in the middle is
> actually remarkably safe.
>
> (Whoa! Did he say that?) Yep, I surely did: the
> systems are insecure, and, the wire is safe.
As you know, I think it's more in the middle. As I've
mentioned before, password sniffing was a real problem
before SSH. I totally agree that the systems are
insecure (obligatory pitch for my "Internet is Too
Secure Already") http://www.rtfm.com/TooSecure.pdf,
which makes some of the same points you're making,
though not all.
> And, it's wrong. There are, then, given these
> stated assumptions, three questions:
>
> 1. why was it chosen?
I think it was chosen for two reasons:
(1) It actually was once a viable threat model, especially
for military and financial communications, where the
end systems were secure.
(2) It's a problem we know how to solve.
I don't think that solving the problems one knows how
to solve is always a bad thing, as long as they're
real problems. What's not clear is how real they are.
> Designers of Internet security
> protocols typically share a more
> or less common threat model.
>
> It's para three, section 1.2. And, it is of course,
> famously not true [10].
>
> SSH is the most outstanding example of not sharing
> that threat model [11]. In fact, it's fair to say
> that most Internet security protocols do not share
> that threat model, unless they happen to have
> followed in SSL's footsteps and also forgotten to
> do their threat model analysis.
This isn't strictly true. IPsec and S/MIME use the
same threat model, for instance. And even SSH mostly
adopts it, since there's actually a fair amount of
concern about active attack after the first leap
of faith. One could, after all, just use encryption
with no message integrity at all.
> [9] I'd love to hear the inside scoop, but all I
> have is Eric's book. Oh, and for the record,
> Eric wasn't anywhere near this game when it was
> all being cast out in concrete. He's just the
> historian on this one. Or, that's the way I
> understand it.
Actually, I was there, though I was an outsider to the
process. Netscape was doing the design and not taking much
input. However, they did send copies to a few people and one
of them was my colleague Allan Schiffman, so I saw it.
It's really a mistake to think of SSL as being designed
with an explicit threat model. That just wasn't how the
designers at Netscape thought, as far as I can tell.
Incidentally, Ian, I'd like to propose a counterargument
to your argument. It's true that most web traffic
could be encrypted if we had a more opportunistic key
exchange system. But if there isn't any substantial
sniffing (i.e. the wire is secure) then who cares?
-Ekr