WYTM?

Eric Rescorla ekr at rtfm.com
Mon Oct 13 12:37:39 EDT 2003


Ian, you and I have discussed this before, so I'll
just make a few comments.

iang at systemics.com (Ian Grigg) writes:
> Problem is, it's also wrong.  The end systems
> are not secure, and the comms in the middle is
> actually remarkably safe.
> 
> (Whoa!  Did he say that?)  Yep, I surely did: the
> systems are insecure, and, the wire is safe.
As you know, I think it's more in the middle. As I've
mentioned before, password sniffing was a real problem
before SSH. I totally agree that the systems are
insecure (obligatory pitch for my "Internet is Too
Secure Already") http://www.rtfm.com/TooSecure.pdf,
which makes some of the same points you're making,
though not all.

> And, it's wrong.  There are, then, given these
> stated assumptions, three questions:
> 
>    1.  why was it chosen?
I think it was chosen for two reasons:
(1) It actually was once a viable threat model, especially
    for military and financial communications, where the
    end systems were secure.
(2) It's a problem we know how to solve.

I don't think that solving the problems one knows how
to solve is always a bad thing, as long as they're
real problems. What's not clear is how real they are.
    
>       Designers of Internet security
>       protocols typically share a more
>       or less common threat model.
> 
> It's para three, section 1.2.  And, it is of course,
> famously not true [10].
> 
> SSH is the most outstanding example of not sharing
> that threat model [11].  In fact, it's fair to say
> that most Internet security protocols do not share
> that threat model, unless they happen to have
> followed in SSL's footsteps and also forgotten to
> do their threat model analysis.
This isn't strictly true. IPsec and S/MIME use the
same threat model, for instance. And even SSH mostly
adopts it, since there's actually a fair amount of
concern about active attack after the first leap
of faith. One could, after all, just use encryption
with no message integrity at all.

> [9] I'd love to hear the inside scoop, but all I
> have is Eric's book.  Oh, and for the record,
> Eric wasn't anywhere near this game when it was
> all being cast out in concrete.  He's just the
> historian on this one.  Or, that's the way I
> understand it.

Actually, I was there, though I was an outsider to the
process. Netscape was doing the design and not taking much
input. However, they did send copies to a few people and one
of them was my colleague Allan Schiffman, so I saw it.
It's really a mistake to think of SSL as being designed
with an explicit threat model. That just wasn't how the
designers at Netscape thought, as far as I can tell.

Incidentally, Ian, I'd like to propose a counterargument
to your argument. It's true that most web traffic 
could be encrypted if we had a more opportunistic key
exchange system. But if there isn't any substantial
sniffing (i.e. the wire is secure) then who cares?

-Ekr




---------------------------------------------------------------------
The Cryptography Mailing List