WYTM?

Ian Grigg iang at systemics.com
Mon Oct 13 20:24:35 EDT 2003


Eric Rescorla wrote:
> 
> Ian Grigg <iang at systemics.com> writes:
> > > It's really a mistake to think of SSL as being designed
> > > with an explicit threat model. That just wasn't how the
> > > designers at Netscape thought, as far as I can tell.
> >
> >
> > Well, that's the sort of confirmation I'm looking
> > for.  From the documents and everything, it seems
> > as though the threat model wasn't analysed, it was
> > just picked out of a book somewhere.  Or, as you
> > say, even that is too kind, they simply didn't
> > think that way.
> >
> > But, this is a very important point.  It means that
> > when we talk about secure browsing, it is wrong to
> > defend it on the basis of the threat model.  There
> > was no threat model.  What we have is an accident
> > of the past.
> 
> Maybe so, but it coincides relatively well with the
> common Internet threat model, so I think you can't
> just dismiss that out of hand as if it were pulled
> out of the air.


I'm sorry, but, yes, I do find great difficulty
in not dismissing it.  Indeed being other than
dismissive about it!

Cryptography is a special product, it may
appear to be working, but that isn't really
good enough.  Coincidence would lead us to
believe that clear text or ROT13 were good
enough, in the absence of any attackers.

For this reason, we have a process.  If the
process is not followed, then coincidence
doesn't help to save our bacon.

It has to follow, for it to be valuable.  If
it doesn't follow, to treat it as anything
other than a mere coincidence to be dismissed
out of hand is leading us on to make other
errors.

I think that Matt Blaze said it fairly well.
There are some security practices that in
the recent past are now considered appalling.

It's time to be a little bit appalled, and
to recognise SSL for what it is - a job that
survived not on its cryptographic merits, but
through market and structural conditions at
the time.


> > > Incidentally, Ian, I'd like to propose a counterargument
> > > to your argument. It's true that most web traffic
> > > could be encrypted if we had a more opportunistic key
> > > exchange system. But if there isn't any substantial
> > > sniffing (i.e. the wire is secure) then who cares?
> >
> >
> > Exactly.  Why do I care?  Why do you care?
> >
> > It is mantra in the SSL community and in the
> > browsing world that we do care.  That's why
> > the software is arranged in a double lock-
> > in, between the server and the browser, to
> > force use of a CA cert.
> 
> You keep talking about the server locking you in, but it doesn't.


(No, it's a double-lock-in, or maybe more.  It's
a complex interrelated scenario.)

Here's specifically what the server does:  When
it is installed, it doesn't also install and
start up the SSL server.  You know that page
that has the feather on?  It should also start
up on the SSL side as well, perhaps with a
different colour.

Specifically, when you install the server, it
should create a self-signed certificate and use
it.  Straight away.  No questions asked.

Then, it becomes an administrator issue to
replace that with a custom signed one, if the
admin guy cares.


> The world is full of people who run SSL servers with self-signed
> certs.


Right.  I'm looking to improve those numbers,
my guess would be 10-fold is not unreasonable.


> And on the client side the user can, of course, click "ok" to the "do
> you want to accept this cert" dialog. Really, Ian, I don't understand
> what it is you want to do. Is all you're asking for to have that
> dialog worded differently?


There should be no dialogue at all.  Going from
HTTP to HTTPS/self signed is a mammoth increase
in security.  Why does the browser say it is
less/not secure?

Further, the popups are a bad way to tell the
user what the security level is.  The user can't
grok them and easily mucks up on any complex
questions.  There needs to be a security display
on the secured area that is more prominent and
also more graded (caching numbers) than the
current binary lock symbol.

There has been some research on this area, I
think it was Sean Smith (Dartmouth College)
that posted on this subject.  Yes, here it is:

  From: Sean Smith <sws at cs.dartmouth.edu>
  > Or, if we should bother to secure it, shouldn't
  > we mandate the security model as applying to the
  > browser as well?

  Exactly.

  That was the whole point of our Usenix paper last year

  E. Ye, S.W. Smith.
  ``Trusted Paths for Browsers.''
  11th Usenix Security Symposium. August 2002
  http://www.cs.dartmouth.edu/~sws/papers/usenix02.pdf

Oh, and:

  Advertisement: we also built this into Mozilla, for Linux and Windows.
  http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/



> It's not THAT different from what
> SSH pops up.


(Actually, I'm not sure what SSH pops up, it's
never popped up anything to me?  Are you talking
about a Windows version?)


iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
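
The install-time behaviour proposed in the message above (create a self-signed certificate straight away, and leave replacing it to the administrator), sketched as an added example; it is not part of the original post or of any server's installer. The file names, the 365-day lifetime and the function names are assumptions, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: first-start bootstrap of a self-signed TLS certificate.
# File names, lifetime and function names are illustrative assumptions.

# ensure_selfsigned_cert DIR HOSTNAME
# Creates DIR/server.key and DIR/server.crt only when neither exists, so a
# certificate the administrator installed later is never overwritten.
ensure_selfsigned_cert() {
    dir=$1
    host=$2
    key="$dir/server.key"
    crt="$dir/server.crt"
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0    # already provisioned (self-signed or CA-issued)
    fi
    if [ -e "$key" ] || [ -e "$crt" ]; then
        echo "refusing to touch partial key/cert pair in $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    old_umask=$(umask)
    umask 077       # the private key must not be group/world readable
    if ! openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$host" -keyout "$key" -out "$crt" 2>/dev/null; then
        umask "$old_umask"
        rm -f "$key" "$crt"
        return 1
    fi
    umask "$old_umask"
    chmod 644 "$crt"
}

# is_self_signed CRT
# True when issuer and subject are identical (strictly "self-issued";
# this does not verify the signature itself).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# cert_fingerprint CRT
# Prints the SHA-256 fingerprint, the value a client would compare or cache.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

An installer would call `ensure_selfsigned_cert` once before starting the TLS listener; running it again is a no-op, so the fingerprint clients have seen stays stable until the administrator swaps in a different certificate.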