SSL, client certs, and MITM (was WYTM?)

Ian Grigg iang at systemics.com
Wed Oct 22 20:30:36 EDT 2003


"Perry E. Metzger" wrote:
> 
> Ian Grigg <iang at systemics.com> writes:
> > In threat analysis, you base your assessment on
> > economics of what is reasonable to protect.  It
> > is perfectly valid to decline to protect against
> > a possible threat, if the cost thereof is too high,
> > as compared against the benefits.
> 
> The cost of MITM protection is, in practice, zero.


Not true!  The cost is from 10 million dollars to
100 million dollars per annum.  Those certs cost
money, Perry!  All that sysadmin time costs money,
too!  And all that managerial time trying to figure
out why the servers don't just "work".  All those
consultants that come in and look after all those
secure servers and secure key storage and all that.

In fact, it costs so much money that nobody bothers
to do it *unless* they are forced to do it by people
telling them that they are being irresponsibly
vulnerable to the MITM!  Whatever that means.

Literally, nobody - 1% of everyone - runs an SSL
server, and even only a quarter of those do it
"properly."  Which should be indisputable evidence
that there is huge resistance to spending money
on MITM.


> Indeed, if you
> wanted to produce an alternative to TLS without MITM protection, you
> would have to spend lots of time and money crafting and evaluating a
> new protocol that is still reasonably secure without that
> protection. One might therefore call the cost of using TLS, which may
> be used for free, to be substantially lower than that of an
> alternative.


I'm not sure how you come to that conclusion.  Simply
use TLS with self-signed certs.  Save the cost of the
cert, and save the cost of the re-evaluation.

If we could do that on a widespread basis, then it
would be worth going to the next step, which is caching
the self-signed certs, and we'd get our MITM protection
back!  Albeit with a bootstrap weakness, but at real
zero cost.

Any merchant who wants more, well, there *will* be
ten offers in his mailbox to upgrade the self-signed
cert to a better one.  Vendors of certs may not be
the smartest cookies in the jar, but they aren't so
dumb that they'll miss the financial benefit of self-signed
certs once it's been explained to them.

(If you mean, use TLS without certs - yes, I agree,
that's a no-win.)


> How low does the risk have to get before you will be willing not just
> to pay NOT to protect against it? Because that is, in practice, what
> you would have to do. You would actually have to burn money to get
> lower protection. The cost burden is on doing less, not on doing
> more.


This is a well known metric.  Half is a good rule of
thumb.  People will happily spend X to protect themselves
from X/2.  Not all the people all the time, but it's
enough to make a business model out of.  So if you
were able to show that certs protected us from 5-50
million dollars of damage every year, then you'd be
there.

(Mind you, where you would be is, proposing that certs
would be good to make available.  Not compulsory for
applications.)


> There is, of course, also the cost of what happens when someone MITM's
> you.


So I should spend the money.  Sure.  My choice.


> You keep claiming we have to do a cost benefit analysis, but what is
> the actual measurable financial benefit of paying more for less
> protection?


Can you take that to the specific case?

iang
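The cert-caching step described above (cache the self-signed cert on first contact, detect a change later), as an added illustration that is not part of the original message: a trust-on-first-use pin store that records the fingerprint seen on the first connection and reports any later mismatch. The certificate bytes and host names are constructed stand-ins; a real client would pass the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use (TOFU) cache for self-signed TLS certificates.

Added example, not code from the thread.  The DER byte strings below are
constructed stand-ins for real certificates.
"""
from __future__ import annotations

import hashlib
import json
from pathlib import Path

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding (same value `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuCache:
    """Maps "host:port" to the fingerprint presented on the first connection."""

    def __init__(self, path: Path | None = None) -> None:
        self.path = path
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # Bootstrap weakness: whatever cert is presented the first time is
            # what gets trusted.  Only a later change can be detected.
            self.pins[key] = fp
            self._save()
            return FIRST_USE
        if pinned == fp:
            return MATCH
        # The old pin is kept; the caller decides whether to abort or re-verify.
        return MISMATCH

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))


# Constructed stand-ins for two different DER-encoded certificates.
CERT_A = b"\x30\x82\x01\x00constructed-cert-A"
CERT_B = b"\x30\x82\x01\x00constructed-cert-B"

if __name__ == "__main__":
    cache = TofuCache()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(cache.check("shop.example", 443, cert))  # first-use, match, mismatch
```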

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com