[Cryptography] Moving forward on improving HTTP's security

ianG iang at iang.org
Fri Nov 22 03:58:48 EST 2013


(apologies for late reply)

On 15/11/13 16:43 PM, John Kelsey wrote:
> On Nov 15, 2013, at 2:44 AM, ianG <iang at iang.org> wrote:
> ...
>>   i. Get all-TLS & get all-CAs:  fail.  All CAs will fall to the state.
>>
>> (This of course can be seen as a tinfoil claim, and it is easy to dismiss because people simply don't know the reality.  FWIW, been there, got the t-shirt:  CAs are a legitimate, popular and priority target of the TLAs.)
>
> CAs can participate in MITM attacks, but there are additional measures that can make that behavior very likely to get caught.


Right.  There are of course many documented threats & mitigations.  I 
would suggest that CAs remain breachable against today's attacker, but 
it doesn't seem to be germane to the actual problems we face.


> And right now, most traffic doesn't even need a MITM attack, just eavesdropping to listen in on the unencrypted traffic.
>
>> For my money, I assume that everyone can see that if we TLS-everything, then we cannot accept CAs everywhere, and we must add easy opportunistic encryption.
>
> It seems to me that anything that gives us easy opportunistic encryption is about as vulnerable to MITM attacks as TLS with possibly-compromised CAs.


Yes, more or less.  No work has been done on this from an academic pov, 
so we only have some historical data.

Phishing is the outlier -- thousands or millions of attacks, and 
millions or billions of damages.  The claim that TLS+CAs provided MITM 
protection wasn't true, it only pushed the MITM around a bit, and in the 
end not enough to justify the cost at the application level.

If we leave out phishing, the numbers of known CA breaches are in the 
low double-digits [0], and the numbers of other breaches on the direct 
TLS protocol side are about the same.  Likewise, damages are low or 
unimpressive.



To a large extent it all comes back to WYTM? or what's your threat model?

I'm assuming here, today, we are adding the NSA's mass surveillance into 
the equation as a valid and important threat model.  That's an 
assumption that can be challenged...

If NSA mass surveillance is our threat model (addition), then the 
solution to that is probably mass opportunistic encryption, to force 
them to go active.

Is that right or wrong?

Obviously, we can change our conclusion by flipping our assumptions [1]. 
What are they and what do we agree on?



iang


> ...
>> iang
>
> --John
>



[0] what I know as breaches relevant to CA risk modelling are here:
http://wiki.cacert.org/Risk/History
[1] e.g., if we assume that only google/yahoo/microsoft are valid 
targets, we could mitigate with HTTPS-everywhere.  Might be enough?

