[Cryptography] PRISM-Proofing and PRISM-Hardening

ianG iang at iang.org
Tue Sep 24 04:52:46 EDT 2013

I think, if we are about redesigning and avoiding the failures of the 
past, we have to unravel the false assumptions of the past...

On 20/09/13 01:21 AM, Phillip Hallam-Baker wrote:
> Bear in mind that securing financial transactions is exactly what we
> designed the WebPKI to do and it works very well at that.

Reasonable people may disagree with that claim.

PKI for the web was designed to secure *one small part* of the financial 
process -- sending credit card numbers over the net.  To secure 
financial transactions without limit, we'd need an end-to-end solution. 
E.g., online banking (which comes much later) requires an 
authentication solution, for which the offering by WebPKI (the client cert) is 
infamously not used;  and, as a counterpoint, the biggest hacks occur at 
the server, being that "large part" of financial transactions that 
WebPKI explicitly ignored.

Further, "very well" is a gross exaggeration of marketing proportions. 
In order to say it works "very well" at even its small part of 
protecting access to servers, we'd have to solve the browser 
authentication problem that is at the root cause of phishing.  I grant 
that the phishing bug was addressed at a level of PKI-me-harder, but we 
still lack a solution...

> Criminals circumvent the WebPKI rather than trying to defeat it. If they
> did start breaking the WebPKI then we can change it and do something
> different.

Oh, they broke it.  Criminals send an unauthenticated URL and the user 
goes to that URL.  The browser doesn't notice, the user doesn't notice, 
and the implementors conspire not to notice.  WebPKI is totally broken. 
The fact that the criminals didn't follow the cutesy rules laid out in 
the WebPKI security model is not a circumvention but a breach and an 
excuse -- the rules weren't applicable to the real world.

And, regardless of whether we decide that it is circumvention or breach, 
nothing positive was ever done about it.  So we're left arguing about 
the point of something that is too easy to circumvent and doesn't get 
fixed.  WebPKI is either an historical oddity or an economic drag on 
real security.

(Quite where reasonable people might have a reasonable disagreement is 
where the breach/circumvention is;  that's an argument that will (and 
did) roll on for a decade, which is perhaps why it never gets fixed... 
insert long thread.)

> But financial transactions are easier than protecting the privacy of
> political speech because it is only money that is at stake. The
> criminals are not interested in spending $X to steal $0.5X. We can do
> other stuff to raise the cost of attack if it turns out we need to do that.
> So I think what we are going to want is more than one trust model
> depending on the context and an email security scheme has to support
> several.

Yes.  Challenge is to get that into the supply chain.

> If we want this to be a global infrastructure we have 2.4 billion users
> to support. If we spend $0.01 per user on support, that is $24 million.
> It is likely to be a lot more than that per user.
> Enabling commercial applications of the security infrastructure is
> essential if we are to achieve deployment. If the commercial users of
> email can make a profit from it then we have at least a chance to co-opt
> them to encourage their customers to get securely connected.

It's either that, or bypass completely.  I agree email looks difficult, 
and the economics suggest bypass not rebuild.

> One of the reasons the Web took off like it did in 1995 was that
> Microsoft and AOL were both spending hundreds of millions of dollars
> advertising the benefits to potential users. Bank America, PayPal etc
> are potential allies here.

Curiously (digression), Paypal bought Skype for a secure end-to-end 
solution to many of these problems.  They never capitalised on it.  Did 
they ever say why?
