[Cryptography] Toxic Combination

Jerry Leichter leichter at lrw.com
Mon Dec 1 00:00:28 EST 2014 

On Nov 30, 2014, at 4:55 PM, Guido Witmond <guido at witmond.nl> wrote:
> I'm starting to consider the combination of current best practice with
> server certificates and password to be a Toxic Combination.
> 
> 
> The general issue is twofold:
> 
>    People need to validate the authenticity of a site before typing in
> their password;
> 
>    The password gets transmitted to the other party.
> 
> Most people assume that if it looks like their bank and the address bar
> is green then it should be safe. Regrettably, it’s not. Criminals obtain
> valid certificates using stolen creditcards and passports.
The weaknesses of current PKI system are well documented.  There are examples governments getting false credentials by having effective control over CA's.  But I'm not aware of any attack in which criminal organizations got a fake EV certificate (it would have to be an EV cert to turn the address bar green).  The *potential* vulnerabilities are real and there are a number of ideas out there (cert pinning, certificate transparency, others) that would make them much hard to pull off.  Nevertheless, at the moment, this does not appear to be a vulnerability that's widely exploited.

> The true method for authenticating a site requires verification of server
> certificate fingerprints. And if you don’t know what that means, you
> have to spot the spelling errors, the differences in layout and other
> mistakes to detect the scammers. Good luck!
No clue what this is supposed to mean.  Checking certificate fingerprints would only be useful if you had some independent way of know what those fingerprints were supposed to be.  What would that independent way be?  This sounds like a poor man's approach to certificate pinning - which is automated, not based on human matching.

> The second part is just as problematic: The password must remain secret,
> yet it must be transmitted to the other side to log in.
I'm unaware of any broad attacks based on stealing passwords this way.  Why bother?  If you can get the user to trust a bogus site, you just act as a MITM of the conversation.  No problem with slight (or major) differences in how the site looks - it *is* the real site.  Send whatever commands you want.

> This is the Toxic Combination. One failure to detect a scammer’s site
> and the password is compromised. The scammers can do everything that you
> can do with the password.
Again, this is a *potential* vulnerability, but it's not one that scammers are exploiting in any big way.  It's so much easier to steal the password file from the site itself.  It may not even be hashed - and if hashed, is often hashed using bad techniques, make brute force attacks easy.  And then people re-use passwords on other sites.

Security is not an absolute; it's about managing risk.  The *actual* risk of an attack by "scammers" based on getting a fake certificate and successfully impersonating a site in order to get passwords appears to be very small; other risks are *much* greater.  (Again, if you're talking about attacks by intelligence agencies and similar institutions, the story is different - but in many ways, making it a much harder problem.)  There are a number of mechanisms out there that ameliorate entire classes of related risks, including these.

                                                        -- Jerry

More information about the cryptography mailing list