[Cryptography] hard to trust all those root CAs

ianG iang at iang.org
Wed Jul 23 10:24:03 EDT 2014


On 23/07/2014 13:32 pm, John Denker wrote:
> On 07/22/2014 04:59 PM, Russ Nelson wrote:
> 
>> Crypto without a threat model is like cookies without milk. Keep
>> saying it until it becomes second nature to specify the threat model.
...
> A question for each person on this list:  Are you sure
> that all of your communications with your banker, doctor, 
> lawyer, mistresses, etc. move over networks that are 
> immune to MITM attacks?  If so, please raise your hand.


This is the sort of argumentation that was used in the mid 1990s :)
Basically:  the threat exists, therefore we must defend against it.

The problem with this approach is that it ignores costs.  If it costs
something to defend against it, and that cost is in the aggregate
greater than the value saved, then this is not a good use of our money.
We should accept the risk, and pay the cost when it happens.


> On 07/22/2014 03:07 PM, Jerry Leichter wrote:
>> I forget the name, but there was a plugin that would warn you of
>> unexpected changes in location of the CA.
> 
> It can't be a very successful solution, if people refer
> to it in the past tense, and can't remember the name.


Back in the 2000s when phishing was debated-not-fought, Pinning was
basically rejected by Browser Vendors, in line with everything else.
It's got a new lease of life because 'one of their own' was hit by
phishing, and is now experimenting with solutions.

My point is, the solution is whatever the 4 majors want to do here.  It
isn't anything to do with security, it's more to do with getting the
gang of 4 to move together and find a lowest common denominator.


> Note the contrast:  As currently deployed:
>   SSL relies on authority, with no pinning or notary.
>   SSH relies on pinning, with no authority or notary.
>   PGP relies on web-of-trust, which usually boils down
>    to little more than a labor-intensive form of pinning.
> 
> As discussed on 09/27/2013 09:43 AM, I reckon a heterotic 
> approach would greatly increase security in all three cases.
> I use the term "pinning" to refer to local approaches, 
> and "notary" to refer to network-based online approaches.
> 
> AFAICT no "perfect" solution is possible.


By definition, no "perfect" solution is possible because there is no
"perfect" definition of security.  The best we've come up with is a menu
of risks, and you get to choose which ones you pay to slow/stop, and
which you can live with.  Like the insurance game or options trade, it
isn't wise to over-insure.


> If somebody 
> wants to make a Truman Show / Matrix fake universe for 
> you to live in, they can do so -- in principle.  However,
> I reckon that good crypto engineering can make this much 
> more expensive to do, and much easier to detect.


Unfortunately, much security thinking was bedevilled by the fake
universe approach:  Construct a perfect security model, construct your
threat model to be beaten by your security model, and market the threats
accordingly.

An interesting question is why we should think like this...  but I digress.


> Evidently there are no widely-deployed solutions;  
> otherwise we wouldn't be seeing forged certificates 
> in the wild.


It's worth being a little bit more scientific about this whole threat
thing [0].

Before 2003, there wasn't much of a threat, just isolated incidents, and
we could have ignored it ('accepted the risk').  If 2003 means anything,
up until that point HTTPS was indistinguishable from a placebo.

In 2003, phishing started up against HTTPS, but it was ignorable because
it was outside the envelope.  The users carried the costs, no response
needed.

In 2011, things warmed up.


> Is there anything on the horizon?
> If not, why not?


My answer:  17 years was spent defending against a threat that didn't
exist or could be ignored.  When it finally turned up, the machinery for
dealing with the threats was so sclerotic that it couldn't respond any more.

(In military affairs this is called the Maginot Line syndrome.)



iang



[0] http://wiki.cacert.org/Risk/History
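The thread contrasts three trust models (CA authority, SSH-style local pinning, and a network notary) and mentions a browser plugin that warned when a site's certificate changed unexpectedly. The following is an added example, not code from this post, the list, or any of the tools mentioned: a small trust-on-first-use pin store that records the SHA-256 fingerprint of a server's public key on first contact, flags any later change, and only accepts a change when a quorum of notaries report seeing the same new key (the "heterotic" combination of local pin plus online notary). The class name, the verdict strings, and the SPKI byte strings are constructed for illustration; a real client would take the SubjectPublicKeyInfo from the server's leaf certificate and query real notary services.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.  A real
# client would extract these from the certificate presented in the TLS handshake.
BANK_KEY_2014 = b"constructed-spki: bank key as first seen"
BANK_KEY_ROTATED = b"constructed-spki: bank key after a legitimate rotation"
INTERPOSER_KEY = b"constructed-spki: key presented by a man-in-the-middle"


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the public-key blob, hex-encoded.  This is what gets pinned,
    so a CA re-issuing a certificate for the same key does not trigger a warning."""
    return hashlib.sha256(spki_der).hexdigest()


class HeteroticPinStore:
    """Local pin (SSH-style trust-on-first-use) plus an optional notary quorum.

    Verdicts returned by check():
      'first-use'  no pin existed for the host; the fingerprint was recorded (TOFU)
      'match'      the presented key equals the pinned key
      'rotated'    the key differs from the pin, but at least `quorum` notaries
                   report the same new key, so a legitimate rotation is likely;
                   the pin is updated
      'mismatch'   the key differs and no notary quorum confirms it; treat as a
                   possible interposer and refuse to continue
    """

    def __init__(self, quorum: int = 2):
        self.quorum = quorum              # notaries that must agree to accept a change
        self.pins: Dict[str, str] = {}    # host -> pinned SPKI fingerprint

    def check(self, host: str, spki_der: bytes,
              notary_views: Optional[Dict[str, str]] = None) -> str:
        """notary_views maps a notary name to the fingerprint it observed for host
        from its own vantage point (hypothetical; constructed in the demo below)."""
        seen = spki_fingerprint(spki_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so remember what we saw.
            self.pins[host] = seen
            return "first-use"
        if seen == pinned:
            return "match"
        # Pin disagreement.  A purely local scheme would stop here and warn;
        # the notary quorum lets us tell a key rotation from a local MITM.
        agreeing = sum(1 for fp in (notary_views or {}).values() if fp == seen)
        if agreeing >= self.quorum:
            self.pins[host] = seen        # accept the rotation and re-pin
            return "rotated"
        return "mismatch"


def demo() -> list:
    """Walk one host through first contact, a local interposer, a rotation
    confirmed by notaries, and an interposer that the notaries do not see."""
    store = HeteroticPinStore(quorum=2)
    host = "bank.example"                 # constructed host name
    rotated_fp = spki_fingerprint(BANK_KEY_ROTATED)
    # Constructed notary reports: three independent vantage points all see the
    # rotated key, i.e. the change is global, not specific to our network path.
    notaries_see_rotation = {"notary-a": rotated_fp, "notary-b": rotated_fp,
                             "notary-c": rotated_fp}
    return [
        store.check(host, BANK_KEY_2014),                       # first-use
        store.check(host, BANK_KEY_2014),                       # match
        store.check(host, INTERPOSER_KEY),                      # mismatch (no notaries)
        store.check(host, BANK_KEY_ROTATED, notaries_see_rotation),  # rotated
        store.check(host, BANK_KEY_ROTATED),                    # match (re-pinned)
        store.check(host, INTERPOSER_KEY, notaries_see_rotation),    # mismatch
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last case is the one that distinguishes the combined approach from pinning alone: the local pin disagrees, and the notaries disagree with what this client was shown, so the change is confined to this client's network path, which is exactly the signature of an interposer rather than a rotation. Pinning alone would produce the same "mismatch" verdict for the legitimate rotation, which is the false-alarm cost that made change-warning plugins hard to live with.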


More information about the cryptography mailing list