[Cryptography] Is it time for a revolution to replace TLS?

Jerry Leichter leichter at lrw.com
Mon May 19 17:28:55 EDT 2014


On May 18, 2014, at 9:29 AM, Anne & Lynn Wheeler <lynn at garlic.com> wrote:
> ...Almost immediately this was violated. Webservers found that "SSL"
> cut their throughput by 90+% and so they dropped back to use "SSL"
> just for check-out/paying. As a result, users were contacting a
> non-validated webserver and then they would click on a button
> and the non-validated webserver would provide a (SSL) URL ... which
> the browser would validate. Now the best that could be said is that
> the webserver that the user was talking to was the webserver that
> they claimed it was (not necessarily the webserver the user thought
> they were talking to)....
Beyond this, site owners quickly found all kinds of reasons to mix content from different domains - e.g., put the static assets in one domain and the dynamic stuff in another.  So even if you really had an SSL connection all the way through ... it wasn't clear what on the page was being validated.

SSL really has a remarkable history of giving the world enough confidence to actually get e-commerce going while at the same time *never* really providing any reasonable security properties.  The best one can say is that it raised the minimum level of competence required to pull off certain kinds of attacks - though whether anyone would have found those attacks to be the most efficacious ones available even lacking SSL, we'll never know.

To this day, I've never seen a good description of a full protocol - from the end-user-visible components down to the bits on the wire - that, were it implemented, would solve the problem:  How can I be sure that when the browser says I'm talking to eBay, I'm *really* talking to eBay?  (I'm not even concerned with the "my conversation is visible only to me and eBay" (encryption) part, as that's trivial once you've solved the "is it the right eBay" (authentication) part.)  Things like certificate pinning and such are an attempt to solve this problem without ripping out the entire existing SSL/PKI infrastructure - and are likely the only *practical* solution we are likely to get; but I'm not sure we even know what a "clean whiteboard" solution would look like.

                                                        -- Jerry
