[Cryptography] phishing, was Encryption opinion

[ianG]

On 10/09/2014 12:45 pm, Jerry Leichter wrote:
> On Sep 9, 2014, at 10:21 PM, ianG <iang at iang.org> wrote:
>> ...MITM was introduced to the net from various sources as a key threat.  The one big threat that would tear everything apart.  So people responded to it....
> If you're talking about SSL/HTTPS - this is a re-writing of history.  Some of the re-writing was almost contemporaneous, but it's still a re-writing.


Rewriting of history?  Well, I'd say it was already rewritten several
times and we're into the revisionist phase, trying to find out what the
real forces were that made SSL what it was, leading up to today's
post-phishing and post-Snowden world.


> SSL/HTTPS were introduced to "make the Web safe for e-commerce".  One part of this is obvious:  To this day, e-commerce sites tell you that your transactions are "protected by encryption", with the meaning being that they can't be observed and (perhaps, but few get that sophisticated) can't be altered.  But the threat most people understand is observation, and they want to be assured of protection against that.


The stated threat was against credit cards, its a bit more precise that
the hand-wavy e-commerce term.  There was no value to an attack that
changes your credit card; the value of the alleged attack was all in
revealing the credit card to someone who could snoop.

Which is why SSL v1 was opportunistic, it dealt with the attack at a
reasonable level.  However this was strongly criticised because SSL v1
could be MITM'd and therefore it should ("must") have certificates in
order to stop the MITM attack revealing the credit card.


> The more subtle point, though, is what I call the secure introduction problem.  If I'm in a city I've never visited before and I see a sign for a Sheraton hotel, I know they'll have nice, clean rooms and be safe.  If I need to buy a new piece of luggage because the airline destroyed my bag, I can go into Macy's and buy one with the assurance that it won't be a piece of junk, that they'll stand behind it, etc.  If I'm hungry and I see a McDonald's ... well, let's not go there.
> 
> In all these cases, there are various external indicia of trustworthiness.  I listed examples that rely on trademarks, but there are plenty of other indicia in the real world that would lead me to trust (or not trust) a hotel that's not part of a chain, or local leather goods store, or a restaurant.  For those of us in the Western world, these indicia, while certainly not perfect, are in practice highly reliable.  (That's not true, for example, in China - where there have been whole fake divisions of well-known companies set up.)  A combination of economics - fakes that will fool people are expensive to produce - and enforced legal mechanisms, particularly trademarks - made, and keeps, the system effective.
> 
> When e-commerce was abornin', it wasn't at all clear that people would buy into it.  "On the Internet, no one knows you're a dog" was already a widely repeated trope.  With the screen resolutions and network speeds then available, no Web site could "look" very trustworthy (not that quality of visual representation ever *really* meant much - but it's something people are used to looking at).  The big problem was:  How do you get people to treat these new-fangled sites as "the real thing", worthy of trust and my hard-earned cash?  With so few existing businesses on line, it wasn't even clear that people would trust that "macys.com" really was Macy's.
> 
> Enter the certificate.  Here was an attestation by a "Higher Authority" that the site was what it claimed.  Psychologically, it also put a kind of stamp of approval on the site:  Having a certificate felt like having an expensive-looking storefront:  No scammer would bother to make the investment.


Well indeed.  But you will note that no CA will state any of that in
writing.  It is all self-marketing.  So whether you can claim this as a
reasoning for the introduction of certificates is difficult because
we're resting on claims we know to be false but deliberately widespread.


> That certificates provided no guarantee even vaguely related to this apparent assurance was something only a small coterie of crypto experts understood.  And when scammers did indeed start buying certificates, the response was to double down with EV certificates - deliberately made expensive "to keep the scammers out" (right) and providing all kinds of words to re-assure you that these really were checked and backed by some "Higher Authority" (though they really weren't).  That wonderful green bar - in the US, at least, the color of money:  What a nice way to keep the illusion going.
> 
> MITM attacks?  Try and find people outside of the small group of experts who have any clue what those are.  If the term means anything at all to most people, it means that someone can *observe* transactions.


Indeed, what we are talking about is *entirely perceptional* in that
there are a group of people who've built their careers on a classical
threat model.

The disconnect is that the concept does not meet the needs of users.
How do we get back to meeting the needs of users?


> Note that there's a second problem, the Ongoing Connection problem:  I found the macys.com Web site last month and used it successfully (stuff arrived in a real Macy's box).  Just as in the real world I feel safe going back to a store that treated me well - implicitly assuming that "it's the same place" - I'm willing to go back to "the same web site".  While all the certificate stuff is nice, I doubt many people think it has a role in making sure that when I go to macys.com today, it's really the same macys.com I went to last month.  (And, in fact, *it doesn't even do that* - so in this case, that's a good thing!)


Yes.  Most people in the western world get by on the ability to use
various visual signals and domains to create a relationship mapped in
the mind.  Including on the net.

The farcity of the situation is proven when you connect to do all your
shopping using the HTTP service, then click to payout -- if the payout
takes you to a remote site called "secure-payments.com" then users don't
blink.

Part of the problem I suspect is that most security people haven't ever
really studied marketing and institutional relationships.  There's a
whole world out there that changes all our assumptions.  E.g., it is
deals like Apple's recent pay thing that make things tick, the security
stuff is just geek-candy.


> Once you see the distinctions between the problems, you can also see why encrypted email has never caught on.  Most email is exchanged by people who already know each other - or who are introduced by mutual friends.  Most people never need their email systems to solve the Introduction Problem.  And we believe we can recognize our correspondents, just as we recognize our friends by their faces, or their voice and manner of speaking on the phone, or their styles of writing, the subjects they talk about, the real-world events they refer to, in letters.  As a result, we believe we really don't need a solution to the Ongoing Connection problem either.  By the time email from commercial sites became commonplace, "everyone already knew" that you could validate the sender by these kinds of indicia.  All that was left was concern about eavesdropping - and it's not as if we've really worried much about eavesdropping on our phone conversations for many decades.  (I suspect the fact that so ma
 n
y
>   people initially used the Internet over dialup connections helped establish the feeling that "listening in on Internet connections" is like "listening in on phone calls" - something that most people just don't worry about.)

Right.  But marketing tells us that, if we assume a counterfactual that
emails are only sent to companies, then companies would have been sold
certificates...  It's not the emails that are vulnerable to spying, it's
the companies that are vulnerable to selling.

> There are multiple disconnects here:  Between what most people think systems are capable of providing; what they think they *actually do* provide; what makers of those systems *sell* as their capabilities; and what they systems actually can and do provide.


I think we're all in agreement here :)

> Pointing at one particular problem - MITM, which has, at least to me, a fairly narrow and clear *technical* definition - and somehow trying to stretch it to cover all the complex issues (either by broadening its definition to the point where it essentially means "any attack", or by saying it's the one problem that all the systems out there are trying to solve) doesn't help.  In fact, it makes things harder.


The reason to point it out is that it is mentally ingrained into some
security folks minds that the MITM is why we do things.  Meanwhile the
world has moved on.  The question is for those people who structure
their entire designs around the MITM (certificates/PKI/etc) whether
they'll be able to retain any relevance, or the world will bypass them.

Unfortunately some of those people have the lock on certain very
important core technologies -- IETF.  It is 2014, and only this year
have they woken up and started working on opportunistic security.



iang