[Cryptography] Questions about crypto that lay people want to understand

Fri Dec 25 11:44:15 EST 2015

On 21/12/2015 02:26 am, John Levine wrote:
>>> Your bank only accepts https because they have insurance that will
>>> reimburse them if their certificate gets spoofed.
>> I'm not aware of any such insurance.  Given that the CA's consistently refuse to accept any
>> liability, ...
>
> Uh, what? Symantec says their warranty will pay up to $1.75M, although
> when one looks at the fine print, the breaches they cover seem pretty
> unlikely:
>
> https://www.symantec.com/en/in/page.jsp?id=compare-ssl-certificates

That's marketing.  This is liability:

NEITHER PARTY WILL BE LIABLE UNDER ANY CIRCUMSTANCES WHATSOEVER FOR ANY
CONSEQUENTIAL, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR EXEMPLARY
DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS OR REVENUES, WHETHER
FORESEEABLE OR UNFORESEEABLE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

http://www.symantec.com/content/en/us/about/media/repository/ssl-subscriber-agreement.pdf

> The usual approach in bank spoofing is to use a different domain that
> sort of looks like the target. It's hard to see how anyone could blame
> that on the bank's own CA.

It's hard to see, yes.  How about:  the CAs actively stop the browsers 
from changing the security model to deal with any alternate model that 
might prevent the spoofing, on the assumption that any better security 
model won't sell as many certificates.

Showing that in court is a bit more work though :)

>  I presume banks have general insurance
> against fraud losses but I don't know the details or how willing
> insurers are to cover these particular losses.
>
>> generally get away with it.  These are not attacks on HTTPS - they usually "go around" the
>> encryption by planting virus on the end-user machines using spear-fished emails.
>
> Somewhat surprisingly, companies are gettting better at preventing
> malware attacks, I think through combinations of using a dedicated
> computer for bank transactions and two-factor dongles into which you
> put some part of the recipient's account number to generate a
> validation code.  We can consider this a minor crypto success.
>
> The attack du jour is spear phishing a company's CFO or accounting
> clerk to send fake mail appearing to be from the boss telling them to
> wire money to the crook's account.  Since the transaction is entered
> and validated correctly, banks are generally off the hook, although
> well run banks will notice atypical transactions and try to warn the
> company.

Which in theory is stopped by the security model - email that is signed 
by the real boss looks different to the non-real boss.  Problem is, it 
doesn't work, in practice.  Fundamental reason it doesn't work is 
because the CAs can't figure out a way to get everyone to pay for 
individual certs.  And even if they can't figure it out, they're sure to 
block any attempts to use another technology.  Deadlock, users are screwed.

iang