[Cryptography] "Trust in digital certificate ecosystem eroding"

Anne & Lynn Wheeler lynn at garlic.com
Sat May 2 12:23:43 EDT 2015

On 05/02/15 08:20, John Levine wrote:
>> One thing that might help is to display, by default or simple UI
>> action, the trust chain. E.g. "Verisign.com says that this page
>> is from WellsFargo.com." The CAs should like it since it puts
>> their brand in front of users. It also might make organizations
>> reluctant to change CAs.
> Has there ever been an instance where punting a security decision to
> the user improved the situation?  Not that I can think of.
> In this example, it isn't even Verisign saying that Verisign says that
> it's Wells Fargo.  It's now Symantec using Verisign's name under
> license saying that it's Wells Fargo.  Channelling one's grandmother,
> what should she do now?

we were brought in as consultants to a small client/server startup that
wanted to do payment transactions on their server, the startup had also
invented this technology called "SSL" they wanted to use; the result is
now frequently called "electronic commerce". Early on we started calling
them "comfort" certificates ... not because they provided security ... but
they provided users with a sense of comfort.

Browsers were being paid by CAs to include their certificate ... so the
CAs could sell certificates (paid for by merchants).

we were tangentially involved in the cal. state breach notification
legislation having been brought in to help wordsmith the electronic
signature act. lots of the participants were heavily involved in
privacy issues and had done detailed, in-depth public surveys. The
#1 issue was "identity theft", primarily the form of fraudulent
financial transactions as a result of breaches ... about which there
was little or nothing being done; it was hoped that the publicity
from the breach notification would prompt corrective action. The
issue is that normally security efforts are taken in self-protection,
in breach scenario, the institutions aren't at risk, it is their customers.

In the congressional hearings into the pivotal role that the ratings
agencies played in the economic mess ... it was pointed out that their
business model was misaligned (and the rating agencies were motivated
to do the wrong thing ... and regulation where business model is misaligned
is enormously more difficult). The buyers benefit from the ratings ... but
the sellers were the ones paying the rating agencies.

Securitized mortgages had been used during the S&L crisis to obfuscate
fraudulent mortgages ... but had limited market. In the late 90s we were
asked to look at improving the integrity of supporting documents as a
countermeasure. In the early part of the century, the sellers found that
they could pay the rating agencies for triple-A (when both the sellers and
the rating agencies knew they weren't worth triple-A, from Oct2008
congressional testimony). Triple-A trumps documents and they could now do
no-down, no-documentation liar loans, pay for triple-A and sell to customers
... including large institutional funds restricted to dealing in "safe"
investments (like large pension funds, claims caused 30% or more loss in
pension funds contributing to trillions in pension shortfall). As a result
over $27T was done between 2001 & 2008.

From the law of unintended consequences ... the lack of documentation leads
to the TBTF having to form the large robo-signing mills to fabricate the
(missing) documents.

If that wasn't enough, they then started doing securitized mortgages
designed to fail, pay for triple-A, sell to their customers and then
take out CDS gambling bets that they would fail ... creating enormous
demand for dodgy loans.

virtualization experience starting Jan1968, online at home since Mar1970
