[Cryptography] The business of web hosting, was Commercial PKI as dog poop

Mon May 17 12:42:35 EDT 2021

On Sun, May 16, 2021 at 5:41 PM jrzx via cryptography <
cryptography at metzdowd.com> wrote:

> On Saturday, May 15, 2021 6:56 PM, John Levine <johnl at iecc.com> wrote:
> > Once again, this is an Internet very much unlike the one
> > the rest of us use.
>
> > For my bank, the bank is in upstate NY but all of their
> > web sites are handled by their contractor somewhere in
> > the midwest, and I am quite certain the contractor
> > manages the SSL certs,
>
> You may be certain, but I see no evidence for your certainty
> in their certs.
>
> And if their contractor does indeed control their secrets,
> then were he to stuff their certs into a CDN, which he did
> not, then not only would their contractor have control, and
> they not have control, but no end of unknown people and
> machines between the machine servicing their web pages,
> and the machine holding the secrets controlling their
> certs, would also have control.
>

Security has no ideology. If it did, it would hardly choose a synthesis of
Trotskyite and Libertarian ideologies.

Security is about risk control. John is making an argument about control of
specific risks. John has an asset (funds in the account) which are
protected by various controls, among which are the WebPKI controls that
assure him that the Web site through which he interacts with his bank is
the one he expects. The risks of a WebPKI failure is really not relevant to
that interaction, an EV cert is adequate to give the necessary level of
assurance.

There are many, many aspects of online banking that are unsatisfactory that
are in the power of Google to fix. The real weak point in online banking is
that the passwords are transmitted to the site for validation rather than a
proof of knowledge of the password being used such as the one I designed
for HTTP in 1993.

But bleating on about the insecurity of other providers is so much easier
than fixing the stuff that matters. The WebPKI is designed to do a
particular job which it does almost flawlessly. The fact that it does not
perform every task that people might want it to is irrelevant, it does its
job as it is supposed to.

I played a part in building the WebPKI, I designed the assertion
infrastructure of SAML, both work well for the purposes that I designed
them to serve. If you would like to apply PKI to other problems then why
not take a look at the work I have done since that is designed to meet many
of those concerns?

HTTP+TLS is a good solution for the specific problem of protecting browser
interactions. It is a lousy solution for transactional and telemetry
interactions. I have spent the past couple of months focused on that issue
with RUD and the number of glaring omissions in the existing approach is
interesting.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210517/366d5411/attachment.htm>