[Cryptography] The business of web hosting, was Commercial PKI as dog poop

John Levine johnl at iecc.com
Tue May 18 12:19:59 EDT 2021


It appears that jrzx <jrzx at protonmail.ch> said:
>On Sunday, May 16, 2021 9:23 AM, John Levine <johnl at iecc.com> wrote:
>> A bank or any organization has a bunch of employees and
>> contractors whose roles and authorities are defined by law
>> and contract and to some extent custom.
>
>To do business over the internet requires trusting people,
>but not unlimited trust. ...

>If your website has a CDN certificate, you are being asked
>to trust considerably more than you should be asked.
>
>And, in practice, banks and such *don't* use CDN certificates.

Once again, the world you're describing is quite different from the one
the rest of us live in, so this is my last round.

At my local bank, the person in charge of computer security is probably
the same person who has to explain to grandma that, no, she did not win
a sweepstakes and the nice man in Nigeria will not be returning her money.
There's no reason to expect him or her to know a lot about asymmetric
encryption.

Running reliable and secure systems is hard, which is why it often makes
sense to outsource it to an organization that has the skills to do it
competently.  Managing SSL certificates is just one small part of that.

As we've already seen, my bank outsources its entire site to
specialist contractor Jack Henry. I also do business with BBVA, who
recently absorbed fintech startup Simple, and HSBC US, the US part of
a giant global bank. Their web sites, certs and all, are both at AWS
(check the IP addresses.) I happen to know that HSBC outsources part
of their site at www.services.online-banking.us.hsbc.com to Akamai.
Other parts are handled by FISERV, another large specialist.  Look
at other banks and they're all over the place, e.g., large regional
bank First Third is in Google's cloud.

Any organization bigger than one person has to figure out who does
what, and "don't trust anyone" and trying to do it all yourself isn't realistic.

R's,
John

