[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
iang
iang at iang.org
Wed Apr 23 19:22:21 EDT 2025
On 23/04/2025 01:51, John Gilmore wrote:
> iang via cryptography <cryptography at metzdowd.com> wrote:
>> If you go back into the history of the thing, the evil MITM was like a
>> religious devil that was much talked about and never seen. And when the
>> first real MITMs turned up around 2003 (they called themselves phishers) ...
> Uh, NSA has been a "real MITM" for many decades. Other major spying
> countries are doing this too -- both the US's "adversaries" and "allies".
>
> I agree that NSA works hard to never be seen. Yet sometimes they ARE
> seen:
>
> https://en.wikipedia.org/wiki/Tailored_Access_Operations#QUANTUM_attacks
> https://en.wikipedia.org/wiki/MUSCULAR
>
> Protection against MITM attacks remains vital.
Right, if you go even further into the history of the MITM, what we discover
is that various governments and militaries and TLAs did in fact employ
MITMs whenever they felt like. This leads to some speculations:

1. Gov / military / TLAs could employ MITMs because they had no
liabilities - no come back. If they got caught, they simply shrugged it
off. Also, the stakes were somewhat higher. They weren't stealing a
credit card, which goes for a buck, they were deploying large teams
against other large teams, with costs in treasure of 6 figures and
sometimes in blood.

These economics didn't work for commercial attackers. One doesn't steal
a credit card any more, one buys them by the thousand. And even bank
accounts are sold in batches (although stolen crypto accounts are often
sold individually). Also, economic actors can be followed by their MITM
if caught, they don't get to shrug it off as easily (although they did a
lot of shruggin with phishing, seemingly, and you could say that foreign
attack gangs have no liabilities).

So the question remains: would an ADH SSL solution have worked just as
well for the commercial internet? Could users have then negotiated a
FIDO2-like secure relationship going forward?

2. Back in the 70s and before, commercial cryptography didn't really
exist, or it wasn't that serious, and it was heavily but quietly
suppressed. Some time around the 80s things started to warm up with the
invention of the message digest (so Unix password algorithms could be
shipped without breaking export laws), DES opened up encryption, DH &
RSA were invented, and variations like Chaum.

As the academic world got into this stuff, they were drawn close and
connected to the NSA secret world. And that world had its security
models. And in that security model, the MITM was an important factor.

Did the commercial world of cryptography acquire its models from the
NSA/natsec/mil world, de facto? Did we inherit our fetish for anti-MITM
algorithms from the academics who got it from the NSA? And should we
have re-evaluated the models & assumptions against the change in
environment?

I'd say YES. I think it's pretty clear from our commercial cryptography
sector that the MITM is so rare as to be questionable, whereas
eavesdropping has a lot more track record. We are biased for a number of
reasons towards slaying this dragon - and our historical teachings from
the world of natsec/military cryptography are just one of them.

3. Generally I'd suggest that any commercial model draw the line at
trying to stop the TLA/mil/natsec attack. That's a complete other fight,
and it involves so many other considerations. It's pointless to just try
and do that in a software protocol, it's an all-of-life process.
iang