
On Tue, Mar 06, 2012 at 11:00:56PM +0000, James Harper wrote:
The only thing you are getting out of it is encryption, but that's of little value when you have no idea that you are communicating with the right server, which is the whole point of TLS/SSL.
Wrong on both points. encryption alone is incredibly valuable, and encryption is the whole point of TLS/SSL. identity verification is a secondary, and entirely optional, point. [...]
I disagree. If you can't be sure of who you are connecting to then you have already lost.
since you can't actually trust commercial CAs, then you've lost just as badly as if you trust a self-signed cert.
You may be sitting in an internet café quite happily conducting an encrypted connection to a man-in-the-middle. If your information is worth securing then it is worth securing properly. As you say below the informed user would weigh up the pros and cons of each situation and act accordingly, but just dismissing the identification aspect of SSL is a mistake.
i'm not dismissing it. I'm saying that it's not relevant in some, possibly even many or most, situations. situations where encryption to deter casual interception is sufficient. the meaning of "securing properly" varies depending on the circumstances - how important privacy is, what the risks and consequences of compromise are. and anyone who does internet banking in an internet cafe is a fuckwit who has only themself to blame when their bank account is emptied. e.g. if i were running an internet cafe, I could buy certificates for paypal, google, various internet banks etc from a rogue commercial CA - call them Komodo, like the giant lizard, for an entirely fictional hypothetical example :) - and divert all related traffic to my own bogus versions of those sites. The end-user using their laptop in my cafe would be none the wiser. The certs *would* be signed by a CA cert that their browser had pre-installed to trust. There would be no warning, no sign that there was anything wrong. and if you're conducting a private conversation that you *really* don't want intercepted then the *ONLY* way to ensure that is to exchange keys with the person you're talking to - i.e. trust the key that THEY gave you, not the key that some third-party (a commercial CA) says is the right one. you could do this directly (e.g. effectively a two-person web of trust), or by using the existing web of trust infrastructure.
Well yes, ideally you would receive a tamper-evident letter from your bank containing the public key, or at least a hash of the public key, and then no third-party trust is required. But I think there is a world of difference between trusting a self-signed cert and a cert that chains to a commercial CA.
it's entirely situational. In some cases, identity verification just doesn't matter at all. when all you want is encryption so your traffic can't easily be snooped. e.g. so you can be reasonably sure that some script-kiddie sitting near you in the cafe doesn't steal the password to your myfavouritehobby.org forum and troll in your name. In some cases, it does matter. banking is the obvious example where trusting a self-signed cert would be a bad idea. but that doesn't mean that blindly trusting a commercial CA is a good idea. IMO commercial CAs, and the entire commercial PKI industry are a scam. Netscape fucked up big time when they invented that. They had a chance to establish a web-of-trust as the industry standard, but they wanted to cash in on being the gatekeepers to an artificial monopoly. i'd trust a bank certificate that happened to be co-signed by several other banks, the banking industry ombudsman and a few other relevant parties FAR MORE than i trust a key signed by some commercial CA. And, because the bank created the key themselves, it would be less likely that a copy of the private key could be stolen from the CA or handed over as a matter of course to some governmental spook agency. A commercial CA is a single point of failure, just one place that needs to be compromised - hacked, blackmailed, subverted, run as a TLA agency front, etc. A web of trust is far harder to compromise, especially when the parties (other banks, in this instance) are putting their reputations on the line when they sign a key. I don't really trust my bank's certificate... there just isn't enough information available for me to do that. Sure, it's signed by a commercial CA but I have no way of knowing if that CA has been compromised or not... or that I'm getting the bank's real site and real cert and haven't been redirected to a bogus site using a bogus cert from a rogue CA. and, IMO, I would be a fool if i ever allowed myself to become complacent and forget that.
I accept the cert mostly because I don't have any choice if I want to do online banking. and even then, i only login from home (where i keep the little push-button auth token they supplied) from a web browser that I never use for anything else.
Nothing is perfect though.
absolutely true. there's no such thing as perfect security. cannot be achieved. what *can* be achieved is security that is good enough to meet the current purpose, especially if that current purpose is low risk (or the risk has low consequences). the higher the risk, the more effort you need to put in to secure the connection.

craig

-- 
craig sanders <cas@taz.net.au>

BOFH excuse #187: Reformatting Page. Wait...
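The "trust the key that THEY gave you" approach argued for in the replies above, as an added example in Go that is not part of this thread: the client pins the SHA-256 of the server's SubjectPublicKeyInfo (the hash a bank could print in the tamper-evident letter) and accepts a leaf certificate only on that match, so no CA, rogue or otherwise, is consulted. The certificates here are constructed test data; in a real client the pin value arrives over the out-of-band channel and the closure is installed as tls.Config.VerifyPeerCertificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is SHA-256 over the leaf's SubjectPublicKeyInfo: the value a bank could print in a letter.
func spkiPin(der []byte) ([32]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo), nil
}

// verifyPinned has the shape of tls.Config.VerifyPeerCertificate: accept the leaf only if its key matches the pin, whatever CA signed it.
func verifyPinned(pin [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		got, err := spkiPin(rawCerts[0])
		if err == nil && got != pin {
			err = fmt.Errorf("public key pin mismatch: got %x...", got[:4])
		}
		return err
	}
}

// selfSignedDER builds a throwaway self-signed cert on a fresh key (constructed test data, not a real bank cert).
func selfSignedDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS entropy source does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	bankDER := selfSignedDER()
	pin, _ := spkiPin(bankDER) // learned out of band, never from a CA
	fmt.Println(verifyPinned(pin)([][]byte{bankDER}, nil), verifyPinned(pin)([][]byte{selfSignedDER()}, nil))
}
```

The second call presents a different key under an otherwise identical certificate, which is exactly the rogue-CA case: a valid-looking chain buys the impostor nothing because the pin, not the signer, decides.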