
On Tue, Mar 06, 2012 at 11:00:56PM +0000, James Harper wrote:
The only thing you are getting out of it is encryption, but that's of little value when you have no idea that you are communicating with the right server, which is the whole point of TLS/SSL.
Wrong on both points. Encryption alone is incredibly valuable, and encryption is the whole point of TLS/SSL. Identity verification is a secondary, and entirely optional, point. [...]
I disagree. If you can't be sure of who you are connecting to then you have already lost.
Since you can't actually trust commercial CAs, you've lost just as badly as if you trust a self-signed cert.
There's liability to consider too. If your bank account is emptied because a commercial CA was compromised then you should have no trouble getting the bank to make things right again - it's not your fault that they made a bad decision in who to trust. It will certainly be inconvenient, but the actual loss should be minimal.
You may be sitting in an internet café quite happily conducting an encrypted connection to a man-in-the-middle. If your information is worth securing then it is worth securing properly. As you say below, the informed user would weigh up the pros and cons of each situation and act accordingly, but just dismissing the identification aspect of SSL is a mistake.
I'm not dismissing it. I'm saying that it's not relevant in some, possibly even many or most, situations: situations where encryption to deter casual interception is sufficient. The meaning of "securing properly" varies depending on the circumstances - how important privacy is, what the risks and consequences of compromise are.
And anyone who does internet banking in an internet cafe is a fuckwit who has only themselves to blame when their bank account is emptied.
E.g. if I were running an internet cafe, I could buy certificates for paypal, google, various internet banks etc. from a rogue commercial CA - call them Komodo, like the giant lizard, for an entirely fictional hypothetical example :) - and divert all related traffic to my own bogus versions of those sites. The end-user using their laptop in my cafe would be none the wiser. The certs *would* be signed by a CA cert that their browser had pre-installed to trust. There would be no warning, no sign that there was anything wrong.
Yes, this is a problem. DNS poisoning is always a possibility though, and you are only marginally safer at home. One thing I wish my browser would tell me is when a cert has changed. E.g.: "Warning: This site previously used a certificate signed by Verisign and owned by bigbank pty ltd, but the certificate presented today is signed by CheapCA and is owned by bankofnigeria pty ltd. Are you sure you want to proceed?" Or even: "Warning: The previous certificate for this site was due to expire in 2014 but has been replaced today and has not been revoked. Please confirm that this is expected." So basically any unexpected change in certificate. The only expected change would be one where the cert was about due to expire and was replaced with a renewed cert (with all other details the same), or (maybe) a new certificate with the same signing details with the previous certificate having been revoked, although I'd probably like to see a warning in that case too, if only for curiosity's sake. Maybe such a plugin already exists??
And if you're conducting a private conversation that you *really* don't want intercepted then the *ONLY* way to ensure that is to exchange keys with the person you're talking to - i.e. trust the key that THEY gave you, not the key that some third-party (a commercial CA) says is the right one. You could do this directly (e.g. effectively a two-person web of trust), or by using the existing web of trust infrastructure.
Agreed.

James
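The "warn me when the certificate changes" check that James wishes his browser did, worked through as an added example (not code from the thread or from any browser plugin): a trust-on-first-use pin store that remembers the fingerprint, issuer, subject and expiry of the certificate seen on the first visit, and on later visits reports anything other than the same cert or an in-window renewal with identical issuer and subject. The sample certificates are minted in-process from two throwaway CAs ("Example Trusted CA" and "CheapCA") so it runs offline; the 30-day renewal window, the CA names, and the `bigbank.example` / `bankofnigeria.example` hostnames are assumptions chosen to mirror the thread, not anything the post specifies. The rogue-CA cafe scenario from the earlier message shows up as the "rogue CA" case: a cert that chains to a trusted root but to a different issuer than the one pinned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// PinRecord is what a trust-on-first-use store remembers for a host.
type PinRecord struct {
	Fingerprint string    // SHA-256 over the DER-encoded certificate
	Issuer      string    // issuer CN: the CA that signed it
	Subject     string    // subject CN: who the cert is "owned" by
	NotAfter    time.Time // expiry date
}

// RenewalWindow: a replacement counts as an expected renewal only if the
// stored cert was this close to expiry. The thread just says "about due to
// expire"; 30 days is an assumed value.
const RenewalWindow = 30 * 24 * time.Hour

// Record extracts the pinned fields from a parsed certificate.
func Record(c *x509.Certificate) PinRecord {
	sum := sha256.Sum256(c.Raw)
	return PinRecord{hex.EncodeToString(sum[:]), c.Issuer.CommonName, c.Subject.CommonName, c.NotAfter}
}

// Classify compares the pinned record against the certificate presented now.
// Only an identical cert, or an in-window renewal with the same issuer and
// subject that actually extends validity, passes without a warning.
func Classify(stored, presented PinRecord, now time.Time) string {
	switch {
	case stored.Fingerprint == presented.Fingerprint:
		return "unchanged"
	case stored.Issuer != presented.Issuer:
		return "WARNING: issuer changed"
	case stored.Subject != presented.Subject:
		return "WARNING: subject changed"
	case stored.NotAfter.Sub(now) > RenewalWindow:
		return "WARNING: replaced long before expiry"
	case !presented.NotAfter.After(stored.NotAfter):
		return "WARNING: replacement does not extend validity"
	default:
		return "expected renewal"
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key and signs tmpl with parent; when parent is nil
// the certificate is self-signed. Used only to build the constructed samples.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issuer is a throwaway CA: its self-signed cert and signing key.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) issuer {
	cert, key := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	return issuer{cert, key}
}

// issue signs a one-year server cert for cn expiring at notAfter and returns its pin record.
func (ca issuer) issue(cn string, serial int64, notAfter time.Time) PinRecord {
	cert, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.cert, ca.key)
	return Record(cert)
}

// Scenarios mints constructed certificates for the cases discussed in the
// thread and returns the verdict the pin check gives for each.
func Scenarios() map[string]string {
	now, day := time.Now(), 24*time.Hour
	trusted := newCA("Example Trusted CA") // hypothetical, stands in for "Verisign"
	cheap := newCA("CheapCA")              // the cheap/rogue CA from the thread
	stored := trusted.issue("bigbank.example", 100, now.Add(20*day)) // first visit, 20 days to expiry
	return map[string]string{
		"same cert":   Classify(stored, stored, now),
		"renewal":     Classify(stored, trusted.issue("bigbank.example", 101, now.Add(365*day)), now),
		"rogue CA":    Classify(stored, cheap.issue("bigbank.example", 102, now.Add(365*day)), now),
		"other owner": Classify(stored, trusted.issue("bankofnigeria.example", 103, now.Add(365*day)), now),
		"early swap":  Classify(trusted.issue("bigbank.example", 104, now.Add(700*day)), trusted.issue("bigbank.example", 105, now.Add(1000*day)), now),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-12s %s\n", name, verdict)
	}
}
```

Note the design choice: the check deliberately ignores whether the new chain validates against the browser's root store, because in the cafe scenario it does validate; the pin compares against what this client saw before, which is exactly the information a compromised or rogue CA cannot forge. A real implementation would also need to cope with legitimate CDNs rotating among several certificates for one hostname, which this store would report as a change on every alternation.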