Re: [HASMAT] Fwd: [TLS] TLS, PKI, and web security. Was: Eleven out of every ten SSL certs aren't valid
Adam Barth <ietf@adambarth.com> Fri, 02 July 2010 20:39 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2A63C3A6886 for <hasmat@core3.amsl.com>; Fri, 2 Jul 2010 13:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.074
X-Spam-Level:
X-Spam-Status: No, score=-3.074 tagged_above=-999 required=5 tests=[AWL=-1.696, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2fsCNFhj0in for <hasmat@core3.amsl.com>; Fri, 2 Jul 2010 13:39:16 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 04C963A68AC for <hasmat@ietf.org>; Fri, 2 Jul 2010 13:39:15 -0700 (PDT)
Received: by iwn10 with SMTP id 10so1342038iwn.31 for <hasmat@ietf.org>; Fri, 02 Jul 2010 13:39:27 -0700 (PDT)
Received: by 10.231.15.4 with SMTP id i4mr1403788iba.9.1278103161842; Fri, 02 Jul 2010 13:39:21 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id h8sm4606257ibk.15.2010.07.02.13.39.20 (version=SSLv3 cipher=RC4-MD5); Fri, 02 Jul 2010 13:39:20 -0700 (PDT)
Received: by iwn10 with SMTP id 10so1341936iwn.31 for <hasmat@ietf.org>; Fri, 02 Jul 2010 13:39:19 -0700 (PDT)
Received: by 10.231.11.3 with SMTP id r3mr1316305ibr.68.1278103159215; Fri, 02 Jul 2010 13:39:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.145.84 with HTTP; Fri, 2 Jul 2010 13:38:57 -0700 (PDT)
In-Reply-To: <4C2E081D.9020605@stpeter.im>
References: <4C2E081D.9020605@stpeter.im>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 02 Jul 2010 13:38:57 -0700
Message-ID: <AANLkTimq4Ai9W87yLf1p6po73ORC1lW3WauazjqKyyHf@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: hasmat@ietf.org
Subject: Re: [HASMAT] Fwd: [TLS] TLS, PKI, and web security. Was: Eleven out of every ten SSL certs aren't valid
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jul 2010 20:39:18 -0000
Yeah, Strict-Transport-Security is meant to address at least one of the threats discussed below (namely users who click through TLS error messages). FWIW, empirical measurements from the Chrome browser (of those users who opt in to sharing anonymous usage statistics) show that users click through approximately 80% of TSL warning screens. This statistic is not as dispositive as it might seem because it says nothing about whether clicking through those screens was or was not the correct security decision at the time. Some people have the notion that you should focus only on one threat model, but it seems entirely sensible to design security systems that provide a protection across a spectrum of threat models. Lastly, most of the studies about the prevalence of TLS certificate errors have serious methodological errors. For example, most would conclude that E*TRADE has misconfigured TLS certificates because https://etrade.com/ gives such an error, even though the vast, vast majority of E*TRADE customers never see that "error." (E*TRADE uses https://us.etrade.com/, which does have a valid TLS certificate.) Adam On Fri, Jul 2, 2010 at 8:39 AM, Peter Saint-Andre <stpeter@stpeter.im> wrote: > Some interesting discussions from the TLS WG list. Marsh's reflections > on the state of the art have some applicability to the HASMAT effort, I > think. > > /psa > > -------- Original Message -------- > Subject: [TLS] TLS, PKI, and web security. Was: Eleven out of every ten > SSL certs aren't valid > Date: Fri, 02 Jul 2010 03:47:23 -0500 > From: Marsh Ray <marsh@extendedsubset.com> > To: Peter Gutmann <pgut001@cs.auckland.ac.nz> > CC: tls@ietf.org > > On 07/01/2010 10:54 PM, Peter Gutmann wrote: >> >> (I'm dreading someone asking "OK, list all these refs" because then >> I'll have to go away and spend several hours digging them all up... >> how many do people want before they say "OK, that's enough"?. >> Cormac's paper has about eight, and that's barely scratching the >> surface). > > I believe you - surely most people will click through most warnings most > of the time. > >> No, it says that what we're doing doesn't work, has never worked, and >> as far as anyone can tell will never work (and we have a >> multibillion(?) dollar global cybercrime indistry to prove it), so >> lets look for alternatives that do work. > > But still, most of those people lost their online banking credentials to > the global cybercrime industry to a phishing email, because they use the > same password everywhere, because their endpoint PC is owned by a > keylogging botnet, or all of the above. They got this way by buying > downloading commercial application software in brightly colored boxes, > not keeping it up-to-date, and trusting a UI when it says "this > executable is signed and has a shield icon, click OK to let it own your > computer". > > They likely did not get owned by a MitM of their SSL/TLS connection > where they clicked through a scary page. > > Some observations: > > 1. This is not evidence that "browser warnings are ineffective". If > anything it shows that HTTPS is categorically better than most other > parts of this system. > > 2. These users are completely incompetent relative to the impossibly > hard job of keeping a general-purpose computer secure while consuming > content from the hostile internet. (This is not to say anything bad > about them, they are probably wiser for not wasting too much personal > energy on managing data security.) It will be forever impossible to keep > them "safe online", just like 200 years of experience in postal > technology has not eliminated mail fraud. > > Therefore I strenuously object to this "least-common-denominator users > confidently spending money online" model being allowed to drive the > discussion of TLS. It is simply not possible to have a meaningful > technical discussion about a cryptographic data security protocol unless > we can agree that both Alice and Bob have a baseline of self-interest > and competence to secure their endpoints. > >>Let's just admit >> that what users are getting now is effectively unauth'd DH and then >> try and give them something that actually works. > > No! Not this user, and not the systems I help to build and deploy. There > are all kinds of interesting, embedded, automated, unattended, and > large-scale systems successfully using TLS for securing critical data > communications. > > More importantly, there _are_ careful and conscientious admins who do a > totally professional job at maintaining their production systems > according to recommended best practices. It is the requirements of this > group that TLS must be optimized to meet. For if the competent > professional cannot successfully employ the full security of this > protocol, what chance does that leave for the typical user? > > Consider the biggest shift in data processing in decades is cloud > computing. Cloud management and seemingly every piece of new networking > gear presents a web-based admin UI for use with your ordinary browser. > So the security of the apps, documents, servers, VPNs, and even big > parts of the network itself has been rebuilt atop TCP port 443. > > This architecture self-organized due to powerful economic and social > forces, not because anyone felt it was the best way from a security > perspective. So we really have no choice but to get our protocol > primitives nailed down air-tight: > > * Users must be informed of the essential role they have in the security > architecture. They need to know a bit more of the mechanics of PKI in > order to bring to bear the common sense that people are actually pretty > good at. I suspect most people will take it seriously and can actually > do a respectible job of it, just like most people understand not to use > a hair dryer in the bathtub. Note that that little bit of user education > cost neither bathtubs nor hair dryers any market share. > > * PKI built on the absolute trust of hundreds of omnipotent root certs > from friend and foe alike just doesn't cut it any more. Vendors of the > disintegrating status quo need to lead with some real improvements or > embrace obsolescence. > > * Server admins need to be informed that HTTPS does not allow the server > to prove the nonexistence of a MitM, the protocol relies on the client > to do a good job of this. Therefore the server ends up having no choice > but to transitively trust the union of all the sets of trusted root > certs of all the clients that could be used to access the system. > > * TLS client certificate auth can allow the server to disprove the MitM. > Web clients and servers should implement first-rate support for this > configuration and provide integrated tools for users and admins to > manage them. > > * A limited, securable subset of this insane layer cake of protocols we > currently call "the web" needs to be precisely defined and adopted. Its > use must become accepted as required best practice in security critical > contexts, much like https has. It must include a browser security model > with well-defined and strong boundaries. > > * Much as we once thought security would result naturally from a > thorough analysis of functional requirements, current designs sometimes > meet stated security goals yet have undesirable properties relating to > expectations of privacy. Mechanisms for identifying and metadata tagging > relevant information (as we may sometimes retain character data encoding > information) and implementing data handling policies (much like database > integrity constraints) should be standardized. > > * The identities of all parties contributing content, script, and > cookies affecting the current page need to be prominently displayed and > greatly restricted for secure systems. There may yet still be time to > prevent your firewall's admin page from hosting web bugs for advertisers > and participating in social networking mashups. > > Anyway, just some thoughts on things that could use improving. It seems > like TLS itself is decent shape and is in a good position to expand its > role in support of some larger goals. > > - Marsh > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > > _______________________________________________ > HASMAT mailing list > HASMAT@ietf.org > https://www.ietf.org/mailman/listinfo/hasmat > >
- [HASMAT] Fwd: [TLS] TLS, PKI, and web security. W… Peter Saint-Andre
- Re: [HASMAT] Fwd: [TLS] TLS, PKI, and web securit… Adam Barth