Re: [therightkey] Basically, it's about keeping the CAs honest

Phillip Hallam-Baker <hallam@gmail.com> Mon, 13 February 2012 18:32 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B7E221F8550 for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 10:32:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.384
X-Spam-Level:
X-Spam-Status: No, score=-3.384 tagged_above=-999 required=5 tests=[AWL=0.216, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIrUEgYTE32m for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 10:32:49 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6DC21F8559 for <therightkey@ietf.org>; Mon, 13 Feb 2012 10:32:49 -0800 (PST)
Received: by ggnq2 with SMTP id q2so2931181ggn.31 for <therightkey@ietf.org>; Mon, 13 Feb 2012 10:32:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5/SYBm3Q3tC2FqXtQIRjx5GN/zunAoXCzxyymg1c7V8=; b=MKLODMB7yv5TVWkEQafHRkmttYH66E6rkPlBUZ3TRHoAh/HivBIUN5Cjind0v91H/B 6fDS6DjIif1/AqOZfqz9NUH+I/CYJL9caUMcBhXgS4cCqdEuy51H4vxgEPC5C+1DKIWg IN0wHDjOfw7uCs68pQcZrlUX1JRNAyKmhexuU=
MIME-Version: 1.0
Received: by 10.60.19.73 with SMTP id c9mr4920908oee.19.1329157969036; Mon, 13 Feb 2012 10:32:49 -0800 (PST)
Received: by 10.182.75.138 with HTTP; Mon, 13 Feb 2012 10:32:48 -0800 (PST)
In-Reply-To: <0600CF7A-A8CB-4E35-B729-43D626434645@virtualized.org>
References: <201202131636.q1DGafVR006049@fs4113.wdf.sap.corp> <0600CF7A-A8CB-4E35-B729-43D626434645@virtualized.org>
Date: Mon, 13 Feb 2012 13:32:48 -0500
Message-ID: <CAMm+LwjkPZm9FF=FGx+vb_JxLRbygm-y1H85Powq6U0UfxSKCQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: David Conrad <drc@virtualized.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: therightkey@ietf.org, mrex@sap.com
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 18:32:50 -0000

+1

It is also worth pointing out that the MITM certs stopped being
offered commercially as soon as it became public knowledge that they
had been.

Presumably the next step the companies providing this facility will
take is to offer their own browser with the capability built in. It is
no good jumping up and down saying people should not make such
devices. The choice we have is whether to do the job right or let them
do it without any input.


What I find wrong with the MITM proxies is that they offer a
completely transparent mechanism. The user is not notified that they
are being logged. I think that is a broken approach because the whole
point of accountability controls is that people behave differently
when they know they are being watched.

I don't mean just changing the color of the address bar either. I
would want to see something like the following:

0) The intercept capability is turned on in the browser, this would be
done using a separate tool and lock the browser to a specific
intercept cert root.

1) User attempts to connect to https://www.example.com
2) Browser throws up splash screen for 5secs stating 'Your connection
has been intercepted'
3) Business as usual.

The splash screen would appear once per session with a new host and
reset periodically.

It should show the interception cert being used as well.


On Mon, Feb 13, 2012 at 1:21 PM, David Conrad <drc@virtualized.org> wrote:
> On Feb 13, 2012, at 8:36 AM, Martin Rex wrote:
>> The fact that there are products (client-side HTTPS proxies that
>> perform MITM and inspect content) actively sold and used,
>> which are vitally dependent on being able to exploit weaknesses
>> of the existing TLS X.509 PKI security&trust model, is a sure proof
>> that something is wrong with the existing security model.
>
> Well, it is proof that the theoretical model in which authorized MITM was disallowed was seen as too limiting.
>
>> I do not think there is value in maintaining backward compatible
>> weaknesses, and personally, I do not mind the slightest about breaking
>> those protocol subverting middle boxes, be it by the use of TLS channel
>> bindings, or the checking of DANE TLSA records.
>
> Pragmatically speaking, if you come up with an architecture that disallows people from doing what they want/need to do, they'll either figure out ways around it or not use that architecture.
>
> Regards,
> -drc
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey



-- 
Website: http://hallambaker.com/