Re: [TLS] TLS, PKI, and web security. Was: Eleven out of every ten SSL certs aren't valid

[Peter Gutmann <pgut001@cs.auckland.ac.nz>]

[Just a general note, if people think this is off-topic and want it moved to
 private mail I'd be happy to do that, but I think it's an interesting
 discussion, TLS is more than just getting the bits on the wire right, it's
 also a matter of applying it effectively]

Marsh Ray <marsh@extendedsubset.com> writes:

>But still, most of those people lost their online banking credentials to the
>global cybercrime industry to a phishing email, because they use the same
>password everywhere, because their endpoint PC is owned by a keylogging
>botnet, or all of the above.

If browsers implemented credential security properly (client-side password
deversification and failsafe mutual auth) then the only one on that list
that'd still be a threat is man-in-the-browser attacks, and for that one, once
your machine is 0wned it's pretty much game over anyway.  So there are things
that can be fixed, they're just not getting fixed.

>1. This is not evidence that "browser warnings are ineffective". If anything
>it shows that HTTPS is categorically better than most other parts of this
>system.

Uhh, going back to the list of studies again, there's been study after study
after study showing they are ineffective - they have next to no effect on user
behaviour.  I'll list just one of them:

  "You've Been Warned: An Empirical Study of the Effectiveness of Web Browser
  Phishing Warnings", Serge Egelman, Lorrie Cranor and Jason Hong, Proceedings
  of the 2008 Conference on Human Factors in Computing Systems (CHI.08), April
  2008, p.1065.

because the title sprung to mind when you mentioned "browser warnings".  These
things don't work.

>Therefore I strenuously object to this "least-common-denominator users
>confidently spending money online" model being allowed to drive the
>discussion of TLS. It is simply not possible to have a meaningful technical
>discussion about a cryptographic data security protocol unless we can agree
>that both Alice and Bob have a baseline of self-interest and competence to
>secure their endpoints.

My interest is in keeping real-world users secure.  If I'm providing security
tools that don't do that then I'm not doing my job properly.  It's not the
user's job to learn whatever geeky stuff I think they need to know, it's my
job to give them something that keeps them secure (or at least as secure as
possible under the circumstances, I can't do much about an 0wned PC).  So I
think it is very valid to discuss it in terms of lowest-common-denominator
users, because that's who'll be using our tools.

>No! Not this user, and not the systems I help to build and deploy. There are
>all kinds of interesting, embedded, automated, unattended, and large-scale
>systems successfully using TLS for securing critical data communications.

Uhh, but what does that have to do with protecting users going to bank and
online shopping web sites?

(Two points in response to this: (1) if you control the environment then you
can push out pretty much anything you want as your security system, including
nothing at all (geographic entitlement, to authenticate yourself you have to
enter the room where the equipment is and plug in an ethernet cable), so this
isn't really a major feat, and (2) compared to the Internet at large there are
close to zero attacks on these sorts of systems (and in the odd exceptions
when SCADA-type stuff has been attacked in the past it's been found to be
swiss cheese), so "successfully using TLS" really means "we got data from A to
B", not "it's been proven resistant to a concerted attack").

>More importantly, there _are_ careful and conscientious admins who do a
>totally professional job at maintaining their production systems according to
>recommended best practices. It is the requirements of this group that TLS
>must be optimized to meet.

Uh... I thought it was to protect Joe Sixpack from having his credit card
stolen?  Professional sysadmins are the last person you want to worry about
optimising for, any sysadmin worth his salt will be able to secure their data
given no more than chewing gumm and rubber bands.  It's the 1.7-billion or so
global population of users who aren't professional sysadmins that I'm
interested in helping, not a handful of sysadmins somewhere.

>* Users must be informed of the essential role they have in the security
>architecture. They need to know a bit more of the mechanics of PKI in order
>to bring to bear the common sense that people are actually pretty good at.

Umm... I better not reply to a statement like this, because the response would
be... inflammatory.

>* TLS client certificate auth can allow the server to disprove the MitM. Web
>clients and servers should implement first-rate support for this
>configuration and provide integrated tools for users and admins to manage
>them.

Steffen, you've won your prize :-).

(For people who don't get the ref, it's:

 "Now comes the part where somebody replies that this is all solved by client
 certificates and the discussion is closed 'til next time...)"

Peter.