Re: [TLS] Security concerns around co-locating TLS and non-secure

[Martin Rex <mrex@sap.com>]

Marsh Ray wrote:
> 
> > SSH has been so successful in large part because leap-of-faith works
> > rather well -- it has a very small window of vulnerability, a very big
> > vulnerability, yes, and requiring persistent storage, true, but
> > difficult to exploit without users eventually noticing.
> 
> I know I read a study somewhere of what users (a university setting I 
> think) typically did when presented with the "WARNING: REMOTE HOST 
> IDENTIFICATION HAS CHANGED!...Are you sure you want to continue 
> connecting (yes/no)?" question. I think the results were pretty dismal.

How surprising.  If you furnish your users with software that will
perform a social engineering attack on your users whenever an
outside attacker asks for it, why should you expect a different
reaction?  (btw. the SSH clients that I'm using do not suggest
to override a changed host key and in particular don't offer to
do so with a simple "Y" keypress, they just fail.)


Curiosity kills cats and makes social attacks succeed.


If you send an intriguing Email with a dangerous attachment to
a significantly large fraction of employees in a company, _some_
of the users _will_ double-click the attachment -- guaranteed.

For something that sounds moderately interesting it may be
around ~10% of the recipients blindly relying on the safety of
the AV-software to protect them from dangerous stuff.



The underlying problem with the "TLS PKI" is that it is an
ants-level solution to ant-level problems.  "Smells like its from
our nest -- just let it in".


Evolution caused more advanced species to use more sophisticated
schemes of trust and protection against impersonation, and I really do
not understand why there is so much resistance against evolving
TLS security beyond ants level.

All trust decisions performed by more advanced species are based on
leap-of-faith on initial encounter and memorizing information for
validating future encouters of the same individuals (and things),
including recognizing ones parents.


Personally, I find it frightening just how wildly successful
a tool like Firesheep is in attacking services like GoogleMail,
Hotmail, Facebook, ebay and sorts.  If the services themselves
already subvert the security so throughly by doing parts or most
of the communication totally unprotected, then it seems pretty
pointless to discuss the (lack of) value of the commercial CA TLS PKI.


For a number of "selling" players around the TLS technology, the most
interesting part appears to be the business models / business opportunities,
not the security.  And for a number of "consumers" of the TLS technology
the most appealing part is continuity in authenticating end users
with weak passwords.


> 
> So, except in cases where explictly unauthenticated endpoints are 
> involved, isn't it reasonable that for WG discussions to presume that a 
> security protocol will be building upon some form of trust framework?

There will always be both.  Starting from scratch with no
trust framework, and integrating into an existing trust framework
(personal, home/family, organizational/corporate or governmental).


> 
> Or is there a new world happening where we're retreating from that 
> principle and we now expect systems to somehow bootstrap their own 
> security out-of-the-box or not get used at all?


There are out-of-band key distribution & personalization schemes,
One that is being used quite heavily around the globe is distribution
"SIM" cards.  Another one is TPM modules.  Or smartcards containing
public key crypto and credentials.

The most popular schemes are "bootstrapping" with leap-of-faith,
and bootstrapping with (simple|default|anything) passwords.

And "thanks to TLS" traffic encryption, password based authentication
schemes will be with us for very much longer...


-Martin