On 28/04/13 22:00, Simon Waters wrote:
> On 28/04/13 20:58, Brad Rogers wrote:
>>> the "web of trust" of certificate authorities to the point where many
>> The cert authorities don't do web of trust, unless I've missed
>> something. They simply sell a 'certificate' to anyone with the money to
>> pay for it. You or I could buy one.
> The certificate authorities all do some sort of check aside from taking
> your money.
>
> The issue is you are reliant on the security, integrity and checks of
> the weakest of the certificate authorities that your browser trusts.
>
> So the list doesn't scale well, and currently in my browser has a lot of
> entries. Apparently my browser trusts Vodafone, and VeriSign, Google,
> AOL, Deutsche Telekom, Microsoft, organisations in Turkey whose name I
> can't even read the alphabet for, and various banks and companies in
> Japan, Switzerland, America, South Africa etc.
>
> The Web of Trust scales better, since you are reliant on a small number
> of people you trust to introduce others. There is also gradation of
> trust (well a little).
>
> Both can be subverted, but they are typically used for different things.
>
> If I get a GPG signed email which is in my web of trust, it is likely to
> be reporting a security issue and the encryption is for privacy.
> Obviously if I use it for immediate wire transfer I need to be more
> careful. But even then it is unusual to exchange sensitive information
> via email with people you've never met unless you are directly
> introduced via a third party (hopefully someone in your web of trust).
>
> If I connect to my bank via HTTPS the security is to prevent immediate
> theft/fraud, typically I don't check the details beyond "it works
> without errors".
>
> There is a partial solution to the dodgy certificate authority issue,
> which is the use of an HTTPS certificate notary. Instead of simply
> checking the certificate is valid, you also check with a trusted third
> party (or more than one if really paranoid) if this is the same
> certificate other people are seeing for the same website (and also if it
> has changed recently).
>
> Thus if you are in Iran, and contact accounts.google.com over https to
> login to google mail, and receive a certificate from a Turkish
> certificate authority, rather than the one you've had previously from
> Google's certificate authority, your browser checks with the notary and
> flags up a discrepancy.
>
> HSTS will be the technology for improving HTTPS security in 2013 (it is
> already keeping most of us safer using Google and Paypal and you
> probably never noticed). It is there and working in Chrome and Firefox,
> and is one header in your web server to set up, so easy and simple with
> no real downside.
>
> Notary type checks will probably take a few years more to become the
> default behaviour in browsers, but unless a better solution emerges, I'm
> pretty sure it will happen because all certificate authorities are not
> created equal. Let us hope it doesn't take a major cock-up for it to happen.
>
> If you have a trusted third party who checks if certificates are
> trustworthy, you arguably may not need the certificate authorities.
> Since they could validate that self signed certificates are consistent
> over time, or manage your list of trusted authorities in some other way.
> Much money could be at stake during this transition.
>
> Of course none of this protects you from a genuine but stolen
> certificate, or a compromised remote server, which are probably bigger
> threats for most people (but not all).
>

The great Moxie Marlinspike is all over this, check out:

http://tack.io/

Also, DNSSEC must be implemented everywhere at the first possible
opportunity, if not sooner.

I am one of the people who believe that the current CA infrastructure is
hopelessly, pathetically inadequate and effectively broken. HSTS is not
going to be a panacea to cure everything, but I am hopeful and looking
forward to it being much more widely implemented (if nothing else it
should stop SSL stripping MITM attacks, another of Moxie's firsts).

Internet security is in a terrible state at the moment.

Cheers

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
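
The notary check described in the quoted message, sketched as an added example that is not part of the original thread: the client fingerprints the certificate it was served and compares it with what several notaries report, flagging both a disagreement and a recent change. The `Observation` record, the notary names, the quorum and age thresholds, and the byte strings standing in for DER certificates are all constructed assumptions, not a real notary API.

```python
import hashlib
from typing import NamedTuple

class Observation(NamedTuple):
    """One notary's report for a host (constructed record, not a real notary API)."""
    notary: str
    fingerprint: str   # SHA-256 hex of the certificate that notary was served
    days_seen: int     # how long the notary has been seeing that certificate

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def notary_check(presented, observations, quorum=2, min_age_days=7):
    """Compare the certificate we were served with what the notaries see."""
    fp = fingerprint(presented)
    agree = [o for o in observations if o.fingerprint == fp]
    differ = sorted(o.notary for o in observations if o.fingerprint != fp)
    reasons = []
    if len(agree) < quorum:
        reasons.append(f"{len(agree)} of {len(observations)} notaries see this certificate")
    if differ:
        reasons.append("different certificate reported by: " + ", ".join(differ))
    # Even when everyone agrees, a certificate nobody saw last week deserves a look.
    if agree and max(o.days_seen for o in agree) < min_age_days:
        reasons.append("certificate changed recently")
    if len(agree) < quorum:
        return "mismatch", reasons
    return ("warn" if reasons else "ok"), reasons

# Constructed stand-ins for DER certificate bytes.
USUAL = b"constructed: certificate normally served for login.example.test"
UNEXPECTED = b"constructed: certificate for the same name from another CA"
RENEWED = b"constructed: freshly rotated certificate"

def views(cert, days):
    """Three hypothetical notaries that all report the same certificate."""
    return [Observation(n, fingerprint(cert), days)
            for n in ("notary-a", "notary-b", "notary-c")]

if __name__ == "__main__":
    print(notary_check(USUAL, views(USUAL, 200)))
    print(notary_check(UNEXPECTED, views(USUAL, 200)))
    print(notary_check(RENEWED, views(RENEWED, 2)))
```

As the quoted message notes, a check like this says nothing about a genuine but stolen certificate: every notary would report the same fingerprint the client sees.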