Re: employment market for applied cryptographers?

2002-08-19 Thread Ian Grigg

 On the employment situation... it seems that a lot of applied
 cryptographers are currently unemployed...

Adam,

just interested:  do you have a definition of what an
applied cryptographer is?

-- 
iang

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



How effective is open source crypto?

2003-03-15 Thread Ian Grigg

How effective is open source crypto?

http://www.securityspace.com/s_survey/sdata/200302/protciph.html

One measure is to look at how effective the
open source crypto regime is in getting
product out there.  From the above, it is
fairly easy to suggest that strong crypto is
totally available to all, probably thanks to
the efforts of open source crypto providers.



How effective is the SSL cert regime?

Last page showed 9,032,963 servers.  This
page shows 112,153 servers using certs.

http://www.securityspace.com/s_survey/sdata/200302/index.html

That's right, folks.  In the particular
case of web browsing, the USAGE of crypto
has been relegated to 1% of potential
opportunities.

(Probably much less than that due to other
factors, but 1% makes for a nice soundbite.)

Why?  Because a) it is relatively hard to get
a server configured with a cert, and b) the
browsers discriminate against self-signed
certs, forcing administrators to go the more
troublesome, costly and frustrating way of
requiring purchased and approved certs.

(For no measurable added value to the security.)

(So they don't.)

I suggest that open source crypto has won
the crypto wars, and the implementations
of SSL have bungled the peace for us.

It is ludicrously easy to encourage more
use of crypto, by repairing the browsers
and servers in these two ways:

Fix 1. browsers should not negatively
  discriminate between self-signed,
  CA-signed and unprotected HTTP.

  (For example, browsers might show one
  icon for the self-signed and another
  icon for the CA-signed - maybe a
  branded icon from the CA.  There
  should be no FUD warnings when going
  from totally unprotected HTTP to
  connections secured by self-signed
  certs.)

Fix 2. Apache and other servers
  should be configured out of the
  box automatically with SSL enabled
  over the default site.

  (Which means, a self-signed cert
  [unencrypted on disk] and the server
  listening on its port.)

(There are plenty of minor fixes as well,
such as renaming the self-signed certs
to be self-signed.  At the moment, they
are sometimes incorrectly labelled as
snake oil, thus confusing the users by
implying that they are not definitively
better than unprotected HTTP.)

To conclude, open source crypto has not
shown itself to be effective, at least
within the one protocol examined above,
but could easily be so with some changes
to the implementations.

-- 
iang

PS:  I don't know who Security Space is,
there is also another company called
Netcraft that provides similar stats,
but they do not release the results in
so timely a fashion, so conclusions tend
to suffer from being already out of date.



Who's afraid of Mallory Wolf?

2003-03-24 Thread Ian Grigg
Who's afraid of Mallory Wolf?



By common wisdom, SSL is designed to defeat
the so-called Man in the Middle attack, or
MITM for short.

Also known as Mallory, in crypto circles.

The question arises, why?  For what reason is
the MITM a core part of the SSL threat model?
And, why do all the implementations assume this?

(It is, in fact, possible to use SSL, or TLS
as it is now known, without regard to the MITM
protection that is part of the model - certs -
but I ignore that here, as do implementations!)

One has to go back to the original invention
of SSL, back in 1994 or so:  the web was storming
the barricades as the 2nd great killer application
for the net (email was the 1st).  Companies were
dipping their toes into the endless possibilities
of commerce.

Netscape was evolving as the master of the new
net, the challenge to Microsoft, the owner of
all things it surveyed.

And, as with all dot-com crazies to follow, it
had nothing spectacular in the way of a business
model.  Selling a few secured servers, was all.

This whole commerce thing was, at that time, a
great wonder, because it involved earning money,
and money that was honestly earnt was a precious
short commodity at Netscape in those days.



To cut a long story off at the knees, Netscape
put together a variant of the HTTP protocol
layered over crypto.  This was sold in addition
to its servers as the way to secure credit card
payments over the net.

The analysis of the designers of SSL indicated
that the threat model included the MITM.

On what did they found this?  It's hard to pin
it down, and it may very well be, being blessed
with nearly a decade's more experience, that
the inclusion of the MITM in the threat model
is simply best viewed as a mistake.

Consider this simple fact:  There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).

(Over any Internet medium.)

Even worse, there's not been any known MITM of
any aggressive form.  The only cases known are
a bunch of demos, under laboratory conditions.
They don't count, and MITM remains a theoretical
attack, more the subject of learnings and design
exercises than the domain of business or crypto
engineering.

How hard is this fact?  A bit softish, actually,
but given the amount of traffic we have seen
in the last decade, one would think that MITMs
would have made their appearance in aggressive
attacks by now, perhaps by scanning emails,
perhaps by listening to unprotected HTTP.

(In fact, there are now fertile grounds for the
attack, with the advent of 802.11b.  There are
even kits available for it.)

But so far, no cases have been found.  (In
fact, there isn't too much evidence, beyond
the circumstantial bemoanings of those that
can't, to indicate that aggressors are even
passively listening, let alone trying more
sophisticated MITM attacks.)



Within the world of credit cards, the people
who work directly within the ecommerce industry
admit privately that this is true [1].  All lost
credit card events are based on other attacks.

Which leads one to wonder what the threat is?
And if there is a threat?  That is, should the
MITM be in the threat model for SSL, or should
it be excluded?

Internet cryptography gives us one answer:

If it can be protected against, it should
be, as to do otherwise results in a false
sense of security.

This is what I call 100% cryptography for want
of a better term.  It's a sort of journeyman
phase of crypto-plumbing, at that time when as
beginners, we read from the big red book.  We
imagined how to deal with many dark and scary
threats and we all agreed, no question, the goal
was to cover more of them than the next guy.

We would swap conspiracy theories well into the
night, all the while, bemoaning the lack of usage
of real cryptography, the poverty of our opponent's
wit, and the fruitiness of our cheap red wine.

I miss those days, if not the product of those
mad times.  It was also a time where we rarely
saw the real life implications of our code,
deployed in a threatening environment.  In
short, we 100%-ers built systems based on
expectations, but we did not close the feedback
loop to push the real life results back into
the deployed systems.



Economics gives us another answer:  a standard
approach to deciding how to spend money.

  1.  estimate the average cost of each attack.

  2.  estimate the number of attacks

  3.  multiply the above two to get a total
  cost.

  4.  likewise, estimate the total cost of
  avoiding the attacks.

  5.a if you can avoid these attacks by
  spending less money, you profit.

  5.b if you spend more than you save, you lose.

It's just economics, and statistics, and the
validity here is simply that credit cards are
nothing if they are not economically- and
statistically-based models of commerce and
fraud.

So, let's guess the cost of each CC lost to our
MITM as $1000.  (Pick your own number if you
don't 

Re: Keysigning @ CFP2003

2003-03-24 Thread Ian Grigg
On Saturday 22 March 2003 17:12, Douglas F. Calvert wrote:
   
   
 I will be organizing a keysigning session for CFP2003. Please submit
 your keys to [EMAIL PROTECTED] and I will print out sheets with key
 information in order to speed up the process. Bring a photo ID and a
 copy of your key information so that you can verify what is on the
 printout. A list of submitted keys and a keyring will be available on:

I must be out of touch - since when did
PGP key signing require a photo id?

-- 
iang



Re: Who's afraid of Mallory Wolf?

2003-03-24 Thread Ian Grigg
On Monday 24 March 2003 11:37, Peter Clay wrote:
 On Sun, 23 Mar 2003, Ian Grigg wrote:
 
  Consider this simple fact:  There has been no
  MITM attack, in the lifetime of the Internet,
  that has recorded or documented the acquisition
  and fraudulent use of a credit card (CC).
  
  (Over any Internet medium.)
 
 How do you view attacks based on tricking people into going to a site
 which claims to be affiliated with e.g. Ebay or Paypal, getting them to
 enter their login information as usual, and using that to steal money?

Yes, that's definitely an attack.  As
was pointed out, the use of the cert
seems to do two things:  stop the
MITM (via a secured key exchange so
the listener cannot see inside the
packets) and confirm the site as per
what is stated in the URL.

My post of last night addressed the
MITM only.  I completely ignored the
issue of spoofing, which would only
be possible if there is no complex
relationship between them - which is
a debatable point.

 It's not a pure MITM attack, but the current system at least makes it
 possible for people to verify with the certificate whether or not the site
 is a spoof.

Does the cert stop spoofing?  That's
the question!  If it does, then there
might be value there.  In which case
we can measure it and construct a cost-
benefit analysis to decide whether to
protect against it.

  So, let's guess the cost of each CC lost to our
  MITM as $1000.  (Pick your own number if you
  don't like that one.)
  
  Then, how many attacks?  None, from the above.
  
  Multiplied together, and you get ... nothing.
 
 So, you claim that a system designed to make MITM attacks impossible has
 not suffered a successful MITM attack. Sounds rather tautologous to me.

No, there has been little evidence of MITMs
*outside* the system.  (I said none, Steve
Bellovin said some...)

The fact that there are none within the
system, yes, that would only show either
the attacks were defeated, or there weren't
going to be any, or that there are better
pickings elsewhere...  It doesn't allow
you to conclude anything about the need
for protection.

Check Lynn Wheeler's new post (thanks Lynn!)
which points to a lot of inside knowledge
about the absence of any aggressive MITM
activity inside the credit card world.

And, see Steve Bellovin's post for some
evidence of MITM outside the credit card
world.

  The software mandates it:  mostly the browsers,
  but also the servers, are configured to kick up
  a stink at the thought of talking to a site that
  has no certificate.
 
  As such, SSL, as implemented, shows itself to
  include a gross failure of engineering.
 
 The system was engineered very well to requirements with which you
 disagree.

:-)  Terms are always debatable!  I'd say that
engineering *includes* the appropriateness
of the requirements.  Science does not.

Where I would agree:  the _protocol_ was engineered
very well to meet its requirements.  It's not a bad
protocol, by any logic.  However, no protocol
exists within a vacuum, this one exists within a
_system_ that is commonly also known as SSL.

(Therein lies a big problem here:  I know of no
separate term to distinguish SSL the protocol
from SSL, the secure browsing system that
you or I use to send our credit card numbers
safely.)

  [2] AFAIR, Anonymous-Diffie-Hellman, or ADH, is
  inside the SSL/TLS protocol, and would represent
  a mighty fine encrypted browsing opportunity.
  Write to your browser coder today and suggest
  its immediate employment in the fight against
  the terrorists with the flappy ears.
 
 Just out of interest, do you have an economic cost/benefit analysis for
 the widespread deployment of gratuitous encryption?

No, but it would be an interesting exercise!

 It's just not that important.

It's interesting that you say that ... why is it
then that people like Ben Laurie, Eric Young,
Eric Rescorla and others spent years writing
and deploying software for free?  Why do the
people at Safari and Mozilla and Konqueror
also spend all that time getting SSL to work?

I don't claim to know the answer.  But, if
their answer is to protect credit card numbers
well, actually, I don't think so!

And that's the point of the rant:  to identify
some of these underlying assumptions like SSL
protects your credit card numbers and reveal
the truth or otherwise.

Hopefully, if we can strip out the myths,
we'll find the truth.

 If your browsing privacy is important,
 you're prepared to click through the alarming messages. If the value of
 privacy is less than the tiny cost of clicking accept this certificate
 forever for each site, then it's not a convincing argument for exposing
 people who don't understand crypto to the risk of MITM.

People don't think like us techies do.  They see
the messages, and they ask for explanations
from other people.  Who may or may not know
what it all means.  The end result is the lowest
common denominator - if there is a message,
then something is wrong.

And that's the point

Re: Who's afraid of Mallory Wolf?

2003-03-24 Thread Ian Grigg
On Monday 24 March 2003 13:02, Steven M. Bellovin wrote:
 In message [EMAIL PROTECTED], Ian Grigg writes:
 Who's afraid of Mallory Wolf?
 
 
 
 Even worse, there's not been any known MITM of
 any aggressive form.  The only cases known are
 a bunch of demos, under laboratory conditions.
 They don't count, and MITM remains a theoretical
 attack, more the subject of learnings and design
 exercises than the domain of business or crypto
 engineering.
 
 Sorry, that's flat-out false.  If nothing else, there was a large-scale 
 MITM attack on the conference 802.11 net at the 2001 Usenix Security 
 Symposium.

Thanks Steve, now we are getting closer.
802.11b is where I'd been expecting it to
happen, as the costs of the MITM come
right down there.

Would you characterise the attack as a
bunch of techies mucking around, or would
you characterise it as an aggressive attempt
to gain a commercial advantage?  I.e., did
the attackers steal anything?  Or did they
just annoy people by showing how cool
they were?

I would surmise that's a techie conference, and
is thus a demonstration, not a measurable
risk.

 Spammers are hijacking BGP prefixes; see 
 http://www.merit.edu/mail.archives/nanog/2002-10/msg00068.html
 for one such incident.

I can't see clearly whether this is
an MITM or a spoofing - did they stand
in the middle and listen and divert?

Or, did they just tell innocent servers
to start re-routing traffic?  It seems
like an announcement of routes, and
the listeners just believed...

(But, it is an aggressive attack, someone
tried to steal traffic for commercial gain.)

I think you may be right in that my
use of the term MITM is too broad.
The cert in SSL protects against a
cryptographic MITM in, for example,
an ADH session.

But, MITMs outside that are important
measurable risks so we can create our
threat model.  The fact that this attack
appears not to be analogous to the
SSL-style MITM may or may not be
relevant.

 Eugene Kashpureff pleaded guilty to domain-name hijacking; used
 very slightly differently, that's a MITM attack.  See
 http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm for
 details.

From what I recall, this was a demo.

He didn't do it to steal.  He did it to
highlight the business aspects.  Sadly
for him, he miscalculated (grossly, it
seems).  But, his case fits in the sense
of not a criminal seeking to steal value,
and therefore not a case of measurable
risk.

 I warned of the possibility of hijacking via routing attacks in 1989,
 and via DNS attacks in 1995.  (See the 'papers' directory on my Web
 site.)

I certainly accept them as possible.

That's not disputed, and never has
been, as indeed, that was the whole
thrust of the discussion:  The SSL
designers put the protection in
because the threat was possible.

They quite rightly offered the choice
in the protocols.  Where I am concerned
is that they also wrongly forced the
certificate path on browsers and
servers.  To our detriment, and to
theirs.)

 Given that the attacks were demonstrably feasible, Netscape
 would have been negligent not to design for it.  Given that such attacks
 or their near cousins have actually occurred, I'd say they were right.

No, I'm afraid that does not hold.  The
reason we protect against attacks is
because when they happen, they incur
costs.  But, designing in protection also
incurs costs.  We must do a cost-benefit
analysis to decide if it is appropriate to
protect against it.

To say that attacks are feasible and
therefore must be defended against is
not how we work.  We can guarantee
that you are immune to car accidents,
simply by asking you to stay at home.
You (probably) chose not to do so,
because you chose to enjoy the higher
benefit of travelling, as against the
smaller expected cost of suffering
an accident.

 And yes, you're probably right that no one has stolen credit card numbers
 that way.  Of course, since the defense was in place before people
 had an opportunity to try, one can quite plausibly argue that Netscape
 prevented the attack

Right.  But it's an empty argument if there
is no need.  We don't carry umbrellas when
the sun is shining, only when the sky is grey.
And, we don't build meteorite protection at
all, even though we could, and they happen!

We use information about real threats and
how they hurt us to decide whether to
worry about them.  And that's why the
question about MITMs is so key!

The question is, is there a need?  From
several economic points of view, the need
fails to show itself.  And, the cost is quite
high, both in cash, and lost security.

Taking your links above at face value, I'll
assume that the cost of stolen/hijacked IP
number there was about $10,000 in lost
business and customers being annoyed
at unexpected porn.

Say that happens once a metric month to
some random victim  ... or, $100,000 per
year.  That cost simply fails to justify any
level of signed-certificate infrastructure, so,
I'd conclude that the BGP protocol designers
have done

Re: Who's afraid of Mallory Wolf?

2003-03-24 Thread Ian Grigg
On Monday 24 March 2003 14:11, David Turner wrote:
 Grigg counts the benefits of living in a MITM-protected world (no MITM
 attacks recorded), as though they would happen with or without MITM
 protection.  Is there any reason to believe that this is, in fact,
 true?

That is indeed the question, sans personal
issues.

 That is, if zero dollars were spent on MITM protection, would
 there still be no recorded attacks?

Actually, I think that if zero dollars had been
spent on MITM protection for SSL, then there
may well have been some MITM attacks.

That then would be a good position to be in,
because we could measure the costs of those
attacks, and decide from a monetary perspective
whether protection at the level of requiring
signed certificates is a good thing or just a
waste of money.

My own guess is that MITM activity is so low
across all domains of the net that we would
not be able to reliably measure it, and if we
could measure it, we'd find it not sufficient
to mandate certificates as is currently done.

Which - to repeat - is not to remove certs
from the servers or browser, but to change
the way in which we assume that only
cert-protected browsing is good enough.

The certs are really good for high end sites
(because, economically, they return benefits
even if there was no MITM threat).

But why are they needed for smaller things?
Why do I need a certificate to run an SSL
server so that my family can share snapshots
for instance?  Just a hypothetical...

 Until that's answered, Grigg's
 economic analysis is flawed.
 
 I used to get picked on, but since I bulked up and learned karate,
 nobody's picked on me.  I guess it was pointless to do those things.

You provided your own answer :-)  You used
to get picked on, so you had a measure of
its cost.  You acted to defend against those
costs.

Did you ever get MITM'd?  Anywhere?  Any
time?  Anyone you know?

-- 
iang



Re: Who's afraid of Mallory Wolf?

2003-03-25 Thread Ian Grigg
On Monday 24 March 2003 19:26, bear wrote:
 On Mon, 24 Mar 2003, Peter Clay wrote:
 
 On Sun, 23 Mar 2003, Ian Grigg wrote:
 
  Consider this simple fact:  There has been no
  MITM attack, in the lifetime of the Internet,
  that has recorded or documented the acquisition
  and fraudulent use of a credit card (CC).
 
  (Over any Internet medium.)
 
 There have, however, been numerous MITM attacks for stealing
 or eavesdropping on email.  A semi-famous case I'm thinking
 of involves a rabid baptist minister named fred phelps and
 a topeka city councilwoman who had the audacity to vote against
 him running roughshod over the law.  He set up routing tables
 to fool DNS into thinking his machine was the shortest distance
 from the courthouse where she worked to her home ISP and
 eavesdropped on her mail.  Sent a message to every fax machine
 in town calling her a Jezebellian whore after getting the
 skinny on the aftermath of an affair that she was discussing
 with her husband.

I love it!  Then, I'm wrong on that point, we
do in fact have some aggressive MITMs
occurring in some mediums over the net.
Steve Bellovin pointed one out, this is
another.

Which gets us to the next stage of the
analysis (what did they cost!).

 And as for theft of credit card numbers, the lack of MITM
 attacks directly on them is just a sign that other areas of
 security around them are so loose no crooks have yet had to
 go to that much trouble.  Weakest link, remember?  No need
 to mount a MITM attack if you're able to just bribe the data
 entry clerk.

I'd say, SSL with the cert protection is the
strongest link in the chain.  In fact, it's
ludicrously strong.  It's like a Chubb vault
lock on a screen door.  If we were getting
physical here, the door wouldn't be strong
enough to hold up the lock.

So, cut to the chase:  if we mandate that
from now on, all commerce servers use
ADH, just hypothetically, for the sake of
argument, do you think that the connection
would then become anything other than the
strongest link in the chain?

(I think it would remain the strongest link,
by far.  In fact, even if it was unencrypted,
I think it would be one of the stronger links,
c.f., David Wagner's devilish advocacy.

But, nobody would suggest we throw away
the current cert infrastructure, just that we
back off a little and accept the intermediate
path of ADH / self-signed certs.)

 Just because most companies' security is so
 poor that it's not worth the crook's time and effort doesn't
 mean we should throw anyone who takes security seriously
 enough that a MITM vulnerability might be the weakest link
 to the wolves.

Nobody's saying that we should.  I'm
saying that the server and browser
should offer the choice to deploy
and use more convenient levels of
security.  The message should
congratulate the user for moving up
to a more secure channel than HTTP,
not annoy them with imponderables
about how self-signed certs might be
insecure under a certain hard-to-measure
threat model... as is the case now.

-- 
iang



Re: Keysigning @ CFP2003

2003-03-25 Thread Ian Grigg
On Tuesday 25 March 2003 00:22, Jeroen van Gelderen wrote:
 On Monday, Mar 24, 2003, at 22:32 US/Eastern, bear wrote:
  On Mon, 24 Mar 2003, Jeroen C. van Gelderen wrote:
 
  It's rather efficient if you want to sign a large number of keys of
  people you mostly do not know personally.
 
  Right, but remember that knowing people personally was supposed
  to be part of the point of vouching for their identity to others.
 
 Not that I heard of. I always understood that I should be 'convinced' 
 of the identity and willing to state that to others.

Well, that's a surprise to me!  My understanding
of the PGPid  signature was that the semantics
were loose, deliberately undefined.  And, within
that limitation, it came down to I met this guy,
he called himself Micky Mouse.

I've only been to one key signing event, and no
identity was flashed around that I recall.

So, do we have two completely disjoint communities
here?  One group that avoids photo id and another
that requires it?  Or is one group or the other so
small that nobody really noticed?

I'm curious, is all!

 Yes. But PGP doesn't mandate either interpretation. That is what you 
 use your trust knobs for: you decide on a per-user basis how 
 trustworthy an identity certification from that user is. The redundancy 
 of a well-connected WoT then helps you a bit in eliminating simple 
 errors.

Um.  So, there are people out there that I am convinced
are who they say they are.  They happen to be nyms,
but I know that, and they are consistent nyms.  Can I
sign their key with the highest level?

-- 
iang



Re: Who's afraid of Mallory Wolf?

2003-03-25 Thread Ian Grigg
On Tuesday 25 March 2003 12:07, bear wrote:
 On Tue, 25 Mar 2003, Ian Grigg wrote:

 Which gets us to the next stage of the
 analysis (what did they cost!).
 
 
 Wait.  Time out. good stuff snipped 
 I don't think mere monetary costs are even germane to
 something like this.  The costs, publicly and personally,
 are of a different kind than money expresses.

I'm sorry to disagree, but I'm sticking to my
cost-benefit analysis:  monetary costs are totally
germane.  You see, we need some way in which
to measure the harm.  It's either subjective as
you describe above, which can't support an
infrastructure decision, or it's objective, which
means, money.

But, luckily, there is a way to turn the above
subjective morass of harm into an objective
hard number:  civil suit.  Presumably, (you
mentioned America, right?) this injured party
filed a civil suit against the person and sought
damages.

Now, even if the case did not get filed, I imagine
that you would be able to find a few legal types
to provide an upper and lower bound on the sort
of damages that case would go for.

And there's your number!  From my ignorant
position, I'd scratch in a figure of about a
million dollars there, and wait for someone
to refine it.

 And we're going
 to continue to have this problem for as long as we continue to
 use unencrypted SMTP for mail transport.

I would agree.  Which is why we are having
this discussion - how can we get this poor
victim's traffic onto some form of crypto so
she doesn't get her life ripped apart by some
dirtbag?

As far as SSL goes (switching from the
context of her mail to the system we are
discussing here), here's the answer:

Make ADH / self-signed certs a respectable
half-way house to CA-signed certs.

Encourage all servers to accept them, by
default.

Encourage all browsers to switch up to
ADH / self-signed secured traffic.  Don't
discourage it, encourage it.

The problem is, it is just too darned hard and
expensive for sites to get into SSL.  That's
what we are looking at, here, lowering the
cost of entry into SSL.

-- 
iang



Re: Who's afraid of Mallory Wolf?

2003-03-25 Thread Ian Grigg
On Tuesday 25 March 2003 13:17, David Wagner wrote:

 I'm skeptical.  Just because the cost is
 subjective doesn't mean we should ignore the cost.

I agree with that ... I was converting the
subjective harm into an objective cost.
I certainly wasn't intending to ignore it :-)

 But, luckily, there is a way to turn the above
 subjective morass of harm into an objective
 hard number:  civil suit.
 
 That's using a questionable measuring stick.

That being part and parcel of the problem.
It's a subjective harm, there is no solid way
to move subjective to objective, by definition.

We can only make estimates.

What is beneficial here is that - at least -
we have one way to do this.  And, it is a
way that has lots of disinterested observers,
lots of experience, and lots of interested
parties.  Much as I dislike courts, it is a
fair and auditable way of dollarising a
harm.

Bear says:
 You honestly haven't heard of Fred Phelps?

Nope.  But, all we want is an estimated
cost of the attack.  Ask some lawyers
for a quote.  Ignore the guy's family, we
are only after an estimate of the cost.

David says:
 The damages paid out in a civil suit may be very
 different (either higher, or lower) than the true
 cost of the misconduct.  Remember, the courts are
 not intended to be a remedy for all harms, nor could
 they ever be.  The courts shouldn't be a replacement
 for our independent judgement.

This of course is true especially with the
low level of MITM activity that we've found
to date.  If such a case were to happen
once a year, I'd not be really confident of the
accuracy of the numbers, especially if we
were estimating based on lawyer's opinions
rather than awarded damages.

(But that wouldn't so much matter if the
numbers came out as also too low to
consider, as I suspect they will.)

If however, we had such MITMs once per
month, then costs could be averaged over
the size of the activity.  Something like
this:

  There are 500 million email users in the
  world today (guess!).  Cost of failures
  that could be rectified with proper crypto
  (amounts to 12 cases per year) is 12 million
  dollars.  Some judgements less than a
  million, some more.

  [ if you like, you could add in a fudge
  factor for unreported harms and other
  judgement calls. ]

  Now, the cost of prevention:  assume
  we pass a law to make every ISP sell
  every user a copy of OpenPGP to
  protect their privacy.  Bulk discount
  gives us $1 each copy, annually updated
  to cover for the inevitable new release.

  So, cost to protect:  500 million x $1.
  Saved costs in cases:  $12million.

That law won't get passed :-)



-- 
iang
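The five-step cost-benefit procedure from the first "Mallory Wolf" post, and the email/OpenPGP calculation just above, carried through as an added example (not code from the thread). It goes beyond the posts' point estimates by carrying a low/high bound on each figure, which is the refinement the thread itself asks for; every dollar figure and attack count is the thread's own guess, and the prevention costs for the first two cases, which the thread never gives, are constructed placeholders.

```python
"""Expected-loss cost-benefit check for a security control.

Added example, not code from the mailing-list posts.  It runs the
thread's five steps (average cost per attack x attacks per year,
compared with the yearly cost of prevention) over the cases the
thread discusses, with a low/high bound on each estimate so the
result says whether the decision is robust or whether the data are
too thin to decide.  Every figure is the thread's own guess or a
constructed placeholder labelled as such; none is a measurement.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[float, float]  # (low estimate, high estimate)


@dataclass(frozen=True)
class Scenario:
    name: str
    cost_per_attack: Range      # step 1: average cost of one attack, $
    attacks_per_year: Range     # step 2: how many attacks per year
    prevention_per_year: float  # step 4: cost of avoiding them, $/year

    def expected_loss(self) -> Range:
        """Step 3: multiply cost by count, propagating the bounds."""
        c_lo, c_hi = self.cost_per_attack
        n_lo, n_hi = self.attacks_per_year
        return (c_lo * n_lo, c_hi * n_hi)

    def break_even_attacks(self) -> Range:
        """Attacks per year the control must prevent to pay for itself.

        Fewer are needed when each attack is expensive, so the low end
        uses the high cost estimate and vice versa.
        """
        c_lo, c_hi = self.cost_per_attack
        lo = math.inf if c_hi <= 0 else self.prevention_per_year / c_hi
        hi = math.inf if c_lo <= 0 else self.prevention_per_year / c_lo
        return (lo, hi)

    def decision(self) -> str:
        """Step 5: protect only if even the low-bound loss exceeds the
        prevention cost; reject only if even the high bound falls
        short; anything in between means: measure before spending."""
        lo, hi = self.expected_loss()
        if lo > self.prevention_per_year:
            return "protect"
        if hi < self.prevention_per_year:
            return "don't protect"
        return "undecided: narrow the estimates first"


# The thread's three cases.  The prevention costs for the first two
# are not given anywhere in the thread, so they are placeholders.
SCENARIOS = [
    # $1000 per lost card (thread's guess), zero recorded MITM thefts.
    Scenario("credit-card MITM on SSL", (1_000, 1_000), (0, 0),
             prevention_per_year=1_000_000),  # constructed placeholder
    # ~$10,000 per hijack, "once a metric month" (thread's guess).
    Scenario("BGP prefix hijack", (10_000, 10_000), (12, 12),
             prevention_per_year=1_000_000),  # constructed placeholder
    # ~$1M per case ("some less, some more": constructed $0.5M-$2M band),
    # 12 cases/year, with a constructed 10x fudge factor for unreported
    # harms; prevention = 500M users x $1 per OpenPGP copy per year.
    Scenario("email MITM vs mandated OpenPGP", (500_000, 2_000_000),
             (12, 120), prevention_per_year=500_000_000 * 1),
]


def report(scenarios: List[Scenario] = SCENARIOS) -> List[Dict]:
    """Run every step for each scenario and return the numbers."""
    rows = []
    for s in scenarios:
        rows.append({
            "name": s.name,
            "expected_loss": s.expected_loss(),
            "prevention": s.prevention_per_year,
            "break_even_attacks": s.break_even_attacks(),
            "decision": s.decision(),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(f"{row['name']:34s} loss/yr {row['expected_loss']} "
              f"vs prevention {row['prevention']:,} -> {row['decision']}")
```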



Re: Who's afraid of Mallory Wolf?

2003-03-26 Thread Ian Grigg
On Tuesday 25 March 2003 15:22, Bill Stewart wrote:
 I get the impression that we're talking at cross-purposes here,
 with at least two different discussions.

Yep.  I haven't counted them up yet, but
the full discussion includes at least 6
disparate threads.  The challenge is to
not arbitrarily switch from one thread to
another without losing the context of the
first.

The way I got where (I think) I am is this:

  Fact:  The SSL cert that is required for
  the server is expensive.

  Question:  Why do we have to pay that
  expense, and what happens if we use a
  self-signed cert?

  Answer:  the MITM!   Spoofing!

OK, so now let's challenge the assumptions:

  Question: What is the MITM?
  And why should we care?

And, when we've answered that question,
let's plug that truth back into the 1st
question.  (And, the same for spoofing.)


 Let's look at several cases:
 
 1 - Sites that have SSL and Expensive Certs that need them and need MITM 
 protection
 1a -  These sites, but with other security holes making it easy to break in.
 1b -  These sites, broken by SSL bugs or browser bugs
 2 - Sites that have SSL and Expensive Certs that don't need them,
   as long as they've got some crypto like self-signed certs,
   which don't give MITM protection
 3 - Sites that don't have SSL today because it's too annoying,
   for which crypto would be useful,
   and ADH or self-signed certs would be good enough,
   because MITM isn't a big threat for them.
 4 - Sites that don't need crypto.

Fantastic!  a 2 x 2:

                      GOT          HTTP
                      SSL+         ONLY
                      cert

Want                    1
Crypto           (may have bugs)
Want
certs


Want                    2             3
Crypto
(adh/ssc)


Don't                                 4
want
Crypto

Totals:                1%            99%



Hmm, it drew out as a 2 x 3 (only in fixed font).

So, I wonder what the totals on the right would
be?  How many people want crypto/MITM, how many
would be happy with crypto/no MITM protection,
and how many don't want any crypto?


-- 
iang



Re: Who's afraid of Mallory Wolf?

2003-03-26 Thread Ian Grigg
On Tuesday 25 March 2003 22:34, Steven M. Bellovin wrote:

 Let me quote what the (U.S.) 2nd Circuit Court of Appeals said in the
 T.J. Hooper case (60 F.2d 737, 1932):
 
 Indeed in most cases reasonable prudence is in fact common prudence;
 but strictly it is never its measure; a whole calling may have unduly lagged
 in the adoption of new and available devices.
 It may never set its own tests, however persuasive be its usages.
 Courts must in the end say what is required; there are precautions
 so imperative that even their universal disregard will not
 excuse their omission
 
   But here there was no custom at all as to receiving sets; some had
 them, some did not; the most that can be urged is that they had
 not yet become general.  Certainly in such a case we need not
 pause; when some have thought a device necessary, at least we may
 say that they were right, and the others too slack.
 
 Given that there were published warnings of *practical* MITM attacks (my 
 papers, Radia Perlman's dissertation on secure routing, Lawrence 
 Joncheray's paper on TCP hijacking, etc.), I have no doubt whatsoever 
 what a (U.S.) court would have ruled if there had ever been a real attack.

I'm sorry, I won't be able to do more than
speculate on this, and I wasn't aware of
your legal background, so please take the
below as not advice.  I.e., IANAL and
all that.

Courts are notoriously difficult to predict.
That's why they say take legal advice :-)

And, it may very well be that Netscape
took legal advice, and at that time, it did
seem that MITM protection at the level
of CA-certificates was a reasonable choice
(c.f., David Wagner's post) amongst other
reasonable choices, so I don't think there
is any doubt that what was done back in
'94 was reasonable in the circumstances.

But, on the face of it, you appear to be
saying that because the court saw warnings
then it ruled that the warnings were sufficient.

I don't read that at all.  I see that interpretation
as a Chicken Little argument.  This opens the
way to Info-war style consultants saying that
because you were warned, you are liable.

That above snippet says there are precautions
so imperative which implies the court had already
reached its opinion on the merits of this protection,
which is precisely what this discussion has
aimed to address.  In fact, the court said very
clearly that it is the one to decide what the test
is - not the industry.

The court then went on to say that, as it found
the precautions imperative, and as the industry
had warned, albeit controversially, then, it
concluded, relying on the lack of industry custom
and agreement as a defence was insufficient.

So, with respect, I would say that the above
should be read as do not rely on discordant
others, be they so-called experts or Chicken
Littles on either side, in applying your own
prudential measures, which is quite the
reverse of your reading.



Now, the above is speculation;  not having
the full ruling and the full training, one can't
do more.  But, to take mere warnings as
liabilities is to forgo one's profession as an
engineer, and hand one's responsibilities
over on the one hand to the religious seers
of doom, and on the other, to the lawyers.

The ludicrousness of this approach is
perhaps more crystallised when we consider
that half of the world's web servers are
shipped for free (c.f. Apache).  The crypto
components are still, AFAIK, dealt with
outside America for the most part.

And, a growing share of browsers are now
shipping for free or near-free.  We've seen
over the last year or so, Konqueror, Mozilla,
and Safari rise to take back the forgotten
gauntlet of browser for the rest of us.

These are not sold products.  There are no
contracts that imply security.  The world
of open source is not necessarily going to
be treated in the courts the same as a
purchased product with implicit liabilities
of a consumer nature.

I grant that America may be moving towards
a world where Eric Y or Ben L will be norieged
and hailed before a California court in some
case for inadequate MITM protection, but,
I personally don't see that as a world that I
would accept on the face value of some
legal handwaving.

Is that really what we want for our Internet?

-- 
iang

PS:  It is apropos that the CA industry uses
the same approach in trying to define industry
custom as sufficient;  see Jane K. Winn,
_Couriers without Luggage_ for her expose of
the fallacy in this.  In contrast to your implied
claim that SSL providers would be at risk if
they didn't do the MITM approach, I'd suspect
that CAs are on the hook, because of the
very arguments that Winn and, now, Hooper
advance.




Re: Russia Intercepts US Military Communications?

2003-04-04 Thread Ian Grigg
Arnold G. Reinhold [EMAIL PROTECTED] wrote:
 The Army actually has a training course (from 1990) on-line that
 describes such a system in detail. The cipher system, called DRYAD is
 covered in
 https://hosta.atsc.eustis.army.mil/cgi-bin/atdl.dll/accp/is1100/ch4.htm
 .

Your description fits, it sounds like DRYAD.

rest of good post, snipped, except:-

 Consider these difficulties:  it was *banned*
 to use any form of comsec that wasn't centrally
 approved.  No personal code words, no CB radios,
 no nicknames, no nothing...  (In practice there
 was some leakage, I recall on my last exercise,
 logistics back to the battalion HQ in the city
 was handled over a cellular phone!)

 I wonder if such bans are intended to make sure the military can read
 the traffic of its own soldiers as much as they are to protect
 against enemy exploits.

:-)  The reason was that sigint on the other side
could note particular differences from standard
procedure, and use that to track units up and down
the front.  For the same reason, all plan names
are generated randomly, from a dictionary program
in HQ;  sigint people could derive a lot of clues
from the personally picked plan names.

(Hence you can always tell when the professionals
have lost control, as the plan names become political.)

iang
