-------- Original Message --------
Subject: Financial Cryptography Update: SSL secure browsing - attack tree Mindmap
http://www.financialcryptography.com/mt/archives/000136.html
------------------------------------------------------------------------
Here is a /work in progress/ Mindmap on the threats to the secure browsing process.
http://iang.org/maps/browser_attack_tree.html
The mindmap purports to be an attack tree, which is a technique to include and categorise all possible threats to a process. An attack tree is one possible aid to constructing a threat model, which in turn is a required step in constructing a security model. The mindmap supports another /work in progress/ on threat modelling for secure browsing at http://iang.org/ssl/browser_threat_model.html for the Mozilla project.
(The secure browsing security model uses SSL as a protocol and the Certificate Authority model as the public key authentication regime, all wrapped up in HTTPS within the browser. Technically, the protocol and key regime are separate, but in practice they are joined at the hip, so any security modelling needs to consider them both. SSL - the protocol part - has been widely scrutinised and has evolved to what is considered a secure form. In contrast, the CA model has been widely criticised, and has not really evolved since its inception. It remains the weak link in security.
As part of a debate on how to address the security issues in secure browsing and other applications that use SSL/CA such as S/MIME, the threat model is required before we can improve the security model. Unfortunately, the original one is not much use, as it was a theoretical prediction of the MITM that did not come to pass.)