On Oct 7, 2013, at 12:45 PM, Ray Dillinger <b...@sonic.net> wrote:
> Can we do anything ...[to make it possible to remove old algorithms]? If the 
> protocol allows correction (particularly remote or automated correction) of 
> an entity using a weak crypto primitive, that opens up a whole new set of 
> attacks on strong primitives.
> 
> We'd like the answer to be that people will decline to communicate with you 
> if you use a weak system, but honestly when was the last time you had that 
> degree of choice in from whom you get exactly the content and services you 
> need?
> 
> Can we even make renegotiating the cipher suite inconveniently long or heavy 
> so defaulting weak becomes progressively more costly as more people default 
> strong? That opens up denial of service attacks, and besides it makes it 
> painful to be the first to default strong.
> 
> Can a check for a revoked signature for the cipher's security help? That 
> makes the CA into a point of control.
> 
> Anybody got a practical idea?

I don't see how there can be any solution to this.  Slow renegotiation doesn't 
affect users until it gets to the point where they feel the "something is 
broken"; at that point, the result to them is indistinguishable from just 
refusing connections with the old suites.  And of course what's broken is never 
*their* software, it's the other guy's - and given the alternative, they'll go 
to someone who isn't as insistent that their potential customers "do it the 
right way".  So you'll just set off a race to the bottom.

Revoking signatures ... well, just how effective are "bad signature" warnings 
today?  People learn - in fact, are often *taught* - to click through them.  If 
software refuses to let them do that, they'll look for other software.

Ultimately, I think you have to look at this as an economic issue.  The only 
reason to change your software is if the cost of changing is lower than the 
estimated future cost of *not* changing.  Most users (rightly) estimate that 
the chance of them losing much is very low.  You can change that estimate by 
imposing a cost on them, but in a world of competitive suppliers (and consumer 
protection laws) that's usually not practical.

It's actually interesting to consider the single counter-example out there: 
the iOS world (and to a slightly lesser degree, the OSX world).  Apple doesn't 
force iOS users to upgrade their existing hardware (and sometimes it's 
"obsolete" and isn't software-upgradeable) but in fact iOS users upgrade very 
quickly.  (iOS 7 exceeded 50% of installations within 7 days - a faster ramp 
than iOS 6.  Based on past patterns, iOS 7 will be in the high 90's in a fairly 
short time.)  No other software comes anywhere close to that.  Moving from iOS 
6 to iOS 7 is immensely more disruptive than moving to a new browser version 
(say) that drops support for a vulnerable encryption algorithm.  And yet huge 
numbers of people do it.  Clearly it's because of the new things in iOS 7 - and 
yet Microsoft still has a huge population of users on XP.

I think the real take-away here is that getting upgrades into the field is a 
technical problem only at the margins.  It has to do with people's attitudes in 
subtle ways that Apple has captured and others have not.  (Unanswerable 
question:  If the handset makers and the Telco vendors didn't make it so hard - 
often impossible - to upgrade, what would the market penetration numbers for 
different Android versions look like?)

                                                        -- Jerry


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography