On 2011-09-07 14:47, Ian G wrote:

> [...the original security requirement was to protect Credit cards. Only. Which have a known value range, a loss model, an insurance model, institutions already at arms to protect Robbie Relier.
>
> So, when people started using SSL for other purposes (email, banking, but not porn) ... what happens?
>
> Well, the value changed (up or down?) ... and the insurance disappeared.
Ian raises a very important point here that is all too often overlooked. The core security objective of SSL and the public CA model was to ensure that online transmissions of credit card information are at least as secure as offline transactions of credit card information. The SSL/public CA model did an admirable job in that regard, and Taher ElGamal and Paul Kocher deserve full credit for this accomplishment.

Recall that credit cards have been subject, and remain subject, to skimming by dishonest gas station attendants and restaurant waiters even in a "card present" scenario. The credit card infrastructure's risk management procedures evolved under this evolutionary pressure, and they too are doing a good job at mitigating (not eliminating) this risk, as credit card association and processor annual reports readily attest. Both on an overall amount and a percentage basis, losses from intercepted https submissions of credit cards are far lower than losses from "card present" or stored credit card information misuse.

SSL's design goals explicitly excluded protection against national government security and law enforcement entities. Indeed, SSL's original design contains a wide selection of features exclusively geared towards facilitating interception by governmental entities, RC4-40 being one such feature. With 40-bit crypto as the designated burst plate, there was no sound engineering reason to fortify the rest of the plumbing to withstand the pressures generated by national-government-level adversaries.

Alas, the design goals of SSL were soon (well, within 5-10 years) forgotten, and SSL and the public PKI infrastructure upon which it depends started to be deployed protecting users subject to oppressive regimes, in which the threat model is resilience of the public PKI infrastructure against national government adversaries eager to torture and/or execute a subset of those for whom the design fails.
The SSL system, which today includes the TLS protocol and the notion of global public CAs, was not designed to guard against this particular threat. It should come as no surprise that the system does not defend against such a threat. If the threat is national-government-level adversaries, a different system designed to withstand that threat is required.

And thanks to Ian for raising that point.

--Lucky Green

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
