On 09/11/2011 11:24 PM, Paul Hoffman wrote:
On Sep 11, 2011, at 6:40 PM, Marsh Ray wrote:
On 09/11/2011 07:26 PM, Paul Hoffman wrote:
Some of us observe a third, more likely approach: nothing
significant happens due to this event. The "collapse of faith" is
only among the security folks whose faith was never there in the
first place. A week after the event, who was talking about it
other than folks on these lists and lists like them?
The 300,00+ Iranians who were actively attacked and now have to
change their password and are wondering if they'd said anything in
Gmail to get them arrested and interrogated.
Do you have any evidence that improving crypto is being talked about
by those affected in Iran? I haven't seen it yet.
I don't know that they're discussing "improving crypto". But they're
talking about it:
http://www.google.com/search?q=diginotar+site:*.ir
The title translates as "online magazine for the young":
http://translate.google.com/translate?hl=en&sl=fa&u=http://irjavan.persianblog.ir/post/130&ei=5TFuTpneFqmQsAL4yfy5BA&sa=X&oi=translate&ct=result&resnum=3&ved=0CCoQ7gEwAjgU&prev=/search%3Fq%3Ddiginotar%2Bgmail%2Bsite:*.ir%26start%3D20%26hl%3Den%26client%3Dubuntu%26sa%3DN%26channel%3Dfs%26prmd%3Divns
Today Google announced on its official blog of the event of a serious security
problem for Internet users in Iran has.
Apparently, some Internet users in Iran, according to Google's Gmail to your
browser when faced with security warnings.
The security warning means that someone is trying to access their e-mail!
SSL man-in-the-middle (MITM) attacks Google today announced an attack on
your website with SSL man-in-the-middle (MITM) attacks on Internet users
residing in Iran, declared that the person or group of Iranian security services
are trying to choose between Google and the company DigiNotar security
certificate can be forged and fake a page and create a way to access
their email. SSL Certificate According to Google's work in Iran has been
using Gmail for a fake SSL Certificate.
and let's not forget the alert Iranian who reported it in the first place:
https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en
The unknown numbers of Chinese (and people in other countries) who
were hoping a US product like Gmail could provide a censorship-free
email service.
Same question. However, I have first-hand evidence that people in
China are not talking about that, but instead are talking about how
to make *Chinese* services work outside of government censorship. And
those people aren't talking about PKIX.
Uh huh. The "fix" may come in terms of a replacement and will quite
likely not be recognized as such by those invested in the old system.
The Dutch IT people who have to replace the ~58,000 certs issued by
DigiNotar PKIoverheid CA.
http://www.techworld.com.au/article/400068/dutch_government_struggles_deal_diginotar_hack/
Look what you just wrote. Those folks aren't looking for us to fix
PKIX: they are looking for different CAs. That's not a "collapse of
faith", just a desire for a quick fix.
Obviously they are in desperate need of a quick fix. When they get their
head above water again they may be more interested in shopping around.
The management at Google who are likely scared as hell that the
webmasters and security auditors of the 50% of major sites that
source Javascript from https://google-analytics.com/ will realize
that they would have been pwned too (and possibly been obligated to
report it) had the attacker issued a cert for that.
Could be, but neither you nor I work at Google so that's pure
speculation. (There are likely some Googlers on this list who can
speak authoritatively on whether their management are "scared as
hell" or even noticing.)
These are the people who are authoring the web origin, strict HTTPS, and
related documents in the IETF.
http://tools.ietf.org/html/draft-ietf-websec-origin
http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec
They are the ones who put the pinning in the browser for their own
certs. That's how this attack was detected. They recognize the threat.
The people responsible for security at Amazon, PayPal, every other
big retailer and the financial services companies that handle
high-value accounts.
Again: where is your evidence that they (other than Andy) care
enough? I have seen zero in the serious business press (Forbes,
BusWeek, etc.) after the first few days.
Yeah, why is that? We all know it's critically important. Surely they're
getting tired of stories about cloud computing by now.
Perhaps maybe we're not doing a good enough job communicating the
reality of the hundreds of weakest links in the PKI reliability equation?
If there was much interest
on the part of their readers (as in "every other big retailer and the
financial services companies"), they would likely be milking it, but
they are not.
I never said the readership of Forbes and BusWeek were up in arms about
it. But I believe that many of the disproportionally clueful and
influential people have by now realized that Google and Microsoft
(through Windows Update) had implemented certificate pinning for their
own purposes.
The herd follows "best practices" (and for good reasons) established by
the industry leaders, but "do as I say not as I do" doesn't always work
so well.
The governments and government contractors who depend on SSL VPNs
with an in-band second factor of auth (like hardware token codes)
to secure their remote access.
I have first-hand evidence that they are not discussing the topic.
As a point of reference, did they discuss the RSA SecurID compromise?
The attacker himself: https://twitter.com/#!/ichsunx2
Why do you think he's not on this list? :-)
Fair enough! :-)
The people who've generated the 367,772 views (so far) of
Comodohacker's Pastebin texts: http://pastebin.com/u/ComodoHacker
Pageviews != concern.
It's not completely unrelated.
See above. Many of the people who you and I *want* to be concerned
are not as concerned as you say.
Well that's probably true.
Slashdot commenter are, by and large, not "influential people".
Please show evidence of the other groups you list above.
We have an enthusiastic Iranian young man claiming he owns four CAs,
known issued certs for things like *.*.com, working with government
security services with the stated goal of payback for Stuxnet.
Come on. People are making phone calls and not liking the answers
they're getting.
True. The fact that Mozilla is doing a review that might cause them
to delist the worst CAs is more than we have seen in the past.
However, if they delist only a few, the result will be that people
will think that the rest of the CAs are just fine. If they delist a
significant proportion, *that* will cause more discussion and concern
among the non-security-geek populace than the current news because it
will hit businesspeople in their pocketbooks.
Yeah. It may be that the current industry structure is incapable of
meaningful change. It may be inevitable that we end up with a fragmented
spectrum of varying-degrees-of-inelegant solutions.
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
