On Fri, Sep 16, 2011 at 5:21 PM, Marsh Ray <[email protected]> wrote:
> On 09/16/2011 03:58 AM, Ben Laurie wrote: > >> On Fri, Sep 16, 2011 at 8:57 AM, Peter Gutmann >> <[email protected]> wrote: >> >>> Marsh Ray<[email protected]> writes: >>> >>> The CAs can each fail on you independently. Each one is a potential >>>> weakest >>>> link in the chain that the Relying Party's security hangs from. So their >>>> reliability statistics multiply: >>>> >>>> one CA: 0.99 = 99% reliability >>>> two CAs: 0.99*0.99 = 98% reliability >>>> 100 CAs: 0.99**100 = 37% reliability >>>> >>> >>> I realise that this is playing with numbers to some extent (i.e. we don't >>> know >>> what the true reliability figure actually is), but once you take it out >>> to what >>> we currently have in browsers: >>> >> >> We could have a stab at it. A = Integral of number of CAs in trusted >> root/number of years CAs have been around = ? (I'd guess 100?). >> > > This data could probably be collected quite accurately with some code > archeology. > > > B = Total failures/number of years = ? (1, maybe?) >> > > Difficult to know quantitatively, even about the present. > > Iran may have the dubious distinction of the first CA-issued MitM to have > failed. I don't believe it was the first to have occurred, but up until very > recently, some asserted that it had never happened. We can count the ones we know about. > > > So failure rate = A/B = 1% p.a. >> >> giving reliability of 99% p.a.. What do you know? >> > > It's got to be worse than that because we know that for several months in > 2011 there was an attacker with the who could mint himself whatever certs he > wanted from Comodo and DigiNotar (he claims to still have this capability > from several others). As far as I can tell, my Android phone is still > vulnerable to his *.*.com certificate. Given that SSL has only been around > about 16 years, the SSL-PKI cannot be more than 97% reliable. > > Anyone got better numbers? >> > > There are some complicating factors that make it difficult for this > reliability analysis to get better than a back-of-the-envelope upper bound. > A sufficiently low upper bound is convincing enough :-) > > * The actual number of organizations knowing private keys with the ability > to sign something the user's browser will trust is unknown. Yes, that's > right, CAs refuse to disclose how many and to whom sub-CAs have been issued. > We only get a lower bound from the SSL Observatory. > > * A 'failure' of a CA is probably often perceived by a small set, or only > one, user. Presumably some of these sub-CAs have been loaded into SSL > intercepting firewalls (e.g., BlueCoat devices) by corporations, this is one > of the arguments given for issuance. Whether or not you believe that that is > legitimate, it certainly seems plausible that a guest on the network could > be intercepted without prior informed consent. > > * The degree of independence between the trusted root CAs and their sub-CAs > is not well understood (the 150 vs 600 vs 1500 debate). > > * The issuance of a cert, a user's reliance on a cert, successful and > failed attacks on users, attacks on CAs, etc. are discrete events and may be > better modeled stochastically. Bayesian methods may be better at dealing > with the presence of the large unknowns. (Alas my own Bayes-fu and Markov-fu > are not presently up to the challenge). > > Whether you arrive at 37% or 99% reliable, any honest analysis will show > the current system is ineffective against a significant set of adversaries. > I agree, but it would be nice to arrive at a sufficiently scary number with some rigour. > > - Marsh >
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
