On 23/04/14 11:00 PM, [email protected] wrote:
> I can't believe anyone actually worries about captive portals, but there are 
> lots of things I don't understand so....
> 
> Snark aside, there is a flaw in the reasoning that Adam (imperialviolet.org) 
> and the rest of the good folks at Google have put forth regarding OCSP. The 
> logic boils down to a perfect scenario in which OCSP fails perfectly, with 
> the conclusion being that OCSP request/response isn't very good and only OCSP 
> stapling makes sense to pursue. 
> 
> That argument may hold for certain MITM cases, but we have to look beyond 
> MITM. The much bigger problem Internet security faces is the pwnage of your 
> device and the theft of your personal information, your friends' information, 
> your credit card numbers, and the money sitting in your bank account. Or 
> maybe I just want to use your webcam?
> 
> That, to say nothing about your employer's information. Why waste my time 
> trying to launch an MITM something-or-other when instead I might trick you 
> into installing my latest malware package? If that gets me access to the 
> credit card processing system....
> 
> Whatever the case may be, the attack is made easier if I can pretend to be a 
> site that you're likely to trust, and if I have an SSL certificate you'll 
> probably trust it that much more. And if the cert chain goes with a private 
> key that someone extracted using Heartbleed, so what? Who's going to stop me?
> 
> The problem we need to solve is how to keep criminals, thieves, and 
> governments from using other people's keys and cert chains for nefarious 
> purposes. OCSP stapling won't do it. CRLs are ancient history. Convergence 
> and other schemes are years away from being realized. Like it or not OCSP 
> responders are the only viable option at this point.
> 
> Getting back to Phillip's original question: do we need to turn on hard-fail? 
> The short answer is yes. The long answer is we need to move in that direction 
> now so that turning it on won't break the Internet any more than it already 
> is.

What about the very real DoS issue raised in the imperialviolet post?



_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
