DoS is a concern but I'm not sure how big of a concern it really is. If I'm a miscreant I would not want to create a DoS situation because it probably won't help me meet my goals. Letting people realize I'm trying to trick them is counter-productive after all. If I'm a government agent trying to keep people from YouTube would this be a better way to stop them? I'm not sure.
If we're talking an accidental DoS...? Again I'm not sure how much concern is warranted. In some ways I think this is similar to what happens with expired certs, but I'm curious to get other people's insights on this.

Original Message
From: Daniel Micay
Sent: Wednesday, April 23, 2014 10:02 PM
To: [email protected]; [email protected]
Subject: Re: Turn on hardfail?

On 23/04/14 11:00 PM, [email protected] wrote:
> I can't believe anyone actually worries about captive portals, but there are
> lots of things I don't understand so....
>
> Snark aside, there is a flaw in the reasoning that Adam (imperialviolet.org)
> and the rest of the good folks at Google have put forth regarding OCSP. The
> logic boils down to a perfect scenario in which OCSP fails perfectly, with
> the conclusion being that OCSP request/response isn't very good and only OCSP
> stapling makes sense to pursue.
>
> That argument may hold for certain MITM cases, but we have to look beyond
> MITM. The much bigger problem Internet security faces is the pwnage of your
> device and the theft of your personal information, your friends' information,
> your credit card numbers, and the money sitting in your bank account. Or
> maybe I just want to use your webcam?
>
> That, to say nothing about your employer's information. Why waste my time
> trying to launch an MITM something-or-other when instead I might trick you
> into installing my latest malware package? If that gets me access to the
> credit card processing system....
>
> Whatever the case may be, the attack is made easier if I can pretend to be a
> site that you're likely to trust, and if I have an SSL certificate you'll
> probably trust it that much more. And if the cert chain goes with a private
> key that someone extracted using Heartbleed, so what? Who's going to stop me?
>
> The problem we need to solve is how to keep criminals, thieves, and
> governments from using other people's keys and cert chains for nefarious
> purposes. OCSP stapling won't do it. CRLs are ancient history. Convergence
> and other schemes are years away from being realized. Like it or not OCSP
> responders are the only viable option at this point.
>
> Getting back to Phillip's original question: do we need to turn on hard-fail?
> The short answer is yes. The long answer is we need to move in that direction
> now so that turning it on won't break the Internet any more than it already
> is.

What about the very real DoS issue raised in the imperialviolet post?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
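To make the tradeoff argued in this thread concrete, the following is an added model (not code from the thread, from Mozilla, or from any browser) of how a client's revocation check behaves under soft-fail versus hard-fail when the OCSP responder gives no answer, with a stapled response as the third option. The responder, the timestamps and the four cases are constructed; no real OCSP messages are parsed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"

@dataclass
class OCSPResponse:
    status: CertStatus
    this_update: int  # constructed epoch seconds
    next_update: int

    def is_fresh(self, now: int) -> bool:
        return self.this_update <= now < self.next_update

class Responder:
    """Simulated OCSP responder; reachable=False covers both an outage (or
    captive portal) and an attacker dropping the client's OCSP query."""
    def __init__(self, status: CertStatus, reachable: bool = True):
        self.status, self.reachable = status, reachable

    def query(self, now: int) -> Optional[OCSPResponse]:
        return OCSPResponse(self.status, now, now + 3600) if self.reachable else None

def check_revocation(responder: Responder, now: int, hard_fail: bool,
                     stapled: Optional[OCSPResponse] = None) -> bool:
    """True: the handshake may proceed. False: abort it."""
    # A fresh stapled response needs no network round trip, so neither a
    # responder outage nor a blocked query can influence it.
    if stapled is not None and stapled.is_fresh(now):
        return stapled.status is CertStatus.GOOD
    resp = responder.query(now)  # live OCSP request/response
    if resp is not None:
        return resp.status is CertStatus.GOOD
    # No answer at all: soft-fail treats silence as "good", hard-fail aborts.
    return not hard_fail

NOW = 1_398_297_600  # constructed timestamp
def scenarios() -> dict:
    """Outcomes for the cases argued in the thread, keyed by (policy, case)."""
    stolen = Responder(CertStatus.REVOKED, reachable=False)  # revoked cert, query blocked
    outage = Responder(CertStatus.GOOD, reachable=False)     # honest site, responder down
    fresh = OCSPResponse(CertStatus.GOOD, NOW - 600, NOW + 3000)
    stale = OCSPResponse(CertStatus.GOOD, NOW - 7200, NOW - 3600)
    cases = [("stolen key, query blocked", stolen, None), ("responder outage", outage, None),
             ("outage, fresh staple", outage, fresh), ("outage, stale staple", outage, stale)]
    return {("hard-fail" if hf else "soft-fail", name): check_revocation(r, NOW, hf, s)
            for hf in (False, True) for name, r, s in cases}
```

The resulting table shows both sides of the argument at once: soft-fail lets a blocked query pass even for a revoked certificate, hard-fail turns a responder outage into a denial of service, and only a fresh stapled response survives the outage without that cost.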

