This is probably my last response in this thread, since I'm about to stop
reading it altogether (as so many others already have, I should note), but I do
have to respond to this, because there's hope that a reasoned response would
have effect, unlike in some of the other subthreads.
Alaric Dailey wrote:
> If DNS were secure, then attempts to use a stolen cert would be
> thwarted.
Not particularly. As someone pointed out, anyone who steals a cert and can
affect the routing of your packets can screw you.
Furthermore, anyone who steals a signing cert can just impersonate another
entity altogether (see signed jars).
There are probably other attack vectors available once you steal a cert.
So once a cert has been stolen, you're screwed until it's revoked.
> If the certificate were revoked and if all CRLs were signed,
> and EVERYONE had checking turned on, then attempts to use the stolen cert
> would be thwarted.
This is what should be happening, imo. This does raise the issue of "how do you
know it's been revoked?" As you point out with insecure DNS this is hard to
impossible. So secure DNS would indeed help here; without it once a cert has
been stolen you're screwed period.
> Short of a complete overhaul of the internet, there are more problems with
> SSL than EV can fix.
I have yet to see any of the people who would actually be implementing EV-like
stuff in Mozilla disagree with this in this thread. Of course you might have
missed it, since they said what they had to say a while back and there's been
lots of chatter by random others since then.
> Eddy's proposal allows the users to see the info and validate it themselves.
It's good to give the user this option. It's bad security to rely on it. Users
don't want to have to validate this stuff themselves, really. Heck, _I_ don't,
particularly, and I'm a lot more aware of the issues involved than most users.
Throwing info at the users and expecting them to do "the right thing" with it is
the same problem that security warning dialogs have. I'm sure you're aware of
how well those work (or rather don't work).
> Without fixing the underlying problems, time is better spent
> putting information into the users' hands rather than money in the
> pockets of the big corporations while simultaneously driving the small
> companies out of business.
Please see beltzner's posts from way back at the beginning of this spam-fest.
EV is not a cure-all; it's part of the information input that needs to be
presented to the user in some way. How is the hard part. Just dumping a
serialization of all the certs involved and the list of IP addresses involved on
the user is not really helpful, even though theoretically it would provide them
with maximal information based on which they could make a reliable security
decision (e.g. reverse-resolving the addresses, etc).
-Boris
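As an added illustration of the revocation point above (not part of the thread itself), here is a throwaway PKI built with the openssl CLI: a leaked leaf cert keeps validating until the CA revokes it, publishes a CRL signed with its own key, and the relying party actually turns CRL checking on. The CA, the site name and the config are all constructed for this example; it only needs the `openssl` command.

```shell
# Added example, not from the thread: a throwaway CA built with the openssl CLI
# (all names constructed) shows a leaked leaf cert stays usable until the CA
# revokes it, publishes a CRL signed with its key, AND the client checks it.
set -e

setup_pki() {                      # fresh CA + leaf cert in a temp directory
  PKI=$(mktemp -d); cd "$PKI"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 1 -subj "/CN=Demo CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out site.crt -days 1 >/dev/null 2>&1
  # minimal 'openssl ca' state: revocation database, serial and CRL counters
  touch index.txt; echo 1000 > serial; echo 01 > crlnumber
  cat > ca.cnf <<EOF
[ca]
default_ca = demo
[demo]
database = ./index.txt
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_crl_days = 1
EOF
}

# Validate the leaf as a client would: $1 = trust file, $2 = extra verify flags
# ("-crl_check" turns revocation checking on; the default is off).
verdict() {
  openssl verify $2 -CAfile "$1" site.crt >/dev/null 2>&1 && echo accepted || echo rejected
}

# CA side: revoke the leaf, publish a CRL, and bundle it with the trust anchor.
revoke_and_publish() {
  openssl ca -config ca.cnf -revoke site.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl >/dev/null 2>&1
  # the CRL is signed by the CA, so a client can confirm who issued it first
  openssl crl -in ca.crl -CAfile ca.crt -noout >/dev/null 2>&1 || return 1
  cat ca.crt ca.crl > trust.pem
}

setup_pki
echo "before revocation:            $(verdict ca.crt)"               # accepted
revoke_and_publish
echo "revoked, client not checking: $(verdict ca.crt)"               # accepted
echo "revoked, client checks CRL:   $(verdict trust.pem -crl_check)" # rejected
```

The middle line is the one that matters for the discussion: with the CRL published but not consulted, the revoked certificate is still accepted, which is exactly the "EVERYONE had checking turned on" condition.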
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security