Alaric Dailey wrote:
> SSL for identification is worthless without DNS being secured, and
> no-one on any list wants to talk about that.
There's the first error. The security of SSL does *NOT* depend on DNS.
Never has. SSL detects DNS errors rather than being vulnerable to them.
> Because SSL relies on DNS, SSL assertions about the identity of a
> website are.... less than reliable, no matter how thorough the
> identity check.
nonsense. Your assertion does not make it so.
> If DNS were secure, then attempts to use a stolen cert would be
> thwarted. If the certificate were revoked and if all CRLs were signed,
> and EVERYONE had checking turned on, then attempts to use the stolen cert
> would be thwarted.
Second error. DNS and DNSSEC only do one job, with varying degrees of
accuracy and reliability. But their job is DONE and OVER before the
client contacts the server using the IP address received from DNS(sec).
They may authenticate the information they deliver, but they do NOT
authenticate the information received from the supposed server after
the client contacts the server. They provide *NO* server content
authentication. None whatsoever.
Once you have that authenticated server IP address, and you connect to it,
a router between you and the desired IP address can reroute your traffic
to another host using a host route. Or a router between you and that
server can actively rewrite traffic (a MITM attack).
IPSec does NOTHING to detect those attacks. SSL detects them all.
Gerv agreed with this when he wrote:
>> Yes, and actually, SSL goes much further than DNSsec. The latter is
>> good to prevent DNS spoofs and is much-needed, but it does nothing to
>> protect the content. Even if you're properly resolving to the right IP
>> address, nothing stops a MITM happening at your provider etc. The
>> provider has full control over where the data streams go and can alter
>> every bit. With SSL, your browser will notice when content bits are
>> altered or coming from the wrong server. With DNSSec, only the
>> hostname -> IP resolution is secured, but not the actual IP path to
>> the server at all.
>> Again, I agree that DNSSec should have been rolled out 5 years ago.
>> But SSL does a lot more than DNSSec.
And you replied:
> SSL and DNSSEC are 2 different things. Let's not say that they solve the
> same problem, or insinuate that I made such an idiotic statement. SSL
> is encryption,
SSL is first and foremost *content authentication*. Encryption is an
optional (but commonly used) feature of SSL.
> DNS is a db that translates human meaningful names into IPs,
> and nothing more.
> SSL relies on DNS,
Wrong.
> therefore if DNS is insecure, then SSL is made vulnerable.
Again, SSL detects DNS errors rather than being vulnerable to them.
DV CAs may rely on DNS and/or whois (both insecure), and that makes their
certificates not very worthwhile, IMO. Their weakness may be a
vulnerability to products that rely on them, but is not an inherent
weakness of the SSL protocol.
> In fact, I have asserted many times that the ONLY way a CA can be sure of
> domain validation is if the DNS for that domain is hosted by that CA.
I wouldn't say that is the only way, but it would be one very good way for
DV CAs to improve the worth of their certificates.
> With that said, SSL can prevent an MITM, but is another problem
> completely. Let me give a quick example using IM and get to my point.
> Do you trust Skype Instant Messages to be secure?
No. What does that have to do with SSL?
> My point....
> Short of a complete overhaul of the internet, there are more problems with
> SSL than EV can fix....
I know you won't be convinced otherwise, but someone needs to challenge
your statements, lest it appear that they are implicitly acknowledged
by silence.
> Eddy's proposal allows the users to see the info
> and validate it themselves, and gives them more information than they
> currently have, and therefore is a huge step in the right direction
> without lining the pockets of Verisign and Microsoft.
People who argue against EV on the grounds that it enriches Verisign or
Microsoft discredit themselves. Neither is a monopoly. You can get an
EV cert today without either of them getting one dime.
Verisign is only one of MANY CAs who sell EV certs, and they're the most
expensive. They do one thing better than all the others (IMO): marketing
their product. That is why we see the otherwise-unusual behavior of such
a large percentage of the market buying from the most expensive seller,
rather than from the least expensive. That is no reason to hate them.
And IINM, their market share is eroding.
Microsoft gets no money from the use or sale of EV certs.
So, your dislike for those companies is no reason to oppose EV.
> Even if EV certs
> go in, we will fall into the same problems we have now, criminals will
> get smarter and they will set up fake corporations, pay off people or
> whatever. Without fixing the underlying problems, time is better spent
> putting information into the users' hands rather than money in the
> pockets of the big corporations while simultaneously driving the small
> companies out of business.
I suppose you're talking about reputation information. But tell me, of
what value is knowing that "good company" has a good reputation if I
cannot be sure that I'm actually communicating with them when I visit
http://www.goodcompany.com/ ?
Without SSL and CA, the number of sites that may be spoofed by the
criminals you describe would be enormous. With SSL it is (and has been)
much less than it would be without. You would apparently advocate that
we not use SSL if there is any attack at all that can succeed. Perhaps
you also advocate keeping all your house doors unlocked because a
burglar can always break in through a window. I doubt many others would
agree with that stance.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
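The central claim of the reply above (DNS and DNSSEC finish their job before the connection is made, while SSL checks the server the client actually reached against the name the user asked for, so a wrong IP address is detected rather than trusted) can be shown with Go's standard library. The following is an added example written for this page; it is not code from the thread, from Mozilla or from any project mentioned in it. The throw-away root CA, the second hostname www.other-host.example, the "Demo Untrusted Root" issuer and the scenario labels are all constructed for the demonstration; only www.goodcompany.com comes from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate whose subject is `name`. With parent == nil it
// produces a self-signed CA; otherwise a server leaf signed by parent/parentKey.
// Keys and names are constructed on the fly for the demonstration only; the
// function panics on setup failure because nothing here is recoverable.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN a TLS client matches the requested host against
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPresented is the check a TLS client performs once the handshake has
// delivered the server's certificate: the chain must lead to a trusted root AND
// name the host the user asked for. The IP address DNS (or DNSSEC) returned,
// and the route the packets took, play no part in this decision.
func verifyPresented(presented, trustedRoot *x509.Certificate, requestedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   requestedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome pairs a scenario with the verification error it produced (nil = accepted).
type Outcome struct {
	Scenario string
	Err      error
}

// RunScenarios plays out what a client that asked for www.goodcompany.com sees
// when it is (1) delivered to the genuine server, (2) sent to some other host by
// a wrong DNS answer or a host route, which presents that host's own valid
// certificate, and (3) shown a certificate for the right name from an untrusted CA.
func RunScenarios() []Outcome {
	root, rootKey := newCert("Demo Trusted Root", nil, nil)
	genuine, _ := newCert("www.goodcompany.com", root, rootKey)
	otherHost, _ := newCert("www.other-host.example", root, rootKey)
	untrustedRoot, untrustedKey := newCert("Demo Untrusted Root", nil, nil)
	forged, _ := newCert("www.goodcompany.com", untrustedRoot, untrustedKey)

	const asked = "www.goodcompany.com"
	return []Outcome{
		{"genuine server, correct name", verifyPresented(genuine, root, asked)},
		{"redirected to another host (its valid cert, wrong name)", verifyPresented(otherHost, root, asked)},
		{"right name, issuer not trusted", verifyPresented(forged, root, asked)},
	}
}

// IsHostnameMismatch reports whether err is the "wrong server" rejection.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// IsUntrustedIssuer reports whether err is the "no trusted root" rejection.
func IsUntrustedIssuer(err error) bool {
	var ue x509.UnknownAuthorityError
	return errors.As(err, &ue)
}

func main() {
	for _, o := range RunScenarios() {
		if o.Err == nil {
			fmt.Printf("%-58s ACCEPTED\n", o.Scenario)
		} else {
			fmt.Printf("%-58s REJECTED: %v\n", o.Scenario, o.Err)
		}
	}
}
```

Running it prints one line per scenario: only the first is accepted; the redirect case is rejected with a hostname mismatch even though the certificate it presents is perfectly valid for its own name, and the forged case is rejected because its chain reaches no trusted root. That is the distinction the reply draws: securing the name-to-address lookup says nothing about who is at the other end of the connection, whereas the certificate check does.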