begin quoting [EMAIL PROTECTED] as of Thu, Nov 30, 2006 at 11:42:51AM -0800:

> Now that we have a handful of major certificate authorities
> like VeriSign and now that browsers come with a bunch of public keys
> it looks like we have a viable working universal PKI system for
> SSL and other real work. Say goodbye to "Man-in-middle-attacks"! yay!

This is not new... there have been a TON of "major certificate authorities" pre-trusted shipping with browsers for many years now. The ease with which you can find or modify the list of certificate authorities varies from browser to browser, but the list is typically long enough to be tedious. And there's no good way for the average user to make an informed decision as to whether or not they should trust these authorities. The list is long and information about most of 'em is scarce.

I wonder how many people out there who are unhappy with China's handling of the internet are trusting CAs based in China, where they are under the potential control of the Chinese government? (Lather, rinse, and repeat for other 'oppressive' governments.)

> Seriously, I'm curious what people think about this PKI system and what the
> attack vectors are to be concerned about.

In theory, it's good. In practice, it's clunky. Which means it's now down to an engineering and user-interface problem.

> Please tell me if these two attack
> vectors I've heard of are worrisome....
>
> * You can attack web browser packages in Linux distributions. If you can put a
> fake VeriSign public key in Firefox package you just killed the PKI system
> right?

Many-eyes-make-shallow-bugs mitigates this somewhat, one would hope. Harder than detecting a trojan, I think.

> * You can somehow "fool" a cert authority to give you a public key they should
> not. (I'm not sure this is much of a threat anymore after bad press about
> someone getting a Verisign'ed M$ cert IIRC.

Why not? I don't see how getting a little bad press that had zero effect would mitigate any threat. How many people went into their browser and unchecked the little trust boxes next to all of the Verisign CAs? Hell, I didn't even do that, and I'm considered paranoid by some. So it's supposedly bad publicity that had no significant effect, which makes it free advertising... so long as it doesn't happen too often, it's *good*.

> Perhaps someone thought of
> clever ways to protect against this?)

Yeah, hold CAs accountable for their errors. A CA that issues a certificate to a bogus entity should revoke all of its certificates, and reissue them from scratch. If they don't do this, then vendors, users, and other CAs should consider 'em untrustworthy.

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
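The post above argues that the pre-trusted CA list is too long and too opaque for a user to make an informed trust decision. As an added example (not from the list thread), the Python script below uses only the standard library to enumerate the trust anchors the local TLS stack will accept, group them by subject country, and flag any that have already expired; the sample certificates embedded for testing are constructed, not real CAs.

```python
import ssl
import time
from collections import Counter


def load_system_cas():
    """Return the trust anchors the default client SSL context accepts.

    This is the same CA set a TLS handshake on this machine will trust,
    as a list of dicts (the shape returned by SSLContext.get_ca_certs()).
    """
    return ssl.create_default_context().get_ca_certs()


def _field(name, key):
    """Extract one attribute (e.g. 'countryName') from an ssl name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize_cas(certs, now):
    """Group trust anchors by subject country and list expired ones.

    `now` is a POSIX timestamp so results are reproducible in tests.
    Returns (Counter of country -> number of CAs, list of expired CNs).
    """
    by_country = Counter()
    expired = []
    for cert in certs:
        subject = cert.get("subject", ())
        by_country[_field(subject, "countryName") or "??"] += 1
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(_field(subject, "commonName"))
    return by_country, expired


def _sample(country, org, cn, not_after):
    # Constructed entry mimicking get_ca_certs() output; not a real CA.
    return {"subject": ((("countryName", country),), (("organizationName", org),),
                        (("commonName", cn),)), "notAfter": not_after}


SAMPLE_CAS = [  # constructed test data
    _sample("US", "Example CA Inc", "Example Root CA 1", "Dec 31 23:59:59 2030 GMT"),
    _sample("CN", "Example CA Ltd", "Example Root CA 2", "Jun 30 23:59:59 2035 GMT"),
    _sample("US", "Example CA Inc", "Example Expired Root", "Jan 01 00:00:00 2004 GMT"),
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov 30 00:00:00 2006 GMT")

if __name__ == "__main__":
    counts, old = summarize_cas(load_system_cas(), time.time())
    for country, n in counts.most_common():
        print(f"{country}: {n} trusted CA(s)")
    print("expired anchors:", old)
```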
