> What instead people *are* saying is that CAs aren't the only way to do security, and that SSH offers a successful example of another way. What is being proposed is not less CA certs, but more CA certs.
Yes, infinitely more. Everyone gets to be a CA. Opportunism!
Every web site and email would be saying "Trust me! Trust me!" Users would have no idea what or whom to trust. Let's not go there again.
I had a conversation today with a long-time open source developer about the proposals to change mozilla to use an "SSH model" for security. His eyes got very big in disbelief! I said "yes, people are proposing to read cert fingerprints over the phone to authenticate public keys." He burst out laughing!
He said "That's the theoretical SSH model! Let me tell you about the REAL SSH model". He went on to say that people visit an SSH server, it presents an RSA public key, and they just blindly trust it without any effort to check its authenticity first, because that's too inconvenient.
In other words, people use SSH in a way that provides NO authentication whatsoever. They get encryption, and feel good about that, not realizing how easy MITM attacks with transparent proxies and routers really are. They get no more real security than without any encryption at all, especially not from any governments.
(*God help* any political dissidents who fall for that! The human tendency to skip over technical details that are not well understood is *exactly* the reason why non-Uber-Geeks should not use SSH!)
A cert and public key should mean "you (the party relying on this cert) have MORE assurance of the authenticity of the source (or destination) of this connection (for SSL) or message (for SMIME) than you would have if you didn't use cryptographic security." If a cert/key doesn't better assure authenticity, then it is a sham, giving the (naive) user false security, baseless peace of mind.
Now, if you believe authentication is not needed for adequate security, if you believe we really don't need more authentication than what we get with present insecure protocols, then why not just drop encryption altogether? If mozilla really just wants to set people's minds at ease, without going to any of the bother of providing real authentication, then there's a MUCH easier and cheaper way to do that than with encryption.
It's the HTML <LOCK> tag.
You just put a <LOCK> tag somewhere in the head or body of an html page or html email message, and it makes the lock icon appear locked! HTML engines silently ignore any tags they don't understand. The ones that do understand it show the lock/key/pen icon in the secure state. No costly crypto, no certs, no CAs, not even signatures are needed. Users get the peace of mind of seeing that icon in the secure state. It's amazingly easy, joyously cheap. It hasn't been implemented in mozilla yet, but it would be a LOT easier to implement that than adding any new CAs to the list. Same results, much less cost and effort.
Before proposing any more unauthenticated crypto, ask yourself, "how is the authentication this provides better than the <LOCK> tag proposal?" If the answer is "it isn't" then please champion the <LOCK> tag proposal instead.
This is why I keep my ear to the ground for any data about MITMs. There is very little. There is the one story I heard on this group, relating to a credit card on a student campus, and then there are a few stories from other protocol areas (one email story, and one other, can't recall right now).
> This allows me to claim - honestly - that MITM is not the threat that you think it is. I can't prove it because there is an absence of information.
Obviously, people who have successfully implemented MITM attacks do not find it in their own best interest to reveal what they've done. Victims may also wish to keep quiet. So, the information about MITM attacks is not very public.
If someone could show you a massive on-going MITM attack on http and https, affecting thousands of users, how would that influence your position? Please do answer that.
> Phishing is addressed by the sort of measures we have proposed,
Everyone calls their bank (or ebay, or amazon) and asks for the fingerprint of their self-signed cert?
The only thing I recall that *might* help is the idea that the browser display more info from the cert to the user. This doesn't help if the user is trusting certs from an untrustworthy source. An MITM attacker will copy the entire subject name from the legitimate server's cert, and could just as easily copy the issuer name also (with some tiny modification, such as a seemingly harmless addition).
/Nelson
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
