Julien Pierre wrote:
As expected. You know, in the Linux community,
machines are hacked all the time, I guess we would
have heard of stolen certs by now.
Why do you guess that ?
What makes you think people would communicate with you that their certs
were compromised ?
General stuff. We've been in the SSL business
for 10 years now, as a community (I don't mean
me, as such). Billions or Trillions of events
have occurred. Once we get to a certain number,
we get enough stats to be able to say things
with a fair degree of certainty. We know that
the major threats are: spam, viruses, hacking,
and soon, phishing. We know that the "didn't
happen" threats are eavesdropping and MITM.
And what makes you think that the Linux community cares about trusted
X509 certs that they have to pay for, when they are perfectly happy to
exchange untrusted public keys, that are FREE. That's most important to
them, after all, not security.
About 10-30% of all web servers run on Linux
variants, and about 10-30% run on BSD variants.
Numbers vary depending on which survey you look
at. BSD is rarely hacked, according to the one
survey I've come across (admittedly, I wouldn't
trust these FUD merchants, but it's the only
numbers we've got):
[Linux] Globe and Mail (Technology) reports
statistics from a London security firm, mi2g:
"During August, 67 per cent of all successful
and verifiable digital attacks against on-line
servers targeted Linux, followed by Microsof
Windows at 23.2 per cent. A total of 12,892
Linux on-line servers running e-business and
information sites were successfully breached
in that month, followed by 4,626 Windows servers."
Whether mi2g are credible as reporters of
statistics is questioned by VMyths.
So we can eliminate BSD from the questioning
straight away. Now, that leaves a volume of
crackery going on. If over a year, that's
about 150,000 boxes ... so if someone was
scarfing up SSL certs, then we'd have heard
about it by now. And it's 4 times more likely
to happen in the Linux world, where they are
not as shy as in the Microsoft world about
revealing security issues.
(Instead, we hear about using Linux boxes as
platforms for DDOS, for leapfrogging, for
defacement, warez, .... Never have we heard
the story "oh, my cert was stolen and then
they did a DNS spoof and my customers were
ripped off." Instead, the credit card DB is
raided and that's the end of it.)
Right. In OpenPGP, one is supposed to create
a revocation certificate up front, and then
keep that in a safe place. I have never bothered.
If you, with the knowledge you have of the issuer, haven't bothered, I
wouldn't expect many other PGP users do either. Even if you created that
revocation cert, it's possible you didn't back it up, or the data was
lost, just like the private key data itself. It's a fundamentally broken
revocation model.
Correct, it's a sort of throwaway revocation
feature that is better than nothing. But, it
matches the rest of the system, and still, to
date, I've never ever heard of anyone moaning
that they got in trouble because they couldn't
revoke. PGP has been around since a few years
before SSL, and has only in the times of the
PGP Inc company had to deal with an institutional
mindset. If revocation by 3rd parties had been
a useful feature, it would have been added.
There's probably a piece missing in this
conversation. Frankly, revocation is considered
to be a highly dubious feature, and not one that
"makes or breaks the system." In this vein, with
self-signed certs, the nature of them not having
any revocation is either a bug or a feature,
depending on which side of the revocation debate
that one falls.
E.g., arguing that self-signed certs are bad
because they have no third party revocation is
like arguing that a bicycle is bad because it
doesn't have 4 wheels. There are places for
4 wheeled things and times for 2 wheeled things.
iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
