Nelson B wrote:
Ian G wrote:
:-) OK, so Banks told the Users. Who told the Banks
that 40 bits wasn't good enough for them?
Well, I think many banks had a better clue than most Limburger
(er, 40-bit crypto) users. Then there was the incident where a
college student broke a 40-bit key using unused CPU cycles of
campus computers, and then proceeded to read old SSL traffic with
it.
Yes, scary, but in the event a security threat of
much gravity. What's even more scary was that he
did it twice. Even his name is likely to make you
cringe ;-)
But, in security work, we make a distinction between
demonstrations of attacks and economics models of
viable attacks. What they/he did wasn't economic,
just scary.
Good point. So all ISPs can sniff on traffic. Now,
the question is, why have ISPs had a very low incidence
of snooping and eavesdropping?
Why do you think that there has been a low incidence?
Literally, it's because - I hypothesize - techies
make poor and unlikely crooks. Mostly the culture is
one where such opportunity would be frowned upon, and
the people concerned are rewarded relatively well for
activity that would mentally oppose the notion of theft.
Being a techie or programmer requires some element of
slavishness to the truth, as computers laugh if you
lie to them, and they give you all sorts of puzzles
that are based on fundamental but obscured truths.
One thing is that for any active attack, look for any
evidence of passive eavesdropping. (And there is very
little evidence that ISPs have people that do that.)
Techies have no time to sit there reading data looking
for the needle in a haystack.
Eavesdropping over open channels is a leading
indicator of any active attack, such as crunching easy
crypto or doing an MITM. The eavesdropping attack is
the only sensible one, as it leaves no traces. An MITM
is orders of magnitude more risky as it involves sending
packets over the network, ones that can be traced and
tracked back to source.
Finally, there is this factor - for every attack, you get
a low likelihood of success, and a high work effort. You
have to scan many sessions to get one lousy credit card.
So you have a high workload, for low quality results.
Perhaps you expect the ISPs to be dumb enough to go out and
use the CC numbers to buy TVs or drugs. Instead, some sell the
personal info they find to information brokers. Marketeers
really like to know who has big bank balances and who doesn't.
By keeping it inobvious to the victim, the eavesdroppers can keep
it up profitably for years. That's more valuable than a couple
of TVs. Many broadband users in the US have signed agreements
explicitly allowing this!
You'd think that by now there would have been dozens even
hundreds of cases of such?
There have been, but as I said ...
I've heard of about one, maybe two if we push it. I
think the reason is that your average ISP is staffed
with the wrong sort of person to do insider attacks,
whereas banks, telcos, and other places have no such
good luck.
It's not the employee doing it against his boss's wishes.
It's the boss's wishes being carried out.
Well, that's another thing, that's called marketing,
or as you mentioned in the other example, national
policy. Are you suggesting that Mozilla Foundation
take a stance on these things?
Where it is in the agreement, it is a thing that can
be accepted by the user or rejected. We should be
careful not to confuse our threat models with what's
written in the contract and doesn't appeal to our
sensibilities, and what's an aggressive and unexpected
attack.
(And, even more use of 40-bit crypto with certs will
stop that activity if that's what you don't like. No
marketeer is going to spend big bucks on crunching
hardware, he wants all stuff to be open at the cert
level, and to do that there will be the "chinese
agreement" in which case, our efforts here have been
overridden at layers 8 or 9 of the stack.)
(By viable threat model - I didn't mean it was possible,
but that it was economically attractive.)
Very attractive to sell that data.
If it is risk free, yes. It isn't risk free if it is
uneconomic - that's my point. Security is about risks:
costs versus benefits must be calculated, and low risks
can be "absorbed" while high risks should be explicitly
addressed.
The distinctions are these:
* each CC is hard to get, a needle in a packet haystack
* techies aren't the type to do it
* crunching 40bits or doing MITMs is kind of obvious
over the long term.
In contrast, the people who work in the backoffice of
the merchants are often less well paid, less incentivised
to be honest, bored, and have an easy way to lift the entire
database with one SQL instruction. This is why almost
all theft of data happens at the backend, either as an
inside job, or as a crack from outside.
And there are proxies operating now that do real MITM attacks
against SSL that passes through them. To use these proxies,
you must agree to an end user agreement and download their
software that installs their root CA cert. The end user agreement
prevents the user from taking any action against them for their
snooping. The user even agrees to "hold them harmless" against
any legal action that might come against them as a result of the
user blowing the whistle. Recent reports say there are tens of
thousands of users of it.
Right, but we've excluded them, right?
I don't think so. How have we excluded them?
We have excluded them from the class of cert attackers
because they do it with the agreement of the users.
They are not attackers, they are participants, insiders.
The users install their root cert - that's what you said,
right?
Whatever Mozilla provides these users with, the ISP
says, we don't care, just let us read your encrypted
traffic. Right? They are excluded therefore from
our view of the threat model.
One of them has a WebTrust seal. Although they have not yet
approached mozilla to be admitted as a CA (AFAIK), if they did so,
on what basis in the present policy draft would they be denied?
Hint: think policy floor.
So, they are like another big CA that is in the root
list already - that has a stated objective that puts
it in conflict with the users of its certificates? I've
written elsewhere on who this might be.
Currently the view is tending towards:
a) MoFo should not be in the judgement business,
b) the CA process is clearly documented
c) some untested angle for kicking them out if they
do bad
so this hypothetical ISP/CA that has an agreement with
all users to listen to their traffic is no difficulty.
If it has the WebTrust it's in. If not, then it has to
follow the alternates that have been worked out by this
group.
Or, are you saying that MoFo should be in the judgement
business? And, who do you think gets to be the judge?
Judgement won't fly. We've clearly set our goals as the
average user, and if enough average users decide to take
up the kind offer of a benevolent ISP then ... the
average user has spoken! That's that!
( Go check out cryptorights.org.
But, just a slight upfront - even those guys are not in
the judgement business, they will supply their product
to the benevolent ISP as well as the user. It's just
that they've decided their target user is the one that
has something to hide and also has an aggressive attacker
who is trying to take it from them.
Unlike Mozilla. )
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
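The thread's point about the SSL-intercepting proxies (the user installs the proxy's root CA and the proxy then "reads your encrypted traffic" while every certificate still validates) is easy to verify in code. The following is an added example, not code from the thread or from any of the proxy products it alludes to: it builds, in-process, a "public" root CA with a genuine certificate for a made-up host `bank.example`, then a separate "interception" root and the substitute certificate such a proxy would mint for the same host, and runs Go's standard `crypto/x509` chain validation over both. The CA names, the host, and the idea of keeping an out-of-band SPKI pin for the real server key are all assumptions of this example.

```go
package main

// Added example, not code from the mozilla-crypto thread or from any product it
// mentions. CA names, the host "bank.example" and the pin source are made up here.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn; with parent == nil it is self-signed (a root).
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, recorded out of band for the real key.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainValid is what a browser does: find a path from leaf to a trusted root for host.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// InterceptionSuspected flags a chain that validates but carries a key other than the pinned one.
func InterceptionSuspected(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	return ChainValid(leaf, roots, host) && SPKIPin(leaf) != pin
}

// Demo builds a public CA with the real server cert, then an intercepting proxy's root
// with the substitute cert it mints for host, and reports the four checks.
func Demo(host string) (proxyValidNoRoot, proxyValidWithRoot, pinFlagsProxy, pinFlagsReal bool) {
	publicCA, publicKey := issue("Public Root CA", nil, true, nil, nil)
	realLeaf, _ := issue(host, []string{host}, false, publicCA, publicKey)
	proxyCA, proxyKey := issue("Proxy Interception Root", nil, true, nil, nil)
	proxyLeaf, _ := issue(host, []string{host}, false, proxyCA, proxyKey)
	pristine := x509.NewCertPool()
	pristine.AddCert(publicCA)
	withProxy := x509.NewCertPool()
	withProxy.AddCert(publicCA)
	withProxy.AddCert(proxyCA) // the user clicked "agree" and installed the proxy root
	pin := SPKIPin(realLeaf)
	proxyValidNoRoot = ChainValid(proxyLeaf, pristine, host)               // false
	proxyValidWithRoot = ChainValid(proxyLeaf, withProxy, host)            // true: validation alone is blind
	pinFlagsProxy = InterceptionSuspected(proxyLeaf, withProxy, host, pin) // true
	pinFlagsReal = InterceptionSuspected(realLeaf, withProxy, host, pin)   // false
	return
}

func main() {
	fmt.Println(Demo("bank.example"))
}
```

The run shows the asymmetry the thread is arguing about: before the proxy root is installed the substitute certificate fails validation, and after it is installed the same certificate passes, with nothing in the chain itself to distinguish it from the genuine one. Only knowledge the browser obtained some other way (here, a pin of the real server's SubjectPublicKeyInfo) separates the two, which is why a "participant" who has agreed to install the root sits outside a threat model built purely on chain validation.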
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto