Ian G wrote:
Nelson B wrote:
Ian G wrote:

Good point. So all ISPs can sniff on traffic. Now,
the question is, why have ISPs had a very low incidence
of snooping and eavesdropping?

Why do you think that there has been a low incidence?

Literally, it's because - I hypothesize - that techies
make poor and unlikely crooks.

I wasn't asking "what do you think is the cause of a low incidence of eavesdropping", but rather "on what evidence do you gather that there is not a high incidence of eavesdropping?"

I think (based on your repeated references to credit cards) that
it is due to an absence of widespread reports of stolen CC numbers
that are attributed to network snooping.  But that's not the most
relevant indicator.

Finally, there is this factor - for every attack, you get
a low likelihood of success, and a high work effort.  You
have to scan many sessions to get one lousy credit card.

That's easy for the bad guys to solve. Filter the traffic by IP addresses of known banks and merchants. Traffic to/from banks will contain LOTS of gold. They don't want just CC numbers. Knowledge about what books you buy, how much you spend on clothes at upscale merchants, ... it's all very sellable.

Well, that's another thing, that's called marketing,
or as you mentioned in the other example, national
policy.  Are you suggesting that Mozilla Foundation
take a stance on these things?

In fact, today, mozilla empowers users with the tools to detect and avoid these things. The SSH model doesn't.

Where it is in the agreement, it is a thing that can
be accepted by the user or rejected.  We should be
careful not to confuse our threat models with what's
written in the contract and doesn't appeal to our
sensibilities, and what's an aggressive and unexpected
attack.

The contracts never specifically mention SSL MITM. They say (paraphrased) "You give us the right to see all your traffic" and "SSL will still work". The user reads those and concludes that that means that SSL is still secure end-to-end between himself and his bank, but it isn't. Today, mozilla's warnings will still alert the user to this MITM. SSH-style cert acceptance does not.


(By viable threat model - I didn't mean it was possible,
but that it was economically attractive.)

Very attractive to sell that data.

If it is risk free, yes. It isn't risk free if it is
uneconomic - that's my point.

Then it must be pretty economic, because lots of companies have been in this business for years and years.

Buying merchandise paid for with stolen CC's is not a sustainable
long term business model, because the users detect the theft from
the bogus purchases that appear on their statements.

Selling info about consumers with large bank balances to merchants
who are not required under law to reveal their sources is a very
sustainable business plan.

The distinctions are these:

* each CC is hard to get, a needle in a packet haystack

Only petty thieves want mere CC numbers. The big money and long term money is in selling info.

   * techies aren't the type to do it
   * crunching 40bits or doing MITMs is kind of obvious
     over the long term.

Not really. It's been going on for years. Few have noticed, and some in this newsgroup have even denied that it is going on.

And there are proxies operating now that do real MITM attacks
against SSL that passes through them.  To use these proxies,
you must agree to an end user agreement and download their
software that installs their root CA cert.  The end user agreement
prevents the user from taking any action against them for their
snooping.  The user even agrees to "hold them harmless" against
any legal action that might come against them as a result of the
user blowing the whistle.  Recent reports say there are tens of
thousands of users of it.

Right, but we've excluded them, right?

I don't think so. How have we excluded them?

We have excluded them from the class of cert attackers
because they do it with the agreement of the users.

The unwitting agreement of the users. Like I said, they don't come out and say that they're MITMing SSL. They say "SSL will still work" and leave the user to assume that that means that SSL will still protect him from their snooping.

They are not attackers, they are participants, insiders.
The users install their root cert - that's what you said, right?

The users run an installer program to get the supplier's "software", never realizing that they're installing a bogus root cert that defeats SSL's MITM protections for them. (These schemes primarily target IE users today, because Windows has an API by which any little program can install root CA certs silently.)

People who are really interested in the security of the average
end user advise end users NOT to install ISPs' software.

Whatever Mozilla provides these users with, the ISP
says, we don't care, just let us read your encrypted
traffic.  Right?  They are excluded therefore from
our view of the threat model.

We exclude them because they demand to read encrypted traffic?

One of them has a WebTrust seal.  Although they have not yet
approached mozilla to be admitted as a CA (AFAIK), if they did so,
on what basis in the present policy draft would they be denied?

Hint: think policy floor.

So, they are like another big CA that is in the root
list already - that has a stated objective that puts
it in conflict with the users of its certificates?  I've
written elsewhere on who this might be.

Are you being sarcastic? Or are you arguing that mozilla should let all issuers of certs into the list because there's one with a policy that you find to be in conflict with the users' interests?

Seems like letting in untrustworthy CAs suits the purposes of
advancing the SSH-style cert use proposal very well.  Let in
untrustworthy CAs, wait for the inevitable disaster, then declare
that CA-based PKI is discredited and that SSH-style was the answer
all along.

Is that an example of "thinking several moves ahead"?

If it has the WebTrust it's in.  If not, then it has to
follow the alternates that have been worked out by this
group.

I'm not sure if you're endorsing that view, or if you're criticizing it, or merely saying you think that's what the current policy says.

Or, are you saying that MoFo should be in the judgement business?

No, I'm saying there should be a well written policy that contains specific provisions that keep phony CAs operated by MITMs out. And it doesn't appear to me that WebTrust by itself suffices.

Judgement won't fly.  We've clearly set our goals as the
average user, and if enough average users decide to take
up the kind offer of a benevolent ISP then ... the
average user has spoken!  That's that!

I guess you're using sarcasm. Surely you're not suggesting that we lower our ability to protect users' information to levels where they no longer protect end users against attacks that the common end user does not understand, just because the end users do not understand it!

--
Nelson B