Hi Ian,

I wasn't asking "what do you think is the cause of a low
incidence of eavesdropping", but rather "on what evidence do you
gather that there is not a high incidence of eavesdropping?"

Ah, the evidence of the busts. There is a continuous
series of bad guys getting caught,

(Disclaimer: I am not a lawyer. This is not binding legal advice.)

Here in the US, selling personal private information about people isn't
illegal.  You'll never hear about "busts" because it's legal.  People
who have info about you (in the US) can legally sell it in most cases.
Some people (a few groups specifically targeted by US laws) who gather
information about you are not free to sell it.  That includes
"health care providers".  But most can.  We don't hear about "busts"
of information sellers because they aren't breaking the law.

There is almost NO press coverage about the industry of info-selling in
the US.  Most average folks have NO IDEA how much info about them is
sold, and is known to marketing companies.

A rather recent US law requires info sellers and holders of personal
information to disclose when they've been robbed, when the info they sell
has been taken without paying for it. And that led to the big ChoicePoint revelation.


The shocking part to most people was not that some of the info held by
ChoicePoint was stolen, it was how much personal info ChoicePoint had
available to be stolen!  For many people, that revelation (that their
personal info was being held by ChoicePoint, and had been stolen) was the
first time they heard of ChoicePoint, or knew that this hitherto unknown
company had SO MUCH of their personal information.  Now many of them are
calling on Congress to protect them, not only from thieves who steal from
ChoicePoint, but also from companies who hold so much of their personal
information without their knowledge or consent.

US Law also requires companies to disclose how they use the information
they gather.  So, many web sites now have pages that say "we never use
information except for the purposes for which we gather it".  They don't
have to tell you what those purposes are.  They can say things like
"we share this information with our affiliates", which can include
ANY COMPANY with whom they do business.  They don't have to name the
affiliates.  They don't have to say what info they share.  They only
have to disclose that they share information.  So they can sell your
personal info to information brokers.  All nice and legal.

Most US consumers don't know that the discount card they received from
their grocery store enables their grocer to sell info about them to
food makers.  It's been reported in the press here and there, but
isn't big news because it's all nice and legal.  People who claim to
want privacy exchange their privacy for 10 cents off the price of a
can of beans every day.

So, one of the big jobs for SSL is to keep my private info private,
not only from people who would buy TVs with my credit card numbers,
but from parties (other than those with whom I'm directly doing
business) who will sell it to marketing firms.

Unless the laws change, we'll NEVER hear of "busts" for collecting and
selling info (except truly stolen info).  As long as the marketing firms
control themselves NOT to buy TVs with our credit card numbers, they'll
continue to be able to gather our personal information.  If they can use
MITM to get it, they will (and do).

This isn't "conclusive" but it's pretty darn close;
reports of anyone eavesdropping stand out a mile,

Only when a law is being broken. Most eavesdropping in the US is legal (as long as the government isn't doing it), especially if the user has agreed, as part of signing up for some service, in some fine print they didn't read, to allowing it to be collected.

That's it.  Just the laws of incredulity;  if you
never ever hear about it then it isn't happening,
unless you also believe in UFOs, ESP and the return
of Elvis.

I've never seen ChoicePoint. I've seen only one report about them. Should I not believe they exist, and many more like them?

Knowledge about what books you buy, how much you spend on clothes
at upscale merchants, ... it's all very sellable.

Easy to *technically* solve, but they don't have
access to that traffic, unless they are in an ISP,
in which case ... a) they are probably not the
right person, and b) running datamining on customers
at the ISP is something that others in the ISP are
likely to notice at some point.

Nearly every white-collar employee of nearly any high-tech company in the USA signs a non-disclosure agreement (NDA) with very draconian terms, including those wonderful words "hold harmless". This also is true for most marketing companies and info brokers. The NDAs include protecting the confidentiality of other companies that do business with the employer, so, e.g. the ISP employee who discovers that a "business partner" of his employer is gathering and selling subscriber information is bound by the NDA he signed not to reveal it.

If the discovered activity was AGAINST THE LAW, the employee might be
able to reveal it to law enforcement and enjoy some legal protections
for breaking his NDA.  But as I said, selling info is quite legal.

Mind you ... I'm prepared to be persuaded - you say
that all this information is readily sellable - can
you offer any evidence, any anecdotes?

Let me describe a scenario to you. Someone signs up with a broadband Internet service provider, but doesn't install the software on the CD his ISP sends him. When he attempts to visit his bank's online banking website, he gets a warning about a cert from an untrusted issuer. He calls his ISP, and his ISP first suggests that he install that CD he got. When he refuses, the ISP helps him reconfigure his browser not to use the ISP's proxy. Problem solved. No "busts" in the paper. His browser's reliance on trusted CAs helped him detect and avoid the MITM.

But some ISPs' services cannot be used without installing their software.

We are as a security community desperate for some
data points on this...  I occasionally grill people
who should know and they can't come up with any.

Maybe their NDAs keep their mouths closed.

In fact, today, mozilla empowers users with the tools to
detect and avoid these things.  The SSH model doesn't.

I'm sorry, I can't keep up.  I looked up this
quote, and it seems we are talking about the
Chinese ISP scenario, where the user has to
download the ISP's software and install that,
and/or root keys.

Yeah, but let's call it the American Broadband ISP scenario. And installing the root CAs is usually optional. It's never done by itself. The user is never made aware that he's installing root CAs. He's only installing the ISP's software CD, which the ISP encourages him to do (and the broadband installer will do to his system unless he is adamant against it) and what that software does is never quite clear.

Let's revisit the scenario I described above as an example.

The user is new to his ISP.  He starts browsing, and every time he
visits an https site FOR THE FIRST TIME, in the SSH model his
browser says "hey, here's a new cert.  Do you want to use it?"
No warning about unknown issuer, this is SSH-style.  It protects
you against CHANGES in public keys, but not the first visit.

(You may recall that I once thought that SSH users tended to attempt
to verify public keys by some out-of-band means on first contact.
But you set me straight about that, revealing that users always just
say "yes" on first contact.  Since then, I've gotten involved with a
lot more SSH users and have found that you were 100% right about that.)

So the SSH-style user says "Sure!" because that's what he and all
other SSH users always say when they encounter a server's public key
or cert for the first time.  And after that, he's happy, his ISP is
happy, his ISP's information broker is happy.  Everybody's happy.
SSH really came through for him.  Right?

Where it is in the agreement, it is a thing that can
be accepted by the user or rejected.  We should be
careful not to confuse our threat models with what's
written in the contract and doesn't appeal to our
sensibilities, and what's an aggressive and unexpected
attack.

The contracts never specifically mention SSL MITM.  They say
(paraphrased) "You give us the right to see all your traffic"
and "SSL will still work".  The user reads those and concludes
that that means that SSL is still secure end-to-end between
himself and his bank, but it isn't.  Today, mozilla's warnings
will still alert the user to this MITM.  SSH-style cert
acceptance does not.

This is a distinct example to the Chinese
scenario?  So this is a marketing company
that somehow got the user to sign up to a
proxy service?

Yes, and the American BroadBand ISP user, too.

You said above that mozilla avoids those things

Today, mozilla's root list does a pretty good job of protecting the user in this case. (I don't know of any MITM who attacks mozilla's trusted list in the way they attack IE's list.)

and now you say that the SSL isn't secure?

I say that people who let ISPs or marketing companies install CAs in their trusted CA lists will have little or no SSL security, yes.

Also, in that scenario if the proxy returns
a CA signed certificate and does an MITM,
this would result in a popup and a status
bar display of the proxy domain name, right?

Not AFAIK.

SSH - you might have the wrong idea about
what is being suggested there. In discussions
of SSH style acceptance, the notion is to
augment or add the caching of history to the
existing regime.

That's news to me. That's not what I recall reading in numerous recent posts. In fact, I recall reading about dividing certs into groups, with one group being certs from unknown issuers, including self-signed certs, handled by SSH-like techniques alone. A user only has to slip once, and accept that self-signed cert that claims to be for his bank once.

I guess I'd ask the question: if we trust the CA list for the first
time, why don't we trust it for the second?  Could it be that you
don't trust CAs in the trust list?

Then there's my bank's server farm, where each server has its own HSM
and its own cert.  SSH doesn't work too well with that.

Buying merchandise paid for with stolen CC's is not a sustainable
long term business model, because the users detect the theft from
the bogus purchases that appear on their statements.

!  Credit card fraud has been running at around
0.1 to 1% since ... forever.  I'm not sure how
much more sustainable that can get.  Any credit
card whizzes here who can give us some figures?

But that's not a single thief doing it over and over, over the course of years, AFAIK. That's lots of teenagers who frequent "L33T" (elite) underground bulletin boards, and doing it a couple times before getting busted. Any evidence to the contrary?

Selling info about consumers with large bank balances to merchants
who are not required under law to reveal their sources is a very
sustainable business plan.

Ah.  Sure, but mostly they acquire the information
using legal methods.  Their existence doesn't mean
that they use illegal methods.

Right. SSL MITM is not inherently illegal, at least not in the USA.

I know of active MITM proxies operating right now that I dare not
accuse of wrong doing because (a) according to US law, what they're
doing is legal, and (b) I might have to hold them harmless.  But that
doesn't mean that mozilla shouldn't protect its users from them.

I knew a guy who did this;  it was all totally legal,
and it was very very legal deliberately, because he
had a lot of enemies who wanted to shut him down.
Only by being very careful was he able to keep going.

Yeah, in the USA, he'd probably be a successful information broker.

The distinctions are these:

* each CC is hard to get, a needle in a packet haystack

Only petty thieves want mere CC numbers.  The big money and
long term money is in selling info.

Stolen info?

Would you call the info collected in my above scenario stolen? Doesn't the word "stolen" imply law breaking? wrong doing?

Can you offer any anecdotes?  How much is it worth, for example?

Peter Gutmann reported in some recent slides that
CC info was down below a dollar per.

Yeah, on the underground teenage thief market. That's not the market I'm talking about.

So maybe you are right in that credit cards are so open
that they aren't worth anything.

Doesn't that tell you something?

That teenagers aren't who I'm concerned with. They haven't got the smarts to get their victims to agree in advance to let them off.

Not really.  It's been going on for years.  Few have noticed, and
some in this newsgroup have even denied that it is going on.

Show us some evidence. I'm very keen to hear it.

Of course you are. I'd say it if I could. I'd have told you a year ago if I could have.

Literally, if there's never been a bust then I
doubt it is going on.

It's not illegal. People doing legal things don't get busted. Accusing people who are not law breakers of being law breakers is a good way to get sued out of your house and life's savings.

We are talking about a billion users of the net, and
millions of merchants ...

Yes, indeed we are. All the more reason for mozilla to be VERY careful about those trusted CAs.

The unwitting agreement of the users.  Like I said, they don't come
out and say that they're MITMing SSL.  They say "SSL will still work"
and leave the user to assume that that means that SSL will still
protect him from their snooping.

OK. So up in layer 7-9, they lied to the customer.

No, in the US courts, that's not a lie. SSL still "works". The user logs into his bank, and sees his balance. For most users, that's the definition of working. They said "you give us the right to read all your traffic", and they meant ALL traffic including SSL encrypted traffic. They didn't spell it out, but in the US that "All traffic" means "all traffic", and they don't have to spell out each of the 39 flavors.

(I'm deliberately paraphrasing them here, because otherwise you could
find them with google.)

I'll bet they've thought about this...

Oh, I'm very sure they have.

The users run an installer program to get the supplier's "software",
never realizing that they're installing a bogus root cert that
defeats SSL's MITM protections for them.  (These schemes primarily
target IE users today, because Windows has an API by which any
little program can install root CA certs silently.)

So ... you're saying that Mozilla should not allow
changes to the root list?

... not allow additions to be made in the field on a running browser. I think most users would be best served by that policy, yes. Most users will never in their lives need to add a new CA, or know what a CA is. Therefore the ability to add a CA is for them mostly risk, mostly a chance to do the wrong thing.

In any case, mozilla's root CA list should never be changed without
the user being actively informed of what's going on and actively
agreeing to it.  I believe that's the browser's policy now for
additions being made to the list on the user's running browser.

People who are really interested in the security of the average
end user advise end users NOT to install ISPs' software.

It would help if you'd just come out and say who's

It sure would! Alas. :(

doing this stuff.  It's really difficult to follow
when we only hear half the picture.  I'm still not
clear whether Mozilla defeats this attack or not.

Today, the MITM site's CA is not in mozilla's CA list, and the site does not offer software to "enhance" mozilla (as they do for IE). While that remains true, mozilla users are protected. Mozilla users who use this company's proxy will see a lot of SSL server certs from unknown issuers. In that way, mozilla protects them. It is exactly the way that mozilla protects all users from MITM attacks.

Of course, if mozilla users become conditioned (as SSH users are) to
accept and trust new certs on first encounter (which mozilla DOES
let them do, if they want, though I wish it didn't), then they aren't
protected.

And if this company approaches mozilla and says "look, we have a
webtrust seal, so add our CA cert to your browser", looks to me
like a slam dunk.  And the credibility of PKI in mozilla would
promptly go to zero.  (I'm not sure that all participants in this
discussion think that's an undesirable outcome).

> But fundamentally, if the
> user *knows* what is going on, and agrees to carry
> on anyway, that's no longer a threat.

If the user KNOWS. I have to agree with that.

No, I'm saying these are difficult questions.  If the
CA has indicated to its users what it is up to, then
that covers the policy.  If it has hidden this from
the users, then that's another issue - that's like
lying, or in legal terms it is a material non-disclosure.

In the US, companies lie to their customers all the time. They get their customers to sign agreements (contracts) that give them full power to lie at will. For example, in the agreement, the customer agrees to give up the right to sue the company, the company disclaims every advertised promise, feature or capability, and the user agrees not to hold the company to its word about any of those advertised claims.

Result, no truth-in-advertising suits, despite ongoing false advertising.
For many users, the choices are (a) agree to this, or (b) get no broadband service from their region's monopoly BB service provider.


Now part of this issue gets at the definition of a CA.  Is every company
that issues certs and has a root CA cert a CA?  Even if the owners of the
servers whose DNS names appear in its certs have never heard of it, and
have never asked it to issue them a cert?   If they approach mozilla to
have their CA cert added to the root list, what in mozilla policy excludes
it?  Let's see ... apparently not webtrust, perhaps not ETSI, hmmm.

It seems to me that a reasonable CA policy would CLEARLY and UNAMBIGUOUSLY
keep such issuers of certs, whose existence is unknown to the servers that
their certs appear to represent, out of the root CA list.
Today Draft 11 does not.

SSH style caching is being proposed in *addition*
to the existing cert based regime.  At no time has anyone
on this list said "oh, golly, let's rip out the certificate
stuff and replace it with SSH."  That's a complete non-
starter.

(Although, on some other lists out there, people have
said exactly that.  Good for them, I say!)

Yeah, they must have that sixth sense that will protect them in scenarios like the one I described above. I'm sure that other mozilla user who wrote that he doesn't trust ANY of mozilla's CAs must have God-like powers to sniff-out MITMs. Too bad most users don't have that. That power would sure simplify things!


Then, the phisher has to fight a) the fact the cert
will force him to enter into the business loop, and
b) the only easy certs come from some other CA, so
the brand changes on the user's chrome, and c) if
it is a valuable relationship, she may well have
named it specially and locally.

Legit sites who buy certs had better pick wisely on the first try, because with this scheme, they're never going to be able to change their CA after their first purchase.


No, I'm saying there should be a well written policy that contains
specific provisions that keep phony CAs operated by MITMs out.
And it doesn't appear to me that WebTrust by itself suffices.

Well, hoorah!  as the marines say.  That's a very
big admission by you - that WebTrust by itself may
not suffice.

I've been saying that since draft 10 or 11 came out. It's in several of my posts. Perhaps this post sheds some light on why I think that. Any "attester" who attests to nothing more than "they do what they say they do" regardless of how little or bad that is, isn't enough in my book for me (or mozilla) to trust the results. And given the appearance of the webtrust seals on my favorite MITM's web site, I think that's self evident.

Right, exactly.  That's what the policy was aiming
at all along - WebTrust or even its equivalents is
not sufficient to conquer this beast;  we need some
other stuff.

We need policy that sets a floor on acceptable behavior. If mozilla doesn't know what is an acceptable floor, what chance do Mom and Dad mozilla user have of correctly determining what certs to trust?

And, while that other stuff is coming along, there
isn't much point in holding back the policy in the
vain hope that some silver bullet will come along.

There have been numerous suggestions.

We've batted this around for the last two weeks,
and I haven't seen any objective way of tying user
security to policy.

Forbidding CAs that issue certs without the knowledge of the parties identified in the certs. Objective. Policy protects user security.

Surely you're not suggesting that we lower our ability to protect
users' information to levels where they no longer protect end users
against attacks that the common end user does not understand, just
because the end users do not understand it!

Unfortunately, it is not up to Mozilla Foundation
to provide protection where the user has signed on
to an unprotected regime.

The contractual arrangement doesn't say the user has no right to keep anything private. It merely says that the other party has the right to do what it can to intercept. A mozilla user with a reasonable root CA list is still protected. I want to ensure that continues and that mozilla root list doesn't become an avenue of attack.


Now I must add one important disclaimer here. Many folks know that for years I was employed by a software company that was bought by an ISP. None of what I've written here is a veiled reference to that ISP. I am not aware of any MITM that they operate, and I have no knowledge of any MITM that is operated by any affiliate of theirs. My references in this email to ISPs and other MITMs have not been references to my past employer, or any of its parent companies, nor to my present employer (who isn't an ISP, AFAIK). Just wanna make that clear.

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
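
Added example, not part of the original post: a small Python model of the two acceptance rules compared in the message above (the browser's root-list check versus SSH-style first-contact caching), run over the post's proxy and server-farm scenarios. The certificate fields, CA names and fingerprints are constructed placeholders, and no real certificate validation is performed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    host: str    # DNS name the cert claims to represent
    issuer: str  # name of the CA that signed it
    key_fp: str  # public-key fingerprint (constructed placeholder)


def ca_check(cert, trusted_issuers):
    """Root-list model: warn whenever the issuer is not a trusted root."""
    return "ok" if cert.issuer in trusted_issuers else "warn: unknown issuer"


def tofu_check(cert, cache):
    """SSH-style model: pin the key on first contact, warn only on a change.

    Assumes the user always answers "yes" on first contact, as the post says.
    """
    pinned = cache.get(cert.host)
    if pinned is None:
        cache[cert.host] = cert.key_fp
        return "accepted on first contact"
    return "ok" if pinned == cert.key_fp else "warn: key changed"


# Constructed sample data; every name and fingerprint here is hypothetical.
BROWSER_ROOTS = frozenset({"Example Public CA"})
GENUINE = Cert("bank.example", "Example Public CA", "fp-bank-1")
GENUINE_2 = Cert("bank.example", "Example Public CA", "fp-bank-2")  # 2nd farm server
PROXY = Cert("bank.example", "ISP Proxy CA", "fp-proxy")  # minted by the proxy


def run_scenarios():
    results = {}
    # 1. Proxy is in the path from the very first visit; root list untouched.
    cache = {}
    results["proxy/ca"] = ca_check(PROXY, BROWSER_ROOTS)
    results["proxy/tofu-first"] = tofu_check(PROXY, cache)
    results["proxy/tofu-later"] = tofu_check(PROXY, cache)
    # 2. User stops using the proxy: now the genuine cert triggers the warning.
    results["genuine-after-proxy/tofu"] = tofu_check(GENUINE, cache)
    # 3. The ISP installer added its root: the CA check no longer flags the proxy.
    with_isp_root = BROWSER_ROOTS | {"ISP Proxy CA"}
    results["proxy/ca-with-isp-root"] = ca_check(PROXY, with_isp_root)
    # 4. Server farm with one cert per server: false alarm under TOFU only.
    farm_cache = {}
    tofu_check(GENUINE, farm_cache)
    results["farm/tofu"] = tofu_check(GENUINE_2, farm_cache)
    results["farm/ca"] = ca_check(GENUINE_2, BROWSER_ROOTS)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28} {verdict}")
```

Scenario 3 is the case the post warns about: once the proxy's root is in the trusted list, neither rule raises a warning at first contact.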
