On Sunday 19 June 2005 19:51, Heikki Toivonen wrote:
> Ian G wrote:
> > Coupled with the emphasis on "the search for the
> > revenue stream" and a bunch of crypto vendors who
> > thought their time had come, the scene was set for a
> > very big approach to this threat. They didn't adopt
> > the original threat model, but picked up a military-
> > inspired threat model - the MITM - which came from
> > the best of crypto experience, going back through
> > centuries of warmaking.
>
> As far as I know it was Netscape that invented SSL. They picked a scheme
> that was provably secure (from math point of view), which was good.

Yes, it was Netscape. The first version was not so good, so I hear,
and SSL v2 was pretty good and that stuck well enough to last until
now.

I have no idea what it means to be provably secure, maths wise,
that's an idea that people played around with in the 90s, but these
days it's fallen out of favour I hear, partly for reasons of security
failures that we see here and now.

It's hard to really state this without getting into a big long net
argument, but here goes: we know a lot more about secure protocols
than we did then. We also know a lot more about threats. If we sat
down and re-did the whole lot, it wouldn't look anything like what
you see now.

> And comparing SSH and SSL is not totally fair - usage differs. It is
> much more of an incentive for a criminal to intercept first SSH
> connection to a bank (supposing SSL was not invented) than to random
> hosts out there. And there are much more connections to a bank than
> there are SSH login attempts to a host.

You are absolutely correct that it is not totally fair. But, it's
approximately fair. Yes there are differences, and yes there are
similarities, but the most important issue is that the two are much
closer than other things, so we can learn some things from the
experience. It's a bit of an art, one has to be very sensitive to
the politics.

> > It also made severe demands on the users and the
> > browsers. Now, what the users discovered and the
> > browser GUI people also discovered was that there
> > was no threat. There was no-one listening to credit
> > cards, at least. (Recall, online banking and thus a
> > need to protect passwords did not turn up until later.)
>
> One of the reasons why there is (seemingly) no threat is because SSL is so
> pervasive, and it takes a lot of effort to break SSL.

One of the reasons why we are safe from meteors is because roofs are
so pervasive and so strong! That's why we have to look elsewhere to
judge whether something is working or not. Hence, SSH.

Also, the operative term is "was no threat." There is now a threat
to users which is called phishing. That breaches the secure browsing
security model. It does not breach the SSL protocol but it does
breach the security model of which SSL is one component.

(We need to be careful not to let the strength of the SSL protocol
blind us from the weakness(es) of the secure browsing system in the
browser. I.e., SSL may be provably secure, math wise, but secure
browsing is provably insecure, money wise.)

> > So users did the logical thing - they ignored the
> > security. No threat, so no point in doing anything
>
> I wouldn't say so. People do think about security to some extent, but
> many are checking the wrong things, or they ignore the warnings they
> get. Ignoring warnings can be due to various reasons, only one of which
> is people consciously ignoring security. Others include badly configured
> websites that require users to ignore the warnings, or users really
> wanting to use the service even though it may be against their best
> interest, and not understanding the implications of the warnings.

However you want to describe it. We wouldn't be having this
conversation if users were doing the security model thing how we
wanted them to, and it was worth doing and it worked. Or there was
no threat...

> > but the minimum necessary. What browser manufacturers
> > did was the logical thing - they reduced the security
> > component on the chrome over time until it had all
> > but disappeared. No threat, so no point in it being
> > there.
>
> Are you inventing history here? I don't remember what the early
> browsers looked like, but was there really more security in the early days?

Originally the lock was more prominent, and the CA was supposed to
be named as the one who you could rely upon. I don't recall it
myself, but Bob Relyea mentioned it. I must admit when he mentioned
that on this group a year or so ago (in response to this same
conversation!)
it made me feel a whole lot happier about SSL and the original
design. Leaving it out would have been a stunning failure of
security design.

iang
-- 
Advances in Financial Cryptography, Issue 1:
   https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure