>In public key cryptography, it is the *keys*, not the digital >certificate that encrypt/decrypt the communication.
Okay. I break into his co-lo, I walk off with his computer, and I break into his office, I walk off with his computers, I kill the guy, and I kidnap his wife. I have everything. I have his Certs, his keys, his server, his domain, *EVERYTHING*. This is not *IMPOSSIBLE*, no matter how "unlikely" it is painted. But let me paint a more-likely scenario. Some guy sets up a tiny on-line retail shop on his $20/month ISP. Whoo-Hooo! He gets hacked, never even notices, and his Certs and keys are all stolen. Meanwhile, the guy good enough to do that is also good enough to routinely hijack his domain name for short periods of time. Game Over. How about another, even *easier* scenario. I set up a nice little retail shop that specializes in hard-to-find items. I scour the 'net for things people can't seem to find anywhere else, not even eBay. Nothing big or really expensive, just odd parts and pieces of things. I build a nice big web-site catalog shopping cart. I buy a Cert for a whopping $119. I collect the credit cards for a day or two, I charge them nine ways to Sunday, and I take off. Game Over. How about an even *easier* scenario: I find a web-site that is storing the credit-card numbers in their database, and rip them off. Game Over. >that issued his certificate, he may as well let you run your rogue site >off of his server; it's the same difference. Exactly! Or, he may as well be the criminal and *GET* a C&A signed certificate for his criminal web-site. I do not trust that a C&A Signed Cert is worth the bits its stored in. If you trust Microsoft with Security, shop away. >Think of it this way. Let's use https://www.amazon.com/ as an example. >Do you trust doing business with them? I sure do; at least I trust 100% >that my HTTP requests are going to get to the www.amazon.com server >safely. If someone stole their SSL certificate: Forget amazon.com. Real-world example from *MY* personal life: Stick with unknowncompany.com -- a site you do *NOT* know, you do *NOT* trust, but they are the only ones that have the power-supply you need to run your laptop. You can: A) Throw away your laptop. B) Risk the fact that an unknown site with a "C&A Signed Certificate" (Ooooooh I'm impressed (not)) is the only one who can sell you the part you need to power the laptop. C) Try (and fail miserably) to find the part in "real" stores, and go back to A or B. Yes, this really happened to me. Yes, I really bought the thing on-line. No, I had no trust that they weren't crooks or at least incompetents. Yes, that's why the current system is insufficient. Yes, that's why I think it is ridiculous that people have essentially been trained to trust that little lock icon in the browser, no matter how naive that is, and how untrustworthy it is. >Now, on to "stealing" their domain name. All of a sudden, Amazon is >getting no traffic. Think they won't notice? Again, forget Amazon. There *ARE* on-line retailers who don't get any traffic, whose ISP's are so crappy their site is down all the time. Think they would notice? How quickly? What's their response? Call up the ISP and complain, and the ISP says "Hmmm, it's working okay now. Probably just a network outage" >Think it matters since the >HTTP requests you'll be receiving can't be decrypted by you anyway? Assume I've also stolen their Cert and keys and whatever else it takes to steal your credit card number. Yes, there are fewer sites where that's possible, but is it 0? No. Is it growing, as more and more mom-n-pop on-line stores are built on $20/month hosts with crappy Security? Are you telling me you've never walked in to an eCommerce site to find major, huge, gaping holes in their security? Are you telling me those sites don't exist? Actually, assume the other way around -- I've hacked his server, stolen his Certs and private keys, and now... Can I *sometimes* hijack his domain name, for brief periods of time? Say, a few minutes? Just long enough to steal a few CC numbers, and then "blip!" un-steal it? Okay, *I* can't do it, but aren't there a fair number of hackers "out there" that can? Who's gonna notice that? Some orders go missing? The site is mysteriously "down" or "off" the net for a few minutes, or maybe even *less* than a minute. A couple customer complaints. Maybe even a customer swears up and down that we must have "lost" his CC # because it's the only place he used it. *MAYBE* a good company will catch on. I bet against. But let's even assume our site-owner *NOTICES* his stolen domain name, and maybe even knows he got hacked and the Certs and keys all got stolen. Let's even give them the benefit of the doubt and assume they reported the hack within, oh 24 hours, to their C&A and they get a shiny new Certificate. I, Richard Lynch, do *NOT* trust the C&A Signers (Microsoft, et al) to correctly respond to a security problem. I know that's shocking, that somebody on this planet doesn't trust Microsoft to respond to security matters in a timely fashion, but there it is. Therefore, it is a foregone conclusion, that I simply have no more faith in that little locked icon than in an unlocked icon where it complains about an unsigned cert. There are *equally* untrusted to me. Call me paranoid. >>If I *really* trust the person who owns a domain name, they are going to >>take care of any hijack/theft just as quickly with an unsigned cert as they >>are with a signed cert. I don't trust the C&A people to facilitate that >>process any faster or better than somebody I actually *DO* trust in the >>first place -- The person I personally know who owns that domain name who is >>going to make damn sure they catch and rectify any hijacking with or without >>a signed Cert as fast as possible. I trust that person because I know them, >>not the C&A people I don't know personally, and who have *PROVEN* themselves >>untrustworthy. I trust people, not corporations, not technology, and >>*CERTAINLY* not the C&A Signers. >> > >This is the other major misunderstanding. How is your friend supposed to >"take care of any hijack/theft" exactly? If someone "hijacks" all of his >traffic, sure, he might notice a lack of traffic. However, what if only >a small audience is targetted? A few people mistakenly go to the wrong >www.friend.org site and do business. If there was no SSL warning letting >them know that something was wrong, they would happily do business. If there was no SSL warning, they *STILL* don't know it's right. And, in contrast, how do the C&A Signed Certs take care of it? Yes, I know the answer. Yes, I understand how it is *SUPPOSED* to work. No, I won't spend three paragraphs explaining it to prove it to you -- which you seem to require for everything. I don't trust in that system working. I don't trust Microsoft to get the right Cert when they revoke it. I don't trust them to revoke anything at all. I don't trust them period. If I don't trust them, *WHY* *WHY* *WHY* do you think I should trust their little signing-scheme. Just pretend I actually understood it, which I do, but you refuse to believe -- If I don't trust the signers of the signature, why trust the signature? >Your friend may be the best Web surfer in the world, but I doubt he can >keep up with every Web site on the Web at all times to make sure that no >one else is impersonating him. He has to rely on the technology, and >that technology is SSL. *NOBODY* can be 100% certain that *RIGHT* *NOW* even Amazon.com hasn't been hacked *SOOOO* badly that they're being impersonated, complete with Certs, keys, and their entire database of stored credit card numbers on that second computer with only a land-line in a "secure" room hasn't been physically stolen. Might be "Mission Impossible" for that last bit, but you don't *know* it. And you for sure don't know that joesbotique.com hasn't been stolen -- That's a no-brainer. >That's all for me. I'm going to start charging you for more information >about SSL. :) When you tell me something about SSL and HTTPS that I don't know, I'll pay. Meanwhile, just because I don't spend 50 pages explaining how it works in glorious detail, don't assume I *don't* know how it works. I know how it's supposed to work. I don't trust it will really be done right. >I still strongly suggest you read a book. I even suggested >a single 50 page chapter that will probably clarify everything for you. >You seem to think you have a grasp about what is going on, but I can >assure you that you don't. You have not said a single thing that is "new" to me. I've already *READ* that chapter, and many others. You are still assuming I don't know things that I do know. Maybe I even know more than you (Not likely). I know enough to know this: I do not trust the C&A Signers. Therefore, I do not trust the system which allegedly makes that little icon more secure for a signed Cert. They are equally untrusted. >I don't know how much clearer I can get. I've got other work to do. Same here. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
