Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
From: James A. Donald jam...@echeque.com
> Not only is their lower class law abiding, their bankers and bureaucrats, unlike ours are also law abiding. From which it is evident that the death penalty *does* deter, both for institutions and individuals.

Sub-Saharan Africa is in general hotter than Canada. The best runners in the world are African, not Canadian. From which it is evident that higher average temperatures causes faster runners.

Unless there's some other explanation?

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Ian,

Actually, we thought about asking Mozilla directly and in public: how many such CAs are known to them?

I'd have thought that some would have disclosed themselves to Mozilla after the communication of the past few weeks. Your mail makes it seem as if that was not the case, or not to a satisfying degree.

Which makes me support Marsh Ray's one-strike proposal even more strongly: issuing a death sentence to a CA who has disclosed is counter-productive. It will drive the others deeper into hiding. You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.

Ralph

On 02/14/2012 03:31 AM, ianG wrote:
> Hi all,
>
> Kathleen at Mozilla has reported that she is having trouble dealing with Trustwave question because she doesn't know how many other CAs have issued sub-roots that do MITMs. Zero, one, a few or many?
>
> I've sent a private email out to those who might have had some direct exposure. If there are any others that might have some info, feel free to provide evidence to kwil...@mozilla.com or to me if you want it suitably anonymised.
>
> If possible, the name of the CA, and the approximate circumstance. Also how convinced you are that it was a cert issued without the knowledge of the owner. Or any information really...
>
> Obviously we all want to know who and how many ... but right now is not the time to repeat demands for full disclosure. Right now, vendors need to decide whether they are dropping CAs or not.
>
> iang

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Well I am not sure how they can hope to go very far underground. Any and all users on their internal network could easily detect and anonymously report the mitm cert for some public web site without any significant risk of it being tracked back to them. Game over.

So removal of one CA from a major browser like mozilla would pretty much end this practice if it is true that any CAs other than trustwave actually did this...

Adam

On Tue, Feb 14, 2012 at 11:40:06AM +0100, Ralph Holz wrote:
> Ian,
>
> Actually, we thought about asking Mozilla directly and in public: how many such CAs are known to them?
>
> I'd have thought that some would have disclosed themselves to Mozilla after the communication of the past few weeks. Your mail makes it seem as if that was not the case, or not to a satisfying degree.
>
> Which makes me support Marsh Ray's one-strike proposal even more strongly: issuing a death sentence to a CA who has disclosed is counter-productive. It will drive the others deeper into hiding. You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.
>
> Ralph
>
> On 02/14/2012 03:31 AM, ianG wrote:
> > Hi all,
> >
> > Kathleen at Mozilla has reported that she is having trouble dealing with Trustwave question because she doesn't know how many other CAs have issued sub-roots that do MITMs. Zero, one, a few or many?
> >
> > I've sent a private email out to those who might have had some direct exposure. If there are any others that might have some info, feel free to provide evidence to kwil...@mozilla.com or to me if you want it suitably anonymised.
> >
> > If possible, the name of the CA, and the approximate circumstance. Also how convinced you are that it was a cert issued without the knowledge of the owner. Or any information really...
> >
> > Obviously we all want to know who and how many ... but right now is not the time to repeat demands for full disclosure. Right now, vendors need to decide whether they are dropping CAs or not.
> >
> > iang
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> Well I am not sure how they can hope to go very far underground. Any and all users on their internal network could easily detect and anonymously report the mitm cert for some public web site without any significant risk of it being tracked back to them. Game over.
>
> So removal of one CA from a major browser like mozilla would pretty much end this practice if it is true that any CAs other than trustwave actually did this...

If all users used a tool like Crossbear that does automatic reporting, yes. But tools like that are a recent development (and so is Convergence, even though it was predated by Perspectives).

More importantly, however, how capable do you judge users to be? How wide-spread do you expect such tools to become? Most users wouldn't know what to look for in the beginning, and they would much less care.

Following your argument, in fact, we should have a large DB with Mitm certs and incidents already. We don't - but not because CAs would not have issued Mitm certs for Sub-CAs, surely?

No, CAs would try to hide the fact that they have issued certs that are good for Mitm a corporate network. Some big CAs -- too big to fail even, maybe, and what about them? -- have not yet publicly stated that they have never issued such certs. I think giving them a chance at amnesty is a better strategy.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
My point is this - say you are the CEO of a CA. Do you want to bet your entire company on no one ever detecting nor reporting the MITM sub-CA that you issued? I wouldn't do it. All it takes is one savvy or curious guy in a 10,000 person company.

Consequently if there are any other CAs that have done this, they now know mozilla and presumably other browsers are on to them and they need to revoke any mitm sub-CA certs and stop doing it or they risk their CA going bankrupt like with diginotar.

Adam

On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
> If all users used a tool like Crossbear that does automatic reporting, yes. But tools like that are a recent development (and so is Convergence, even though it was predated by Perspectives).
>
> More importantly, however, how capable do you judge users to be? How wide-spread do you expect such tools to become? Most users wouldn't know what to look for in the beginning, and they would much less care.
>
> Following your argument, in fact, we should have a large DB with Mitm certs and incidents already. We don't - but not because CAs would not have issued Mitm certs for Sub-CAs, surely?
>
> No, CAs would try to hide the fact that they have issued certs that are good for Mitm a corporate network. Some big CAs -- too big to fail even, maybe, and what about them? -- have not yet publicly stated that they have never issued such certs. I think giving them a chance at amnesty is a better strategy.
>
> Ralph
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

On 02/14/2012 04:20 PM, Adam Back wrote:
> My point is this - say you are the CEO of a CA. Do you want to bet your entire company on no one ever detecting nor reporting the MITM sub-CA that you issued? I wouldn't do it. All it takes is one savvy or curious guy in a 10,000 person company.
>
> Consequently if there are any other CAs that have done this, they now know mozilla and presumably other browsers are on to them and they need to revoke any mitm sub-CA certs and stop doing it or they risk their CA going bankrupt like with diginotar.

Yes, I got that. I just think it's not how a normal CEO would react if TrustWave had been kicked out *after* confessing what they'd done. If that confession had been met with punishment, CAs would have had only an incentive to hide, but not to make further confessions.

That's why I said I like Marsh's proposal: incentives are now to make up for past mistakes, *and* take precautions they are not repeated. That's a net gain in security for everyone, and that's why I was against kicking out TrustWave.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On 14/02/12 21:40 PM, Ralph Holz wrote:
> Ian,
>
> Actually, we thought about asking Mozilla directly and in public: how many such CAs are known to them?

It appears their thoughts were none. Of course there have been many claims in the past. But the Mozilla CA desk is frequently surrounded by buzzing small black helicopters so it all becomes noise.

> I'd have thought that some would have disclosed themselves to Mozilla after the communication of the past few weeks. Your mail makes it seem as if that was not the case, or not to a satisfying degree.

Sigh. One of the things that went very wrong with Mozilla is that the CAs started private non-disclosable discussions. Of course, this led to a lot of manipulation, and basically we have no idea what things have happened behind the covers. It's now the case that the open forum has very little influence and CAs in private confidential conversations have most or practically all of the influence.

So even if they have disclosed it in the last few weeks, we are likely never to know. Which means that Mozilla's decision will be announced in a vacuum. Nobody will be happy.

> Which makes me support Marsh Ray's one-strike proposal even more strongly: issuing a death sentence to a CA who has disclosed is counter-productive. It will drive the others deeper into hiding. You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.

The only real power Mozilla has is to strike them off the root list. It's only been done when the decision was easy for other reasons.

I agree that this is the most interesting and challenging thing to hit Mozilla in a while. Coz of the whole trust and reliance thing; users put a lot of their trust in Mozilla.

iang

> Ralph
>
> On 02/14/2012 03:31 AM, ianG wrote:
> > Hi all,
> >
> > Kathleen at Mozilla has reported that she is having trouble dealing with Trustwave question because she doesn't know how many other CAs have issued sub-roots that do MITMs. Zero, one, a few or many?
> >
> > I've sent a private email out to those who might have had some direct exposure. If there are any others that might have some info, feel free to provide evidence to kwil...@mozilla.com or to me if you want it suitably anonymised.
> >
> > If possible, the name of the CA, and the approximate circumstance. Also how convinced you are that it was a cert issued without the knowledge of the owner. Or any information really...
> >
> > Obviously we all want to know who and how many ... but right now is not the time to repeat demands for full disclosure. Right now, vendors need to decide whether they are dropping CAs or not.
> >
> > iang
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On Feb 14, 2012, at 7:42 AM, ianG wrote:
> On 14/02/12 21:40 PM, Ralph Holz wrote:
> > Ian,
> >
> > Actually, we thought about asking Mozilla directly and in public: how many such CAs are known to them?
>
> It appears their thoughts were none. Of course there have been many claims in the past. But the Mozilla CA desk is frequently surrounded by buzzing small black helicopters so it all becomes noise.

I've asked about this, too, and the *documented* evidence of this happening is exactly that -- zero.

I believe it happens. People I trust have told me, whispered in my ear, and assured me that someone they know has told them about it, but there's documented evidence of it zero times.

I'd accept a screen shot of a cert display or other things as evidence, myself, despite those being quite forgeable, at this point.

Their thoughts of it being none are reasonably agnostic on it. Those who have evidence need to start sharing.

Jon
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On 2/14/12 9:51 AM, Ralph Holz wrote:
> If all users used a tool like Crossbear that does automatic reporting, yes. But tools like that are a recent development (and so is Convergence, even though it was predated by Perspectives).

Pardon my ignorance. Just tried to Google these, and cannot find them. Could you give links?
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On Feb 14, 2012, at 1:16 23PM, Jon Callas wrote:
> On Feb 14, 2012, at 7:42 AM, ianG wrote:
> > On 14/02/12 21:40 PM, Ralph Holz wrote:
> > > Ian,
> > >
> > > Actually, we thought about asking Mozilla directly and in public: how many such CAs are known to them?
> >
> > It appears their thoughts were none. Of course there have been many claims in the past. But the Mozilla CA desk is frequently surrounded by buzzing small black helicopters so it all becomes noise.
>
> I've asked about this, too, and the *documented* evidence of this happening is exactly that -- zero.
>
> I believe it happens. People I trust have told me, whispered in my ear, and assured me that someone they know has told them about it, but there's documented evidence of it zero times.
>
> I'd accept a screen shot of a cert display or other things as evidence, myself, despite those being quite forgeable, at this point.
>
> Their thoughts of it being none are reasonably agnostic on it. Those who have evidence need to start sharing.

A related question...

Sub-CAs for a single company are obviously not a problem. Thus, if a major CA were to issue WhizzBangWidgets a CA cert capable of issuing certificates for anything in *.WhizzBangWidgets.com, it would be seen as entirely proper. The issue is whether or not that sub-CA can issue certificates for, say, google.com.

The restriction is enforced by the Name Constraints field in the CA's cert. However, this is seldom-enough seen that I have no idea if it's actually usable. So -- do major cert-accepting programs examine and honor this field, and do it correctly? I know that OpenSSL has some code to support it; does it work? What about Firefox's? The certificate-handling code in various versions of Windows? Of MacOS?

--Steve Bellovin, https://www.cs.columbia.edu/~smb
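The restriction Steve describes, as an added example (not code from any of the implementations he asks about): a plain-Python model of the RFC 5280 dNSName name-constraint rule applied down a chain. The `CaCert` class, the sample chains and the conservative treatment of wildcard names against excluded subtrees are assumptions of this sketch; a real verifier reads the constraints from the parsed certificates.

```python
from dataclasses import dataclass, field


@dataclass
class CaCert:
    # Only the fields this check needs; a real verifier reads them from the
    # nameConstraints extension of a parsed X.509 CA certificate.
    subject: str
    permitted_dns: list = field(default_factory=list)  # empty: no permitted list
    excluded_dns: list = field(default_factory=list)


def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower()


def within_subtree(dns_name, constraint):
    """RFC 5280 dNSName rule: the name equals the constraint, or is the
    constraint with whole labels added on the left."""
    name, base = _norm(dns_name), _norm(constraint)
    return name == base or name.endswith("." + base)


def wildcard_can_reach(pattern, constraint):
    """Can some host matched by '*.suffix' fall inside the constraint subtree?
    (Assumption of this sketch: a wildcard stands for exactly one label.)"""
    suffix, base = _norm(pattern)[2:], _norm(constraint)
    if within_subtree(suffix, base):
        return True
    head, _, tail = base.partition(".")
    return head != "" and tail == suffix


def violations(ca_chain, leaf_dns_names):
    """Check every leaf SAN dNSName against every CA above it.

    ca_chain is ordered root first. Returns (name, ca_subject, reason) tuples;
    an empty list means the name constraints allow the leaf.
    """
    found = []
    for name in leaf_dns_names:
        is_wildcard = _norm(name).startswith("*.")
        for ca in ca_chain:
            # Excluded subtrees win: any overlap is a violation.
            for base in ca.excluded_dns:
                hit = (wildcard_can_reach(name, base) if is_wildcard
                       else within_subtree(name, base))
                if hit:
                    found.append((name, ca.subject, "excluded"))
                    break
            # If a permitted list exists, the name must sit inside it.
            if ca.permitted_dns and not any(
                    within_subtree(name, base) for base in ca.permitted_dns):
                found.append((name, ca.subject, "not permitted"))
    return found


# Constructed sample chains (hypothetical CAs, following the thread's scenario).
ROOT = CaCert("Example Public Root")
CONSTRAINED = CaCert("WhizzBangWidgets Sub-CA",
                     permitted_dns=["whizzbangwidgets.com"])
UNCONSTRAINED = CaCert("Unconstrained Sub-CA")
EXCLUDING = CaCert("Excluding Sub-CA", excluded_dns=["google.com"])

if __name__ == "__main__":
    cases = [
        ([ROOT, CONSTRAINED], ["www.whizzbangwidgets.com"]),
        ([ROOT, CONSTRAINED], ["google.com", "evilwhizzbangwidgets.com"]),
        ([ROOT, UNCONSTRAINED], ["google.com"]),  # nothing stops this one
        ([ROOT, EXCLUDING], ["*.com"]),
    ]
    for chain, names in cases:
        print(chain[-1].subject, names, "->", violations(chain, names) or "allowed")
```

The unconstrained chain is the case the thread is about: with no Name Constraints in the sub-CA certificate, nothing in path validation limits which names it can issue for.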
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
> Hi,
>
> > Well I am not sure how they can hope to go very far underground. Any and all users on their internal network could easily detect and anonymously report the mitm cert for some public web site without any significant risk of it being tracked back to them. Game over.
> >
> > So removal of one CA from a major browser like mozilla would pretty much end this practice if it is true that any CAs other than trustwave actually did this...
>
> If all users used a tool like Crossbear that does automatic reporting, yes.

Not really -- and this I think goes to the root of why what was done here is so evil.

It is common practice on many networks in certain industries to deploy SSL MITM devices which terminate, decrypt, examine, and reencrypt all traffic.

However, the usual way to do this is to generate a new CA certificate for the MITM device and load it into all the systems expected to be connected to the network in question as a trusted root.

In this case, the owner of the network has chosen, by policy, to not allow devices to perform SSL unless they trust the network's own CA, and that CA has an effective policy which expressly allows it to facilitate MITM of SSL traffic. I do not find this unreasonable for certain environments, and if users choose to bring their private devices onto those networks, they have to take a positive step to facilitate this examination of their traffic -- they have to install the MITM CA's certificate as a trusted root.

But what Trustwave did is very, very different. They sold a sub-root that seems almost tailor-made to deceive users into thinking that MITM was *not* taking place. After all, if the intent were not to deceive the network's users, the usual solution (where the client node's administrator must accept the MITM device's CA) would have sufficed.

If the intent was not (primarily) to deceive but rather to allow MITM device deployment with less administrative hassle, I can say only these things:

A) It might be easier for me to get petty cash for my legitimate business purposes by mugging people in the street than by filling out corporate paperwork but that does not make it OK to mug people in the street.

B) If we are to believe Trustwave's claims about how they secured and audited the device on which this CA's keys were stored, is it really plausible that this was done for ease of administration, compared to the standard solution?

It is not so hard really to see the conceptual difference between the two cases. But to tools like Crossbear, they basically look the same. Bad, bad, bad.

Thor

P.S. If one really wanted to know what CAs were in the business of selling these, one might try using any leverage one had handy to press the manufacturers of the MITM devices, who very likely know because their support or engineering personnel will have seen it in the field. I can think of some pretty simple ways Mozilla could seek to obtain this information from the device manufacturers, if Mozilla wanted to play hardball.
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> > If all users used a tool like Crossbear that does automatic reporting, yes.
>
> Not really -- and this I think goes to the root of why what was done here is so evil.

[... many correct things omitted, sorry ...]

> It is not so hard really to see the conceptual difference between the two cases. But to tools like Crossbear, they basically look the same.

Why? Crossbear sends the full certificate chain it sees to the CB server, where it is compared with the full chain that the CB server sees (plus a few more servers, too, actually, that it can ask). Convergence, AFAICT, does the same. If you're inside the corporate network, the certificate chain in the SSL handshake cannot be the same, and both systems will detect them.

Where Crossbear goes further is that it will now start requesting traceroutes from participating systems to find out where in the network the Mitm is.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On Tue, Feb 14, 2012 at 09:13:11PM +0100, Ralph Holz wrote:
> > It is not so hard really to see the conceptual difference between the two cases. But to tools like Crossbear, they basically look the same.
>
> Why? Crossbear sends the full certificate chain it sees to the CB server, where it is compared with the full chain that the CB server sees (plus a few more servers, too, actually, that it can ask). Convergence, AFAICT, does the same. If you're inside the corporate network, the certificate chain in the SSL handshake cannot be the same, and both systems will detect them.

In both cases, Crossbear will detect a MITM device, yes? But in one case, the device is authorized to sign for the entities it's signing certificates for, and in the other, it's not.

This does not in any way diminish the usefulness of Crossbear as a tool for detecting MITM devices. But what's interesting about what happens in these two cases is that it's _whether the user is being deceived_ that differs. Crossbear can't know that -- the user has to supply the knowledge of whether there is, in fact, an authorized MITM in place.

And that is precisely what is wrong with what Trustwave did: they tried to make it look like there was no MITM in place instead of an unauthorized one, where in this case authorized means the administrator of the client node positively agreed to have that node's traffic MITMed.

Thor
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> In both cases, Crossbear will detect a MITM device, yes? But in one case, the device is authorized to sign for the entities it's signing certificates for, and in the other, it's not.
>
> This does not in any way diminish the usefulness of Crossbear as a tool for detecting MITM devices. But what's interesting about what happens in these two cases is that it's _whether the user is being deceived_ that differs. Crossbear can't know that -- the user has to supply the knowledge of whether there is, in fact, an authorized MITM in place.

Ah, I see where you're going with this.

Crossbear signals its findings to the client browser, via a separate SSL connection (the CB server cert is hard-coded into the Crossbear client). The assessment comes complete with a view of what others are seeing, including a view we obtain by asking Convergence. The suspicious chain is sent to our database for human analysis.

As Crossbear's assessment is not something everyday users will understand, we ourselves view Crossbear as the tool that, e.g., a travelling security aficionado/hacker/interested person might want to use, but not your average guy. Our goal is to find out how many Mitm actually happen, and how, and where. That's why Crossbear has this second component, the hunting tasks.

BTW: Crossbear's assessment still leaves some potential for false positives: there are plenty of server farms out there that use more than one (valid) chain. If a new but valid one pops up, no system can know it at first. That's where all these notary-based systems get in trouble when they cache (and they have to, at least on the global scale, like Convergence).

> And that is precisely what is wrong with what Trustwave did: they tried to make it look like there was no MITM in place instead of an unauthorized one, where in this case authorized means the administrator of the client node positively agreed to have that node's traffic MITMed.

Yes, fully agreed. But I still think pulling their root would have given the wrong incentive to CAs.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
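The chain comparison discussed in this exchange, modelled as an added example that is not Crossbear's or Convergence's code: the client-observed chain is compared with chains seen from other vantage points, and a differing chain is then sorted by the trust anchor it ends in, which is the distinction Thor draws. Certificates are constructed stand-ins, signatures are not verified, and the `classify` labels and the two root sets are assumptions of the sketch.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # stand-in for the certificate's DER bytes (constructed here)


def fp(cert):
    """SHA-256 fingerprint of the (stand-in) encoding."""
    return hashlib.sha256(cert.der).hexdigest()


def chain_ids(chain):
    return tuple(fp(c) for c in chain)


def links_up(chain):
    """Leaf first: each certificate must name the next one as its issuer.
    A real verifier also checks every signature; this model does not."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))


def classify(client_chain, notary_chains, public_roots, local_roots):
    """Compare the chain the client saw with the chains remote observers saw.

    public_roots: fingerprints of roots shipped in the browser's store.
    local_roots:  fingerprints of roots the client's administrator installed.
    """
    if not client_chain or not links_up(client_chain):
        return "malformed"
    if chain_ids(client_chain) in {chain_ids(c) for c in notary_chains}:
        return "consistent"
    anchor = fp(client_chain[-1])
    if anchor in local_roots:
        # Interception the client's administrator opted into.
        return "differs: locally installed root"
    if anchor in public_roots:
        # Either a valid chain the observers have not seen yet (server farm)
        # or a sub-CA under a public root: needs human analysis.
        return "differs: publicly trusted root"
    return "differs: untrusted anchor"


def mk(subject, issuer):
    return Cert(subject, issuer, f"{subject}|{issuer}".encode())


# Constructed sample data; every name below is hypothetical.
HOST = "www.example.test"
ROOT_A = mk("Public Root A", "Public Root A")
ROOT_B = mk("Public Root B", "Public Root B")
CORP = mk("Corp Proxy CA", "Corp Proxy CA")
ORIGIN = [mk(HOST, "Issuing CA A"), mk("Issuing CA A", "Public Root A"), ROOT_A]
ALTERNATE = [mk(HOST, "Public Root B"), ROOT_B]
PROXY = [mk(HOST, "Corp Proxy CA"), CORP]
SUBROOT = [mk(HOST, "Inspection Sub-CA"),
           mk("Inspection Sub-CA", "Public Root A"), ROOT_A]
PUBLIC_ROOTS = {fp(ROOT_A), fp(ROOT_B)}
LOCAL_ROOTS = {fp(CORP)}

if __name__ == "__main__":
    for label, chain in [("origin", ORIGIN), ("proxy", PROXY),
                         ("sub-root", SUBROOT), ("alternate", ALTERNATE)]:
        print(label, "->", classify(chain, [ORIGIN], PUBLIC_ROOTS, LOCAL_ROOTS))
```

`SUBROOT` and `ALTERNATE` get the same label until an observer has also seen the alternate chain, which is the false-positive case Ralph mentions for notary-based systems.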
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On Tue, Feb 14, 2012 at 09:35:45PM +0100, Ralph Holz wrote:
> As Crossbear's assessment is not something everyday users will understand, we ourselves view Crossbear as the tool that, e.g., a travelling security aficionado/hacker/interested person might want to use, but not your average guy. Our goal is to find out how many Mitm actually happen, and how, and where. That's why Crossbear has this second component, the hunting tasks.

Interesting -- will this work, in the case of authorized MITM of the network the client's on? The second SSL connection will always fail, since the MITM device will MITM it.

Perhaps there should be an option to retrieve results separately and later?

Thor
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> > As Crossbear's assessment is not something everyday users will understand, we ourselves view Crossbear as the tool that, e.g., a travelling security aficionado/hacker/interested person might want to use, but not your average guy. Our goal is to find out how many Mitm actually happen, and how, and where. That's why Crossbear has this second component, the hunting tasks.
>
> Interesting -- will this work, in the case of authorized MITM of the network the client's on? The second SSL connection will always fail, since the MITM device will MITM it.
>
> Perhaps there should be an option to retrieve results separately and later?

Yes, things start to become difficult when the middle-box goes and actively meddles with the messages the client sends to the server. That sure is a dedicated attacker now that is also built to defeat Crossbear.

We have the CB server's cert hard-coded in the client, so we can encrypt to the server and check its signatures, too, and be sure who's talking to the client. If the attacker starts to drop CB server messages, our first reaction is to warn the user that there might be foul play and that he's now unprotected. Unfortunately, there's no way to distinguish deleted messages from network outage or similar faults.

So, yes, we have thought about extending Crossbear to a) store the results and try to send them later (should work for mobile devices) or b) try and switch to other channels. We're not quite sure about the latter as the question is really how much power your attacker has. Use the user's mail client and create a mail, anonymous FTP, WebDAV - OK. Maybe a Tor hidden service for the extreme cases? None of these is built-in so far.

BTW, what we do not address is an attacker sending us many forged chains and/or traces. We don't want clients have to register with our server and obtain an identity. That's a sore point.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On 02/14/2012 02:56 PM, Ralph Holz wrote:
> BTW, what we do not address is an attacker sending us many forged chains and/or traces. We don't want clients have to register with our server and obtain an identity. That's a sore point.

Aren't the certs of interest those that chain to a well-known root? So they could be validated, and those that don't could be efficiently discarded. At that point, the attacker is reduced to effectively doing an SSL DoS on you which is likely to grow old quickly.

- Marsh
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> > BTW, what we do not address is an attacker sending us many forged chains and/or traces. We don't want clients have to register with our server and obtain an identity. That's a sore point.
>
> Aren't the certs of interest those that chain to a well-known root? So they could be validated, and those that don't could be efficiently discarded. At that point, the attacker is reduced to effectively doing an SSL DoS on you which is likely to grow old quickly.

Yes, the certs are the lesser problem. The problem is that hunting tasks can be pulled by anyone from the server and results sent back. This is still not too bad DoS-wise, but it allows to send forged traceroute results.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On 2012-02-14 8:40 PM, Ralph Holz wrote:
> issuing a death sentence to a CA who has disclosed is counter-productive. It will drive the others deeper into hiding. You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.

Singapore has approximately one hundredth to one thousandth the crime rate of western democracies - near zero rapes, and dramatically fewer murders.

Not only is their lower class law abiding, their bankers and bureaucrats, unlike ours are also law abiding.

From which it is evident that the death penalty *does* deter, both for institutions and individuals.

In the lead up to the great financial crisis, the Singaporean government told financial institutions that they should refrain from excessive maturity transformation, that institutions that were broke would not be bailed out, (the death penalty for institutions) and that people who misrepresented their institutions exposure would be punished. (Imprisonment and possibly flogging for people mismanaging financial institutions, or corruptly regulating them)

Guess how Singapore did when the crisis broke.
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi,

> > You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.
>
> Singapore has approximately one hundredth to one thousandth the crime rate of western democracies - near zero rapes, and dramatically fewer murders.
>
> Not only is their lower class law abiding, their bankers and bureaucrats, unlike ours are also law abiding.
>
> From which it is evident that the death penalty *does* deter, both for institutions and individuals.

May I, just for reasons of comparison, have the same numbers for the US, especially the states with a death penalty, and the UK and/or DE?

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
On 2012-02-15 7:57 AM, Ralph Holz wrote:
> > > You know, I can't help but think of the resemblance to the real world death penalty for humans - AFAICT it does not seem to deter criminals.

James A. Donald:
> > Singapore has approximately one hundredth to one thousandth the crime rate of western democracies - near zero rapes, and dramatically fewer murders.
> >
> > Not only is their lower class law abiding, their bankers and bureaucrats, unlike ours are also law abiding.
> >
> > From which it is evident that the death penalty *does* deter, both for institutions and individuals.

Ralph Holz
> May I, just for reasons of comparison, have the same numbers for the US, especially the states with a death penalty, and the UK and/or DE?

Although several US states theoretically have the death penalty pro forma, no US states have the death penalty in actual practice, nor have they had the death penalty to any extent likely to deter anyone throughout most of the twentieth century. Even prisoners that get sick of jail and demand execution are apt to be old men before they get it.

For a valid comparison, need to compare the US today with the US in 1910, or the US today with Singapore today, or Saudi Arabia today, or China today.
Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
If this conversation on the death penalty gets taken offline, take me along for the ride but it just doesn't seem germane to crypto so I'm holding my tongue.

--dan
[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
Hi all,

Kathleen at Mozilla has reported that she is having trouble dealing with Trustwave question because she doesn't know how many other CAs have issued sub-roots that do MITMs. Zero, one, a few or many?

I've sent a private email out to those who might have had some direct exposure. If there are any others that might have some info, feel free to provide evidence to kwil...@mozilla.com or to me if you want it suitably anonymised.

If possible, the name of the CA, and the approximate circumstance. Also how convinced you are that it was a cert issued without the knowledge of the owner. Or any information really...

Obviously we all want to know who and how many ... but right now is not the time to repeat demands for full disclosure. Right now, vendors need to decide whether they are dropping CAs or not.

iang