In the wise words of Charles Miller: > Actually, the SSL vulnerability is a very predictable answer to an old > question. For a while now, one of the big "what ifs" of Internet > security has been "What if one day, the SSL infrastructure is completely > compromised?" The most common hypothetical example of this was the > compromise of a Verisign root signing key.
Right. And along the way we've already experienced the baby version of this (certs that appear to be from Microsoft, but aren't, etc.) and the sky didn't fall in then, either. > Predictions have ranged from the death of e-commerce, to the end of the > world as we know it. Sure, if you take the hard line Cypherpunk position that absolute security is mandatory for e-commerce, that "key escrow" wouldn't do, that 40 bits wasn't enough, etc. Of course what happened is that people realized that, with a modicum of protection offered by SSL, the network transport was no longer the weak link --- the problem becomes the fact that the endpoints aren't totally secure. Given moderately insecure endpoints, the average user just wants to stop the average cracker from skimming the credit-card info. It's assumed that the outstanding cracker will still be able to get the info. SSL, even with some attacks against the certificate chain, is the best example of "good enough" crypto out there. (I tackle this argument from a slightly different angle in my most recent SecurityFocus column, actually. I'm becoming a big fan of "good enough," especially coupled with insurance or an understanding of risk.) > Now, it's not hypothetical any more. Until this is patched and the > majority of users upgrade (in other words, give it two years), anyone > can forge site certificates that seem valid to 90% of Internet users. > The result? The news hasn't reached the "real world" at all. The story > has stayed on news-for-nerds websites and in the technical section of > mainstream press. E-commerce hasn't skipped a beat. That's in part because of the reasoning above, probably, and partly because the average consumer neither understands nor wishes to understand how SSL actually works. Without entering into a long discussion of certificate chains (not suitable for the nightly news, or the front page of USA Today) understanding the importance of the vulnerability is mighty tough. Yesterday a customer wanted to know why he couldn't specify a random (not-previously-created) account name and password and have his e-mail work. You see, his account was too full, he was at a remote site, and he didn't want to download all of his old mail... He's a smart fellow, in his domain of expertise, but he's not going to learn about certificate chains. > Certainly none of our[1] customers, who were so adamant when we were > speccing their web-applications that it _must_ be secured with SSL, have > come screaming to us wondering what to do now anyone can > man-in-the-middle them. SSL with a weakness in certificates is better than plaintext. You can't passively slurp all of the data; you need to be an active snooper for this to work, and be willing to change data. Among other things, this takes substantially more processing power than just slurping packets. It's still good enough. Heck, the PGP signature didn't catch the OpenSSH trojan; the MD5SUM did. Jon Lasser -- Jon Lasser Home: [EMAIL PROTECTED] | Work:[EMAIL PROTECTED] http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
