Re: Code makers and breakers of WWII era

2008-06-05 Thread Ali, Saqib
Actually the correct URL is:
http://www.sscnet.ucla.edu/geog/gessler/collections/cryptology.htm

On Wed, Jun 4, 2008 at 1:59 PM, Ali, Saqib [EMAIL PROTECTED] wrote:
> Here is another site that has a lot more details and photographs:
> http://www.sscnet.ucla.edu/geog/gessler/collections/crypto-hebern.htm
>
> saqib
> http://doctrina.wordpress.com/


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: the joy of enhanced certs

2008-06-05 Thread Leichter, Jerry
On Wed, 4 Jun 2008, Perry E. Metzger wrote:
| As some of you know, one can now buy Enhanced Security certificates,
| and Firefox and other browsers will show the URL box at the top with a
| special distinctive color when such a cert is in use.
| 
| Many of us have long contended that such things are worthless and
| prove only that you can pay more money, not that you're somehow more
| trustworthy.
| 
| An object lesson in this just fell in my lap -- I just got my first
| email from a spammer that links to a web site that uses such a cert,
| certified by a CA I've never heard of (Starfield Technologies, Inc.)
| Doubtless they sell discount Enhanced Security certs so you don't
| have to worry about paying more money either. I haven't checked the
| website for drive by malware, but I wouldn't be shocked if it was
| there.
| 
| I'm thinking of starting a CA that sells super duper enhanced
| security certs, where we make the company being certified sign a
| document in which they promise that they're absolutely trustworthy.
| To be really sure, we'll make them fax said document in on genuine
| company letterhead, since no one can forge letterhead.
This message, shortly after our discussion of trust, makes me think of
the applicability of an aspect of linguistic theory, namely speech acts.
Speech acts are expressions that go beyond simple communication to
actually produce real-world effects.  The classic example:  If I say
"John and Sarah are married", that's a bit of communication; I've passed
along to listeners my belief in the state of the world.  When a
minister, in the right circumstances, says "John and Sarah are married",
those words actually create the reality:  They *are* now married.

There are many more subtle examples.  A standard example is that of
a promise:  To be effective as a speech act, the promise must be
made in a way that makes it clear that the promiser is undertaking
some obligation, and the promiser must indeed take on that obligation.
There's a whole cultural context involved here in what is needed for
an obligation to exist and what it actually means to be obligated.
(Ultimately, the theory gets pushed to the point where it breaks;
but we don't have to go that far.)

In human-to-human communication, we naturally understand and apply the
distinction between speech acts and purely communicative speech.  It's
not that we can't be fooled - a person who speaks with authority is
often taken to have it, which may allow him to create speech acts he
should not be able to - but this is relatively rare.

When exchanging data with a machine, the line between communication and
speech acts gets very blurry.  (You can think of this as the blurry line
between data and program.)  When I go into a store and ask for
information, I see myself and the salesman as engaging in pure
communication.  There are definite, well-understood ways - socially and
even legally defined steps - that identify when I've crossed over into
speech acts and have, for example, taken on an obligation to pay for
something.  When, on the other hand, I look at a Web site, things are
not at all clear.  From my point of view, the data coming to my screen
is purely communication to me.  From the computer's point of view, the
HTML is all speech acts, causing the computer to take some actions.
My clicks are all speech acts to the server.  Problems arise when what
I see as pure communication is somehow transformed, without my consent
or even knowledge, into speech acts that implicate *me*, rather than my
computer.  This happens all too easily, exactly because the boundary
between me and my computer is so permeable, in a Web world.

Receiving an SSL cert, in the proper context (corresponds to the URL
I typed, signed by a trusted CA), is supposed to be a speech act to
me as a human being:  It's supposed to cause me to believe that I've
reached the site I meant to reach.  (My machine, of course, doesn't
care - it has no beliefs and has nothing at risk.)  The reason the model
is so appealing is that it maps to normal human discourse.  If my friend
tells me "I'll bring dinner", I don't cook something while waiting for
him to arrive.

Unfortunately, as we've discussed here many times, the analogy is
deeply, fundamentally flawed.  SSL certs don't really work like trusted
referrals from friends, and the very familiarity of the transactions is
what makes them so dangerous:  It makes it too easy for us to treat
something as a speech act when we really shouldn't.

Enhanced security certs simply follow the same line of reasoning.  They
will ultimately prove just as hazardous.

Going back to promises as speech acts:  When a politician promises to
improve the economy, we've all come to recognize that, although that's
in the *form* of a promise, it doesn't actually create any obligation.
Improving the economy isn't something anyone can actually do - even if
we could agree on what it means.  Such a promise is simply a way of
saying I think the economy should be 

Re: the joy of enhanced certs

2008-06-05 Thread Chris Kuethe
On Wed, Jun 4, 2008 at 12:51 PM, Perry E. Metzger [EMAIL PROTECTED] wrote:
> An object lesson in this just fell in my lap -- I just got my first
> email from a spammer that links to a web site that uses such a cert,
> certified by a CA I've never heard of (Starfield Technologies, Inc.)

starfield = godaddy.

see https://www.godaddy.com/gdshop/ssl/ssl.asp?app_hdr=ci=12421 and
click on the fluffy little webtrust icons to get the reports.
https://cert.webtrust.org/ViewSeal?id=355

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: the joy of enhanced certs

2008-06-05 Thread Stefan Kelm
There's a nice short paper by Swiss Company keyon entitled
Faking EV SSL in IE7:

http://www.keyon.ch/de/News/Faking%20Extended%20Validation%20SSL%20Certificates%20in%20Internet%20Explorer%207%20V1.1b.pdf

Cheers,

Stefan.

-
Security Awareness Symposium 17.-18.06.2008 KA/Ettlingen
http://www.security-awareness-symposium.de/
-
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox



Re: Code makers and breakers of WWII era

2008-06-05 Thread Ali, Saqib
Here is another site that has a lot more details and photographs:
http://www.sscnet.ucla.edu/geog/gessler/collections/crypto-hebern.htm

saqib
http://doctrina.wordpress.com/



Re: the joy of enhanced certs

2008-06-05 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes:

> An object lesson in this just fell in my lap -- I just got my first email
> from a spammer that links to a web site that uses such a cert, certified by a
> CA I've never heard of (Starfield Technologies, Inc.) Doubtless they sell
> discount Enhanced Security certs so you don't have to worry about paying
> more money either. I haven't checked the website for drive by malware, but I
> wouldn't be shocked if it was there.

There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics.  They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters.  In
other words the attack stats show that the effect of EV certs was exactly as
expected.

(Hat tip to an APWG member who made this point during a conference talk
recently).

> I'm thinking of starting a CA that sells super duper enhanced security
> certs

So you could have EV certs, EEV certs, EEEV certs, V certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...] moo' trick.  Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^n-1)V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs.  The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.

Peeeter.

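The thread above treats the EV indicator as something a CA sells rather than something a browser verifies. The following added example (not code from the list, from any CA, or from any browser vendor) shows what the marker actually is: an ordinary policy OID inside the certificatePolicies extension (OID 2.5.29.32), which the browser pairs with a table of (trust anchor, EV policy OID) entries it ships. Nothing cryptographic distinguishes an EV certificate from a DV certificate issued under the same root; only the table does. The OIDs, root names and table are constructed placeholders, not any vendor's real values, and the DER encoder/decoder is written out so the example runs with the standard library alone.

```python
# Added example, not from the cryptography list, any CA or any browser.
# Parses a certificatePolicies extension value and applies the browser-side
# EV decision.  OIDs, root names and EV_TABLE are constructed placeholders.

SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (content octets only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        # base-128 groups, most significant first, high bit set on all but the last
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; rejects truncated or padded (non-minimal) arcs."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    arcs, value = [], 0
    for b in body:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = f"{first // 40}.{first % 40}" if first < 80 else f"2.{first - 80}"
    return head + "".join(f".{a}" for a in arcs[1:])


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag and shortest-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("bad length octets")
        n = int.from_bytes(buf[pos:pos + k], "big")
        if n < 0x80 or buf[pos] == 0:  # DER demands the shortest length form
            raise ValueError("non-minimal length")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated body")
    return tag, buf[pos:pos + n], pos + n


def build_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }"""
    return tlv(SEQUENCE, b"".join(
        tlv(SEQUENCE, tlv(OBJECT_IDENTIFIER, encode_oid(o))) for o in oids))


def parse_certificate_policies(der: bytes) -> list:
    """Return the policy OIDs of a certificatePolicies value; qualifiers are ignored."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)
        if tag != OBJECT_IDENTIFIER:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


# Constructed browser-side table: only these (trust anchor, policy OID) pairs
# light the EV indicator.  The certificate asserts the OID; the pairing decides.
EV_TABLE = {("Example Root CA", "1.3.6.1.4.1.99999.1.1")}


def is_ev(trust_anchor: str, policy_oids, table=EV_TABLE) -> bool:
    """The entire EV decision once the chain has validated to trust_anchor."""
    return any((trust_anchor, oid) in table for oid in policy_oids)


if __name__ == "__main__":
    ext = build_certificate_policies(["1.3.6.1.4.1.99999.1.1"])
    print(ext.hex(), parse_certificate_policies(ext))
    print(is_ev("Example Root CA", parse_certificate_policies(ext)))  # True
    print(is_ev("Some Other Root", parse_certificate_policies(ext)))  # False: same cert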


ADMIN: quick note about the list

2008-06-05 Thread Perry E. Metzger

A quick note from your moderator:

A few people have asked about this recently so I thought I'd explain.

The list server blocks posts from people who are not list subscribers.
This is done at the incoming SMTP server, during the SMTP dialog,
based on envelope sender.

I do things this way because the list gets about one spam attempt
every two minutes (though on bad days it can be much more). Many of
those would be blocked by other means, but a few hundred a day
would still get through. I could not possibly process this many
postings by hand.

Every once in a while, someone asks "do you have a way to let me post
from an email address that is not subscribed", and the answer is yes,
I do. The code that checks who is allowed to send to the list checks
both the normal subscribers and a special post only list. If it is
important for you to be able to post from an address you are not
subscribed on, contact me privately and appropriate arrangements will
be made.


Perry

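The moderator's note describes a gate applied during the SMTP dialog, keyed on the envelope sender and consulting both the subscriber list and a separate post-only list. The following added example (not the list server's code) shows that check as it would sit behind the MAIL FROM command: the rejection is a permanent 5xx so the sender does not retry, the message is refused before any body is transferred, and the address is canonicalised so that a differently-cased domain still matches. Addresses and lists are constructed for the example.

```python
# Added example, not the cryptography list server's code.  Envelope-sender
# gate evaluated at MAIL FROM time.  Lists and addresses are constructed.

SUBSCRIBERS = {"alice@example.org", "bob@example.net"}
POST_ONLY = {"bob-work@example.com"}  # may post, receives no list mail


def normalize(addr: str) -> str:
    """Canonical form of an envelope address: strip <>, lower-case the domain.
    The local part is kept as given (RFC 5321 treats it as case-sensitive);
    lower-case it too if the subscriber lists are kept that way."""
    a = addr.strip()
    if a.startswith("<") and a.endswith(">"):
        a = a[1:-1]
    if "@" not in a:
        raise ValueError("no domain in " + addr)
    local, _, domain = a.rpartition("@")
    return f"{local}@{domain.lower()}"


def may_post(envelope_sender: str,
             subscribers=SUBSCRIBERS, post_only=POST_ONLY) -> bool:
    """True if the envelope sender appears on either list.
    The null sender <> used by bounces is never allowed to post."""
    if envelope_sender.strip() in ("", "<>"):
        return False
    try:
        canon = normalize(envelope_sender)
    except ValueError:
        return False
    return canon in subscribers or canon in post_only


def smtp_mail_from(line: str) -> str:
    """Reply to one 'MAIL FROM:<...>' command.  Rejecting here, before RCPT
    and DATA, means the body is never transferred; 550 is permanent, so a
    well-behaved client will not queue and retry the way it would for 4xx."""
    if not line.upper().startswith("MAIL FROM:"):
        return "500 5.5.1 expected MAIL FROM"
    sender = line[len("MAIL FROM:"):].strip()
    sender = sender.split(" ", 1)[0]  # drop ESMTP parameters such as SIZE=
    if may_post(sender):
        return "250 2.1.0 OK"
    return "550 5.7.1 posting is restricted to subscribers"


if __name__ == "__main__":
    for cmd in ("MAIL FROM:<alice@EXAMPLE.ORG>",
                "MAIL FROM:<bob-work@example.com> SIZE=2048",
                "MAIL FROM:<mallory@example.com>",
                "MAIL FROM:<>"):
        print(cmd, "->", smtp_mail_from(cmd))
```

The envelope sender is whatever the connecting client chooses to say, so this is volume control, not authentication: anyone who learns a subscriber's address can forge it, and the moderation step the note describes remains the actual gate. If the list's domain policy allows it, an SPF check on the MAIL FROM domain at the same point in the dialog raises the cost of such forgery without changing the structure above.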