Re: [cryptography] Nirvana
> And further, you should have a client app on your computer for dealing with shared secrets, which is only capable of attempting a visa payment with an entity trusted by Visa.

On 2011-09-24 4:06 AM, John Levine wrote:
> I don't see how to do that in a useful way without non-programmable hardware. We've seen PC-based malware do pretty much any MITM attack you can imagine.

Most PC malware succeeds in controlling an application [0]. These days, more OS support attention is going into stopping a breached app from allowing a hop. This is Android's sandboxing for example.

Hence, the current advice for phishing is use another browser, as an analogous situation. So, people use Firefox for their general work, and reserve Safari for online banking, only [1].

I have actually succeeded in teaching this to my mother, who at 70 or so is quite incapable of dealing with computers at any geek level, but she does follow a script written out on 4 pages to review her bank account. What's more, she has succeeded in teaching the grandchildren that they can use her laptop but they are banned from using Safari.

On 24/09/11 11:45 AM, James A. Donald wrote:
> Most computers are not controlled by malware, and the malware argument is as much an argument against existing ssl/https/pki as it is against any alternative to ssl/https/pki

Right, exactly! It's pretty easy to counter any argument by throwing in some theoretical grenade.

But wait, all trusted hardware is controlled by the state who perverts the chip makers

But wait, China manufactures all the chips now, so our state is perverted by their state... but wait...

Experimentation cuts this Gordian Knot. In this sense, the google CA pinning hack is just what the doctor ordered. That technique was obviously easily destroyed in argumentation by any number of theoretical grenades. But, code rebuilds what committees destroy.

Which points to a further problem. As the lifecycle of a crypto system matures, the security apparatus takes on a less fluid form. In the extreme, as all security decisions require approval from external committees [2], the security model becomes concrete, allowing attackers to easily walk around it, on top of it, or through it where the door was nicely left.

The way to understand why this doesn't work is to look up OODA loops. The consequences of this will destroy a number of myths about security and the Internet...

iang

[0] Dealing with phishing is all about risks, not about theoretical binary security thinking. For the most part that's because the vendors have really not dealt with it, so the users have increased risks, and have had to learn to deal with it using ad hoc methods.

[1] Or, IE, v.v. I've taken to using Chrome a lot lately but only for a specific purpose. It's great for gmail, but horribly sugary for news.google.com. I don't know how anyone can put up with that sort of casino look.

[3] The specific construction in concrete here is that browser vendors look to PKIX for security guidance, and the latter focus on arcane bugs in SSL which have never been exploited in the wild, but really tease the cryptominds in the committees. So, the blind leading the blind.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Nirvana
On Fri, Sep 23, 2011 at 1:46 AM, James A. Donald jam...@echeque.com wrote:
> On 2011-09-23 8:33 AM, Nico Williams wrote:
>> In your view then, is the alternative at all a public key based crypto system? If yes, is it SSH (or SSH-like) trust on first contact or something else?
>
> In order to shop, one needs a third party mediating transactions *THEY* should issue certificates. The Visa certificate should signify This merchant is trusted by Visa to accept Visa.
>
> And further, you should have a client app on your computer for dealing with shared secrets, which is only capable of attempting a visa payment with an entity trusted by Visa.

Wasn't that what SET did?
Re: [cryptography] Nirvana
On 23/09/11 08:33 AM, Nico Williams wrote:
> On Sun, Sep 18, 2011 at 11:22 AM, M.R. makro...@gmail.com wrote:
>> In your view then, is the alternative at all a public key based crypto system? If yes, is it SSH (or SSH-like) trust on first contact or something else?
>
> It could vary. For low-security applications, like blog comments, yes, leap-of-faith will do. For a medium-security application, like shopping (where systems like credit card fraud protection render the risk to the user low), security bootstrapped from leap-of-faith + trust-building or trusted third parties will probably do.

I would go TOFU -- trust-on-first-use -- here alone, but replaceable by certs signed by other parties, in a compatible fashion.

I don't understand the leap-of-faith metaphor. It seems to me that trusting a CA is a leap of faith given that we have to trust all of them, and we know next to nothing about them. Bad risk analysis there, because we've outsourced it to unknown parties, via other unknown parties. Whereas when we are doing the TOFU mechanism, we can incorporate all of our local knowledge and decide whether there is any risk in dealing with this merchant. Good risk analysis.

> For high-security applications (like banking) you'll generally want to bootstrap security via something else, either an off-line interaction, or a trusted third party that can authenticate relatively few peers to you (and thus is probably more trustworthy w.r.t. verification of your peer's credentials).

There is another level of security above that which I guess we'll have to call ultra-security [0]. This is for real time transactions (payment systems or trading) and/or high values, and/or natsec things. In ultra-sec, we'd download a client securely from the supplier, and put it on to a single purpose machine.

iang

[0] Which I call high security. Banking I generally call medium security ... anything using web browsers isn't really serious IMHO.
Re: [cryptography] Nirvana
Ben Laurie b...@links.org writes:
> Wasn't that what SET did?

No. Or at least buried way, way down in a hidden corner there was something that was a bit like that, sort of like painting one of the toenails on an elephant, but the vast mass of the rest overwhelmed that one bit.

Peter.
Re: [cryptography] Nirvana
> And further, you should have a client app on your computer for dealing with shared secrets, which is only capable of attempting a visa payment with an entity trusted by Visa.

I don't see how to do that in a useful way without non-programmable hardware. We've seen PC-based malware do pretty much any MITM attack you can imagine.

R's,
John

PS: I was impressed by the malware that redrew images in which the bank had put a text representation of the transaction to be approved.
Re: [cryptography] Nirvana
> And further, you should have a client app on your computer for dealing with shared secrets, which is only capable of attempting a visa payment with an entity trusted by Visa.

On 2011-09-24 4:06 AM, John Levine wrote:
> I don't see how to do that in a useful way without non-programmable hardware. We've seen PC-based malware do pretty much any MITM attack you can imagine.

Most computers are not controlled by malware, and the malware argument is as much an argument against existing ssl/https/pki as it is against any alternative to ssl/https/pki
Re: [cryptography] Nirvana
> Also, what if we had real cryptographic money, with anonymity? In other words: the payments system cannot be the trusted third party for everything.

On 2011-09-24 4:08 AM, John Levine wrote:
> Then malware would steal the crypto wallets. See Bitcoin.

Yet Bitcoin, nonetheless, works.
Re: [cryptography] Nirvana
On Sun, Sep 18, 2011 at 11:22 AM, M.R. makro...@gmail.com wrote:
> On 18/09/11 10:31, Ian G wrote:
>>> On the other hand, a perfectly adequate low-level retail transaction security system can best be achieved by using a trusted-third-party, SSL-like system.
>>
>> That's a marketing claim. Best ignored in any scientific discussion.
>
> Yes, I agree, let's ignore it!
>
> In your view then, is the alternative at all a public key based crypto system? If yes, is it SSH (or SSH-like) trust on first contact or something else?

It could vary. For low-security applications, like blog comments, yes, leap-of-faith will do. For a medium-security application, like shopping (where systems like credit card fraud protection render the risk to the user low), security bootstrapped from leap-of-faith + trust-building or trusted third parties will probably do. For high-security applications (like banking) you'll generally want to bootstrap security via something else, either an off-line interaction, or a trusted third party that can authenticate relatively few peers to you (and thus is probably more trustworthy w.r.t. verification of your peer's credentials).

Nico
--
Re: [cryptography] Nirvana
On 18/09/11 10:31, Ian G wrote:
>> On the other hand, a perfectly adequate low-level retail transaction security system can best be achieved by using a trusted-third-party, SSL-like system.
>
> That's a marketing claim. Best ignored in any scientific discussion.

Yes, I agree, let's ignore it!

In your view then, is the alternative at all a public key based crypto system? If yes, is it SSH (or SSH-like) trust on first contact or something else?

~I~ have a dream: one nice morning, in a year or two, when we download the new release of our favorite browser, it all of a sudden tells us if the server we are connecting to employs SSL-nouveau (with a series of trusted third parties, and who exactly they are) or SSH-nouveau (trusting the continuation of server's public key in our possession).

In that brave new world, the server operator might even give the client a choice: if there was a previous contact, it is SSH-nouveau, otherwise it is SSL-nouveau.

And the users who are about to order a $34.95 book from Amazon just click through, and those that are about to overthrow, by blood and iron, the oppressive, dictatorial government of Greater Horribilia actually know what the hell is going on, and act with prudence commensurate to their calling...

Absolute nirvana!

Mark R.
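
The client behaviour described in the message above (key continuity when there was a previous contact, named trusted third parties otherwise), as an added example that is not part of the original thread. The `TrustStore` class, the `vouchers` list of already-verified third-party names, the constructed sample keys, and the policy for the "key changed" and "nobody vouches" cases are assumptions of this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """SHA-256 over the server's public key bytes, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()

@dataclass
class TrustStore:
    # host -> fingerprint remembered from the previous contact
    pins: dict = field(default_factory=dict)

    def evaluate(self, host: str, public_key: bytes, vouchers: list) -> dict:
        """Return the mode a client would display for this connection.

        vouchers: names of trusted third parties whose signatures over this
        key already verified (verification itself is assumed done elsewhere).
        """
        seen = fingerprint(public_key)
        pinned = self.pins.get(host)
        if pinned is None:
            if not vouchers:
                # Hypothetical policy: bare leap-of-faith is left to the user.
                return {"mode": "unknown", "accept": False, "vouchers": []}
            self.pins[host] = seen  # remember the key for the next contact
            return {"mode": "SSL-nouveau", "accept": True, "vouchers": list(vouchers)}
        if hmac.compare_digest(pinned, seen):
            return {"mode": "SSH-nouveau", "accept": True, "vouchers": list(vouchers)}
        # Key differs from the one in our possession: surface it even when a
        # third party vouches, and keep the old pin until the user decides.
        return {"mode": "key-changed", "accept": False, "vouchers": list(vouchers)}

# Constructed sample keys (placeholders, not real key material).
SHOP_KEY = b"constructed-public-key-of-shop.example"
OTHER_KEY = b"constructed-public-key-of-someone-else"

def demo() -> list:
    store = TrustStore()
    visits = [
        ("shop.example", SHOP_KEY, ["Example CA"]),   # first contact, vouched
        ("shop.example", SHOP_KEY, []),               # same key as before
        ("shop.example", OTHER_KEY, ["Another CA"]),  # new key, vouched by a CA
        ("blog.example", OTHER_KEY, []),              # first contact, nobody vouches
    ]
    return [store.evaluate(h, k, v)["mode"] for h, k, v in visits]

if __name__ == "__main__":
    print(demo())
```

The third visit is the case that separates the two models: a certificate from any accepted third party would pass a pure SSL-style check, while the remembered key flags the change.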