[cryptography] fyi: The weakest link in the chain: Vulnerabilities in the SSL certificate authority system and what should be done about them

ianG iang at iang.org
Wed Nov 23 04:42:27 EST 2011


On 23/11/11 11:11 AM, Peter Gutmann wrote:
> JeffH<Jeff.Hodges at KingsMountain.com>  writes:
>
>> Of possible interest:
>>
>> The weakest link in the chain: Vulnerabilities in the SSL certificate
>> authority system and what should be done about them
> It's not just NGOs that are seeing that browser PKI is "the weakest link in
> the chain".  I was recently told of someone at a law workshop in which the
> topic of browser PKI and DigiNotar came up.  In their words, "this was a
> roomful of people who couldn't tell you what SSL did, but they'd heard of
> DigiNotar".  That's a level, and type, of exposure that you really don't want
> to get to.

Yeah.  Up until now, PKI / secure browsing was tolerated.  This 
situation can be seen as an expectation or meme or myth in the market 
place, where the belief was stable because there was no dis-confirming 
information.  E.g., no bad news.

Now we have bad news that acts to disconfirm the expectation that secure 
browsing delivers some positive result.  And, the CAs/vendors have no 
good story to tell that would reverse the sense of the bad news.

So a plausible scenario now is that people who otherwise wouldn't care 
("tolerate") and don't otherwise know, will start actively bypassing the 
system.

Another way of putting it is that in the past, people would use SSL 
because secure browsing "is essential" without knowing why.  Now, people 
will avoid it, citing DigiNotar.  Again without knowing why.

This is the problem with a system that doesn't deliver a result that can 
be correlated to its claimed purpose.  C.f. Dan Geer's comment.

http://financialcryptography.com/mt/archives/001255.html

To live in interesting times!

iang



More information about the cryptography mailing list