[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

Ian G iang at iang.org
Sat Sep 10 09:28:26 EDT 2011


Hi Adam,

On 10/09/2011, at 20:16, Adam Back <adam at cypherspace.org> wrote:

> So I hear CA pinning mentioned a bit as a probable way forward, but I didnt
> see anyone define it on this list,

Adam described it in this list. The specific mechanism is less important than what it achieves: the browser knows that the website is constrained to use the certs of only one CA.

The rest is implementation detail.

> so from web search what I can find is
> that certificate holder can define the CAs that are allowed to issue certs
> for its domain.

Where the info comes from is less relevant. Yes, the subscriber could it. So could the user (TrustBar, Petnames) or the vendor (google).

> But what about Bob - he first goes to example.com, there is some form of
> tcp hijack/DNS poison/ARP poison etc depending on the context and he first
> sees example.com issued by diginotar.  Worse the diginotar hacker can pin
> the example.com to diginotar, which might take some shaking.

Right, but this is a far smaller use case than the first one you mentioned. We're on risk management territory, not cryptoland; solve for the greater benefit.

> And just while I am here there was a paper that proposed a firefox plugin
> that would cache certs and warn if one changed unexpectedly.  Savy users
> would then notice the warning before clicking through, and post the evidence
> on relevant security lists.  ...

There were several. TrustBar and Petnames were the two I tried out, they did the job well, but in different ways. They both would have spotted the DigiNotar case.

They were both teatbeds, really. The idea was to develop the ideas and details, then migrate them onto the browser. I'd expect their ideas to be incorporated into google's designs for the future.

There were also others, indeed, there are clear lines of influence through to today's proposals.


> ....  the banks would be keen to
> close the window [of splicing] but apparently they barely care!

They don't care, and nor should they. They should care about what loses them money, not what geeks lose sleep over.

The thing is, the security model is aligned to the sophistication of the threats, not to their likelihood, risk, costs, etc. Phishing is routine but gets little attention. Splicing is relatively harder to conduct in the wild in a successful hoist, but gets massive and fascinating attention from PKIX community. Certificate-based MITM is somewhere in between, hence the current interest, the exploit, and the collapse of at least one CA.

Iang


More information about the cryptography mailing list