[cryptography] After the dust settles -- what happens next? (v. Long)

Paul Hoffman paul.hoffman at vpnc.org
Mon Sep 12 00:24:31 EDT 2011

On Sep 11, 2011, at 6:40 PM, Marsh Ray wrote:

> On 09/11/2011 07:26 PM, Paul Hoffman wrote:
>> Some of us observe a third, more likely
>> approach: nothing significant happens due to this event. The
>> "collapse of faith" is only among the security folks whose faith was
>> never there in the first place. A week after the event, who was
>> talking about it other than folks on these lists and lists like
>> them?
> The 300,00+ Iranians who were actively attacked and now have to change their password and are wondering if they'd said anything in Gmail to get them arrested and interrogated.

Do you have any evidence that improving crypto is being talked about by those affected in Iran? I haven't seen it yet.

> The unknown numbers of Chinese (and people in other countries) who were hoping a US product like Gmail could provide a censorship-free email service.

Same question. However, I have first-hand evidence that people in China are not talking about that, but instead are talking about how to make *Chinese* services work outside of government censorship. And those people aren't talking about PKIX.

> The Dutch IT people who have to replace the ~58,000 certs issued by DigiNotar PKIoverheid CA.
>> http://www.techworld.com.au/article/400068/dutch_government_struggles_deal_diginotar_hack/

Look what you just wrote. Those folks aren't looking for us to fix PKIX: they are looking for different CAs. That's not a "collapse of faith", just a desire for a quick fix.

> The management at Google who are likely scared as hell that the webmasters and security auditors of the 50% of major sites that source Javascript from https://google-analytics.com/ will realize that they would have been pwned too (and possibly been obligated to report it) had the attacker issued a cert for that.

Could be, but neither you nor I work at Google so that's pure speculation. (There are likely some Googlers on this list who can speak authoritatively on whether their management are "scared as hell" or even noticing.)

> Who else thinks he probably will next time?
> The people responsible for security at Amazon, PayPal, every other big retailer and the financial services companies that handle high-value accounts.

Again: where is your evidence that they (other than Andy) care enough? I have seen zero in the serious business press (Forbes, BusWeek, etc.) after the first few days. If there was much interest on the part of their readers (as in "every other big retailer and the financial services companies"), they would likely be milking it, but they are not.

> The governments and government contractors who depend on SSL VPNs with an in-band second factor of auth (like hardware token codes) to secure their remote access.

I have first-hand evidence that they are not discussing the topic.

> The attacker himself: https://twitter.com/#!/ichsunx2

Why do you think he's not on this list? :-)

> The people who've generated the 367,772 views (so far) of Comodohacker's Pastebin texts:
> http://pastebin.com/u/ComodoHacker

Pageviews != concern.

> Slashdot and their bazillion subscribers are still talking about it as of yesterday:
> http://it.slashdot.org/story/11/09/10/2129239/GlobalSign-Web-Server-Hacked-But-Not-CA

Yes, true.

> Who isn't talking about it really?

See above. Many of the people who you and I *want* to be concerned are not as concerned as you say.

> The full damage is not even out yet. This thing is just getting started.

If there is more significant damage in the future, of course people will talk about it more. But that's just guessing about the future.

> Despite rumors to the contrary, there are, in fact, a great many influential people who do give a shit about the actual effective security delivered by SSL/TLS (beyond its ability to add an air of confidence to consumers' $50-liability-limit credit card transactions).

Slashdot commenters are, by and large, not "influential people". Please show evidence of the other groups you list above.

> This time is not like the previous "SSL is broken again ho hum" bugs.

True. The fact that Mozilla is doing a review that might cause them to delist the worst CAs is more than we have seen in the past. However, if they delist only a few, the result will be that people will think that the rest of the CAs are just fine. If they delist a significant proportion, *that* will cause more discussion and concern among the non-security-geek populace than the current news because it will hit businesspeople in their pocketbooks.

--Paul Hoffman
