[cryptography] PKI - and the threat model is ...?

Marsh Ray marsh at extendedsubset.com
Mon Sep 12 20:09:10 EDT 2011

On 09/12/2011 02:50 PM, Ian G wrote:
> On 13/09/2011, at 5:12, Marsh Ray <marsh at extendedsubset.com> wrote:
>> It never was, and yet, it is asked to do that routinely today.
>> This is where threat modeling falls flat.
>> The more generally useful a communications facility that you
>> develop, the less knowledge and control the engineer has about the
>> conditions under which it will be used.
>> SSL/TLS is very general and very useful. We can place very little
>> restriction on how it is deployed.
> To be fair, I think this part has been done very well by the
> designers.  I get the feeling that the original designers really
> didn't understand anything at the business and architecture side,

What I hear from the old-timers is that Netscape did, in fact, design it 
with the explicit goal of getting people to feel comfortable about using 
their CC#s online. It was certainly marketed that way, on television even.

On the other hand, give an engineer that requirement and you're likely 
to end up with a low level toolbox.

> so
> backed off and decided to secure a low level toolbox as best as
> possible. In this case TCP.
> I guess we've all been there, I know I have.
> If they had then said SSL (inc. PKI) secures TCP against a broad
> range of attacks, then all would have been consistent.

What part of "Secure Sockets Layer" is ambiguous?

Especially back in the 90's - active attacks and MitM were not always 
taken seriously in the threat model. Perhaps similar to how car 
manufacturers seem to regard the threat of targeted RF attacks via 
Bluetooth today.

For example, this Schneier-Mudge-Wagner paper from 1999 
completely ignores the active attack which allows authentication 
forwarding. I ran down Mudge at a conference and asked him about it, he 
said "yeah, we just weren't considering it".

SSL was developed several years before that. I doubt its designers had a 
good idea what the PKI it would be hung from would look like.

Even today we hear knowledgeable people still saying "MitM is so hard 
that the attacker will probably just do X instead".

> But, as soon as we get to business, these claims lose foundation.
> Can it be used to secure credit cards? Websites? Love-chat?
> Dissident planning?
> The answer is ... Dunno!  Seriously, we have no clue.

Well we know what it's not good for (in its current form).

This attack data has got to be dynamite for the Bayesian risk analysts 
in the industry.

- Marsh
