[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jan 6 08:15:20 EST 2013


Ben Laurie <ben at links.org> writes:
>On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> In the light of yet another in an apparently neverending string of CA
>> failures, how long are browser vendors going to keep perpetuating this PKI
>> farce? [0].  Not only is there no recorded instance, anytime, anywhere, of a
>> browser certificate warning actually protecting users from harm [1],
>
>This is patently incorrect: Diginotar were caught by a browser warning.

Well, we think that at least one user was.  We definitely know that 300,000
others weren't.  That's hardly a triumph of browser PKI.

Let's look at the figures in more detail.  There are around a billion users of
the Internet.  Let's say that they go to two SSL-enabled sites a day, probably
a lower bound but it's just a back-of-the-envelope thing.  That's two billion
uses of browser PKI a day, let's call it roughly a trillion a year.  SSL has
been around in significant volume for, say, about 15 years, so that's 15
trillion uses.  The number of people who reported being warned about the
Diginotar cert was, say, a dozen or so, and of that we don't know how many
ignored the warning and clicked through anyway, as they've been conditioned to
do.  There are figures from an earlier invalid-cert case in which exactly one
user out of 300 was turned back by the warning, but let's be generous and say
it was two users who were turned away.  So out of 15 trillion uses of browser
PKI, two worked to protect users.  In other words it has an effectiveness rate
of one in seven trillion.

That pretty much makes browser PKI the homeopathy of security.

>Certificate Transparency is a real security measure that is a response by a
>browser vendor.

So the response to the repeated failure of browser PKI is PKI-me-harder.  
Yeah, that's really going to make users safer.

Peter.


