[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jan 6 18:20:50 EST 2013

Ben Laurie <ben at links.org> writes:

>a) I don't believe your figures,

Well I don't believe in the tooth fairy, but in this case you're going to have
to provide a more convincing rebuttal than "I choose not to believe in this
inconvenient information".

>I suspect you don't understand CT - perhaps you'd care to explain why it is

Because it's a band-aid on a mechanism that doesn't really work in the first
place.  The solution to the inability of PKI to protect users isn't to
rearrange the PKI deckchairs, it's to adopt a layered risk-management strategy
that actually helps protect them.  We have no real evidence of PKI addressing
anything that attackers are doing, so no matter how much you band-aid it, it's
not going to help protect users from harm.  "Fixing PKI" isn't the problem,
PKI itself is the problem.  It doesn't work, and as long as browser vendors
keep distracting themselves by fiddling with even more PKI, they'll never get
around to addressing the actual problem.

>In any case, it's time you updated your out-of-date rant -

I'll update it as soon as browser PKI starts working (meaning that we have
real evidence that it's effectively preventing the sorts of things attackers
are doing, phishing and so on).  Deal?

>or, even better, explained your solution to the problem.

I've been explaining it for years (and I'm pretty sure you're aware of at
least some of it, since we discussed it when I visited Google a year or two
back).  Here's a starter:

  In the real world, risk is never binary but always comes in shades of grey.
  When security systems treat risk as a purely boolean process, they're prone
  to failure because the quantisation that's required in order to produce a
  boolean result has to over- or under-estimate the actual risk. What's worse,
  if an all-or-nothing system like this fails, it fails completely, with no
  fallback position available to catch errors. Drawing on four decades of
  experience with security design for the built environment (buildings and
  houses) known as crime prevention through environmental design (CPTED), PKI
  as Part of an Integrated Risk Management Strategy for Web Security,
  presented at EuroPKI 2011, looks at how CPTED is applied in practice and,
  using browser PKI as the best-known example of large-scale certificate use,
  examines certificates as part of a CPTED-style risk-mitigation system that
  isn't prone to all-or-nothing failures.

  Link: http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf

  (That's a slightly updated version of the original talk).

I have a much longer version, with references to research papers and actual
effectiveness in practice from its use by commercial vendors, if anyone wants
the full thing.
