[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

ianG iang at iang.org
Mon Jan 7 02:31:21 EST 2013

There are two long-term trends that might inform this argument.

1.  Vendors have typically refused to improve the model of browser 
security if it has involved changes to the model.  There is a long 
history of people providing suggestions, papers and code, and the 
vendors have ignored them.  It is one of the more compelling evidences 
that vendors do not have users' interest in mind, taking their guidance 
from the supply side.

1.a the current rebel from the trend is google.  The reason for this can 
be seen in its business makeup.  google unlike the rest is both a vendor 
*and a user*.  As it has come under attack for its second role, it has 
sought to defend.  CAs have not been of any use.  As an 
engineering-heavy company, it has seen engineering improvements that 
could be made.  For this reason, google can be seen to be experimenting 
with changes, and continuing to do so.

We should welcome these early experiments, wherever they come from. 
This is regardless of whether they are good, bad, up or down.  The only 
way to fix the mess is to change internal architectural assumptions of 
the browsing PKI (e.g., including as people have pointed out the 
brittleness of one-for-all and all-for-one aspect, perhaps we should 
refer to it as the 3 Musketeers weakness).  The point here being that
you might get to consider the really serious problems of the model once 
you have gained some confidence fiddling around at the edges.

2.  The basic flaws of the model and the business structure are forcing 
the vendors to take on a role that might be considered to be a meta-CA, 
sometimes jokingly referred to as the über-CA.  You can see this in the 
quasi-auditing procedure conducted by Mozilla known as their policy, and 
the recent addition of root revocation capabilities in the last 3 years.
In the nick of time it might seem, but every action has consequences.

Which is to say, now that vendors have taken on the role, and become the 
über-CAs, they are more likely to PKI-us-harder than lesser.  E.g., 
google's current trend with pinning, CT, and dropping self-signed certs 
are obviously that, as they do more with PKI not less.  It's going to 
take a while before they get frustrated at this.

Point being, it is nice to see someone doing something.  But we aren't 
going to get the direction needed for some time.

On 6/01/13 16:53 PM, Ben Laurie wrote:
> On Sun, Jan 6, 2013 at 1:15 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> Ben Laurie <ben at links.org> writes:
>>> On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>>>> In the light of yet another in an apparently neverending string of CA
>>>> failures, how long are browser vendors going to keep perpetuating this PKI
>>>> farce? [0].  Not only is there no recorded instance, anytime, anywhere, of a
>>>> browser certificate warning actually protecting users from harm [1],
>>> This is patently incorrect: Diginotar were caught by a browser warning.
>> Well, we think that at least one user was.  We definitely know that 300,000
>> others weren't.  That's hardly a triumph of browser PKI.
>> Let's look at the figures in more detail.  There are around a billion users of
>> the Internet.  Let's say that they go to two SSL-enabled sites a day, probably
>> a lower bound but it's just a back-of-the-envelope thing.  That's two billion
>> uses of browser PKI a day, let's call it roughly a trillion a year.  SSL has
>> been around in significant volume for, say, about 15 years, so that's 15
>> trillion uses.  The number of people who reported being warned about the
>> Diginotar cert was, say, a dozen or so, and of that we don't know how many
>> ignored the warning and clicked through anyway, as they've been conditioned to
>> do.
> My understanding is you can't click through a pinning warning.
>> There are figures from an earlier invalid-cert case in which exactly one
>> user out of 300 was turned back by the warning, but let's be generous and say
>> it was two users who were turned away.  So out of 15 trillion uses of browser
>> PKI, two worked to protect users.  In other words it has an effectiveness rate
>> of one in seven trillion.
> a) I don't believe your figures, and
> b) You are not counting all the people who were protected by the early
> detection of Diginotar.
>> That pretty much makes browser PKI the homeopathy of security.
>>> Certificate Transparency is a real security measure that is a response by a
>>> browser vendor.
>> So the response to the repeated failure of browser PKI is PKI-me-harder.
>> Yeah, that's really going to make users safer.
> I suspect you don't understand CT - perhaps you'd care to explain why
> it is PKI-me-harder?
> In any case, it's time you updated your out-of-date rant - or, even
> better, explained your solution to the problem.
