[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie ben at links.org
Mon Jan 7 05:25:49 EST 2013


On Sun, Jan 6, 2013 at 11:20 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Ben Laurie <ben at links.org> with:
>
>>a) I don't believe your figures,
>
> Well I don't believe in the tooth fairy, but in this case you're going to have
> to provide a more convincing rebuttal than "I choose not to believe in this
> inconvenient information".

That was not my point - you start your rant by saying no-one has ever
been protected. When I point out that is untrue, you invent some very
small figures. I doubt they are quite as small as your invention, plus
you are selectively counting anyway.

>>I suspect you don't understand CT - perhaps you'd care to explain why it is
>>PKI-me-harder?
>
> Because it's a band-aid on a mechanism that doesn't really work in the first
> place.  The solution to the inability of PKI to protect users isn't to
> rearrange the PKI deckchairs, it's to adopt a layered risk-management strategy
> that actually helps protect them.  We have no real evidence of PKI addressing
> anything that attackers are doing,

This is a bizarre statement in the face of Diginotar.

Maybe they aren't the attackers that interest you, but they are
certainly attackers.

> so no matter how much you band-aid it it's
> not going to help protect users from harm.  "Fixing PKI" isn't the problem,
> PKI itself is the problem.  It doesn't work, and as long as browser vendors
> keep distracting themselves by fiddling with even more PKI, they'll never get
> around to addressing the actual problem.
>
>>In any case, its time you updated your out-of-date rant -
>
> I'll update it as soon as browser PKI starts working (meaning that we have
> real evidence that it's effectively preventing the sorts of things attackers
> are doing, phishing and so on).  Deal?

Phishing is not something that PKI is intended to address. Sorry about
that. My point is you make claims that may have been true some years
ago, but are no longer. Your rant should at least be truthful. I
realise that "not many people have been defended by cert warnings" is
less punchy than "no-one has, ever". Once more, sorry about that.

>>or, even better, explained your solution to the problem.
>
> I've been explaining it for years (and I'm pretty sure you're aware of at
> least some of it, since we discussed it when I visited Google a year or two
> back).  Here's a starter:
>
>   In the real world, risk is never binary but always comes in shades of grey.
>   When security systems treat risk as a purely boolean process, they're prone
>   to failure because the quantisation that's required in order to produce a
>   boolean result has to over- or under-estimate the actual risk. What's worse,
>   if an all-or-nothing system like this fails, it fails completely, with no
>   fallback position available to catch errors. Drawing on four decades of
>   experience with security design for the built environment (buildings and
>   houses) known as crime prevention through environmental design (CPTED), PKI
>   as Part of an Integrated Risk Management Strategy for Web Security,
>   presented at EuroPKI 2011, looks at how CPTED is applied in practice and,
>   using browser PKI as the best-known example of large-scale certificate use,
>   examines certificates as part of a CPTED-style risk-mitigation system that
>   isn't prone to all-or-nothing failures.
>
>   Link: http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf

CT fits right into that framework, though - it is akin to "put ATMs
where everyone can see them" and the like.

I do not claim that CT is a complete solution to all the net's
problems, but I do claim it is a component along exactly the lines you
are pushing for. Do I think PKI is a great idea? No, but I _do_ think
we need _some_ way to encrypt traffic s.t. only the intended recipient
can decrypt it, and I don't see a quicker way to get there from here
than PKI + CT. Or even anything that is substantially better.

>   (That's a slightly updated version of the original talk).
>
> I have a much longer version, with references to research papers and actual
> effectiveness in practice from its use by commercial vendors, if anyone wants
> the full thing.

I don't doubt the effectiveness of the kind of thing you are talking
about, but what I would find helpful is something actionable - i.e.
"if you did X, then users would actually better protected, and it
won't break the 'net". My experience is that it is quite difficult to
bridge the gap between fluff that obviously works and concrete actions
that don't have large downsides.



More information about the cryptography mailing list