[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

ianG iang at iang.org
Tue Jan 8 03:40:35 EST 2013

On 7/01/13 15:50 PM, Ben Laurie wrote:
> On Mon, Jan 7, 2013 at 11:33 AM, ianG <iang at iang.org> wrote:
>> OK, I agree that Peter is impatient and frustrated.  So am I.  Dealing with
>> responsible parties that say "phishing isn't our problem" is pretty tiring
>> when $100m a year goes down the tubes because of it.
> To be clear, I am not saying phishing is not our problem, I am saying
> that binding keys to sites, regardless of how you do it, is not the
> answer to phishing (regardless of early PKI marketing history).

Well, if we don't challenge the assumptions, sure, it'll never work.

This is what Peter calls PKI-me-harder.  This is what the CABForum does 
- it has now written about 4 big comprehensive well-thought-out 
standards on how to PKI-me-harder.  Their massively grand achievement is 
to fully and comprehensively document the 1995 model of secure browsing 
PKI.  Everyone in CABForum is in vigorous agreement.

To address phishing, we have to challenge the assumptions of PKI.  And 
CAs will not let you do that.  And once in a forum of those nice guys, 
they won't want you doing it either.

E.g.  It is a fact that Mozilla started experimenting with the security 
model and did some good things - the yellow bar [0].  They then got 
caught up in CABForum.  Mozilla then reversed their own experiment, and 
signed up to the green program.  They then went further and dumbed down 
other parts, such as non-green HTTPS, which is now shown as white.

Conjecture:  So HTTPS is even more vulnerable to phishing, and 
green-HTTPS is on a pedestal ........  Which mitigated the whole sense 
of SSL-everywhere.  Which makes no sense from a user's perspective but 
lots of sense from a CA's perspective.

Go figure...

This is why Google experimenting alone is significantly important for users.

> IMO, the answer to phishing is to solve the password problem, and the
> solution to the password problem is really good password managers. But
> I haven't had much luck selling that solution. Probably because,
> rather like Peter's solution, it has a largish element of fluff.

Nod.  Actually, using client certs gets you most of the way there [0]. 
But like passwords, we need to replace the bad password manager (aka the 
human) with a better password manager, in software.  So the solution is 
the same.


[0] Point being that if one does the analysis, client certs dominate 
passwords at many levels.  Especially when we've got away from insisting 
that a password be memorable, something I'm sure everyone here understands.

So why aren't client certs the focus of more attention?  Well, I will 
leave a conjecture on the table:  because the CAs have a lot of trouble 
selling them, and the vendor teams work closely with CAs and other 
infrastructure sellers of PKI software.  So, the vendor teams see no demand.
