[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)
iang at iang.org
Tue Jan 8 03:40:35 EST 2013
On 7/01/13 15:50 PM, Ben Laurie wrote:
> On Mon, Jan 7, 2013 at 11:33 AM, ianG <iang at iang.org> wrote:
>> OK, I agree that Peter is impatient and frustrated. So am I. Dealing with
>> responsible parties that say "phishing isn't our problem" is pretty tiring
>> when $100m a year goes down the tubes because of it.
> To be clear, I am not saying phishing is not our problem, I am saying
> that binding keys to sites, regardless of how you do it, is not the
> answer to phishing (regardless of early PKI marketing history).

Well, if we don't challenge the assumptions, sure, it'll never work.
This is what Peter calls PKI-me-harder. This is what the CABForum does
- it has now written about 4 big comprehensive well-thought-out
standards on how to PKI-me-harder. Their massively grand achievement is
to fully and comprehensively document the 1995 model of secure browsing
PKI. Everyone in CABForum is in vigorous agreement.

To address phishing, we have to challenge the assumptions of PKI. And
CAs will not let you do that. And once in a forum of those nice guys,
they won't want you doing it either.

E.g. It is a fact that Mozilla started experimenting with the security
model and did some good things - the yellow bar. They then got
caught up in CABForum. Mozilla then reversed their own experiment, and
signed up to the green program. They then went further and dumbed down
other parts, such as non-green HTTPS, which is now shown as white.

Conjecture: So HTTPS is even more vulnerable to phishing, and
green-HTTPS is on a pedestal... Which mitigated the whole sense
of SSL-everywhere. Which makes no sense from a user's perspective but
lots of sense from a CA's perspective.

This is why Google experimenting alone is significantly important for users.

> IMO, the answer to phishing is to solve the password problem, and the
> solution to the password problem is really good password managers. But
> I haven't had much luck selling that solution. Probably because,
> rather like Peter's solution, it has a largish element of fluff.

Nod. Actually, using client certs gets you most of the way there.
But like passwords, we need to replace the bad password manager (aka the
human) with a better password manager, in software. So the solution is
Point being that if one does the analysis, client certs dominate
passwords at many levels. Especially when we've got away from insisting
that a password be memorable, something I'm sure everyone here understands.

So why aren't client certs the focus of more attention? Well, I will
leave a conjecture on the table: because the CAs have a lot of trouble
selling them, and the vendor teams work closely with CAs and other
infrastructure sellers of PKI software. So, the vendor teams see no demand.