
Re: The TLS hammer and resource integrity

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 28 Mar 2012 09:53:35 +0200
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <725D7A38-D94C-4C16-A4A1-0987DE710EB0@bblfish.net>
To: Willy Tarreau <w@1wt.eu>

On 28 Mar 2012, at 08:40, Willy Tarreau wrote:

> Hi,
> 
> On Wed, Mar 28, 2012 at 08:06:35AM +0200, Henry Story wrote:
>> For example if I am reading a blog from an author I trust and he writes 
>> a review of his good experience shopping in some small company, a story I heard 
>> perhaps through other channels and have every reason to trust, and I 
>> click on the link to go to that site, but a man-in-the-middle attacker
>> has replaced the link to the site he was writing about with a link to his 
>> proxy (in order to take the money sent to the payment links he controls), 
>> then it will be very easy to fool me.
> 
> I'm totally amazed by the fact that:
>  a) people consider that the web is only *web pages* at risk of being
>     mangled by man-in-the-middle attacks, but don't consider all the
>     other components that represent zero value but need to be quickly
>     delivered. E.g.: off-site components such as visitor counters which
>     nobody cares about but which should be very fast, or ads for which the
>     ads providers don't necessarily want to inflate their infrastructure
>     costs.
> 
>  b) we're keeping focused on the risk of having a blog page modified by
>     an MITM while the *only* real issue right now (I mean what makes people
>     *lose money* in the real world) is malware running in browsers and
>     taking away all of their information or even acting as themselves on
>     secure web sites. What's the point of securing blogs when connecting
>     to banks over TLS is already unsafe?


That is the equivalent of the famous skeptical argument against the possibility 
of any knowledge in philosophy. The skeptic argues: given that you cannot 
distinguish your current situation from the way the world would seem to be had
you been kidnapped at night by aliens from Alpha Centauri, who had connected
your brain to a highly evolved computer designed to feed you the sense impressions
you are having as you walk to a shop, which you would be falsely thinking you were
walking to, where you would in fact just be dreaming you were - given that you 
can never distinguish your situation from that one, it follows that you cannot know
at all. So argues the skeptic.

The parallel with your argument is clear. Substitute computer for brain, and malware
for Alpha Centaurians, and the argument becomes: since the bank can never distinguish
between someone who is malware infested and someone who is not, why should they 
bother with security at all?

The answer in knowledge that Robert Nozick put forward is that knowledge is a modal 
concept, and that it does not follow from the statement that you don't know you 
are not a brain in the vat, that you don't know everyday statements. Knowledge is tracking
the truth in the closest possible worlds, not in the most far-fetched ones. Of course if
Alpha Centaurians became a reality, then things would start getting hairy.

So your argument is stronger, since you argue that a lot of computers are malware
infested. Of course there the thing to do is for banks to add other methods of 
verification or notification, not to reduce security in connection and other places.
I.e., the solution is not to give up on knowledge in the traditional skeptical case,
or in your case on TLS, but to work on methods for reducing malware infested 
computers. And it could be that having TLS connections that mean that when I read
my friend's blog his links don't get changed to point me to a malware infested site
will help me avoid the malware too. 

Security is an enterprise where one has to push back on many fronts simultaneously:
better connection security, better operating systems, better education of users, 
reduction of the need for password usage (since people mostly use the same), use 
of platforms like Java correctly so that they limit access to resources on the 
OS, and limit connections, more attention in browser technologies to security, 
better warning systems, neighbourhood watch, avoidance of porn sites, ...

> 
> We'll just lower the overall security by applying the same security
> enforcement to all sites. Connecting to your bank or to your WiFi
> router's admin page will look equally safe.

Ah, it is the "look" of security that is worrying you? Going to a bank should
"look" more secure than your router's admin page? But your router admin page
should be just as secure as the bank if possible, since that is another vector
of attack. 


> I don't think this is the
> intent of this move, really.
> 
> Willy
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 28 March 2012 07:54:19 GMT
