Re: use case: TLS Man in the Middle (ACTION-73)

George,

I agree with your sentiment, and that "this is not hard stuff." Perhaps 
what is needed is far less tolerance for sloppiness and the easy way out.

On the other hand, I think we are dealing with two distinct issues that 
do need to be addressed, and that are partially within this group's 
scope of work:

 (1) Lots of people responsible for managing online services, or 
providing technical support for online services (e.g., sysadmins), do 
believe that this security stuff is too hard to bother with. I know I've 
encountered this sentiment over and over again, even when people are 
presented with compelling demonstrations that off-the-shelf security 
measures are not overly hard to implement, nor a detriment to system 
performance.

 (2) In some respects, the off-the-shelf security solutions available 
today are unnecessarily hard to work with, or they are incompatible with 
business objectives of service providers or their partners/customers. If 
nothing else, security solutions of the type we're dealing with here 
introduce new operational burdens that are often not well understood, or 
adequately addressed by current offerings.

To make things better, we collectively need to address both sides of 
this coin: the perception that it's too hard, and the reality that it's 
harder than it needs to be. Education of the providers of online 
services and the vendors that supply technology to them is one way to 
resolve this dichotomy.

...Chuck
_____________________________
   Chuck Wade, Principal
   Interisle Consulting Group
   +1  508 435-3050  Office
   +1  508 277-6439  Mobile
   www.interisle.net


George Staikos wrote:
>
>
>  If it is, it's rather pathetic IMHO.  That's what sysadmins are for, 
> and really, this is not hard stuff.
>
> On 22-Jan-07, at 10:12 AM, Doyle, Bill wrote:
>
>> Cert problems and complexity - Is this why many sites are just using
>> http for the splash page and only encrypting credentials?
>>
>> We had a long list of sites using http with credentials that had a
>> padlock. Many of these sites were banking or other high value sites
>> that only used http noting that the credentials were secure. Hope that
>> this direction is not a trend.
>>
>> Bill D.
>> wdoyle@mitre.org
>>
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] On Behalf Of George Staikos
>> Sent: Sunday, January 21, 2007 10:21 PM
>> To: W3 Work Group
>> Subject: Re: use case: TLS Man in the Middle (ACTION-73)
>>
>>
>>
>> www.usair.com was pushing out the certificate for www.usairways.com
>> this weekend.  If high-profile sites like this are screwing up this
>> badly, perhaps we need to take action on the UA side.  I really feel
>> comfortable with the idea of completely blocking access to sites with
>> misconfigured certificates like this.  Unfortunately it's another
>> case of "we have to break all the browsers simultaneously".
>>
>> On 9-Jan-07, at 11:50 AM, Thomas Roessler wrote:
>>
>>>
>>> Another in the "specific interactions" department.
>>>
>>> Alice tries to connect to a web site at <https://www.example.com/>.
>>> Her user agent's TLS implementation detects that the domain name
>>> present in the certificate differs from www.example.com.
>>>
>>> Regards,
>>> --Thomas Roessler, W3C  <tlr@w3.org>
>>>
>>
>> -- 
>> George Staikos
>> KDE Developer                http://www.kde.org/
>> Staikos Computing Services Inc.        http://www.staikos.net/
>>
>>
>>
>>
>
> -- 
> George Staikos
> KDE Developer                http://www.kde.org/
> Staikos Computing Services Inc.        http://www.staikos.net/
>
>
>
>

Received on Tuesday, 23 January 2007 13:46:04 UTC
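The use case Thomas Roessler describes, and the www.usair.com / www.usairways.com mismatch George Staikos reports, both come down to the hostname check a user agent performs on the server certificate. The following is an added example, not code from this thread or from any browser: it implements RFC 6125-style matching of a requested hostname against the dNSName entries of a certificate's subjectAltName (falling back to the Common Name only when no dNSName is present) and reports why a mismatch was detected. The `Certificate` dataclass is a constructed stand-in for the parsed identity fields of an X.509 certificate, and the rule that a wildcard must be followed by at least two labels is a browser policy choice assumed here.

```python
"""Hostname-to-certificate matching of the kind a TLS client performs
before trusting a server certificate (added example; not from the thread)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Certificate:
    """Constructed stand-in for the identity fields of an X.509 certificate:
    the subject Common Name and the dNSName entries of subjectAltName.
    Real code would obtain these from a parsed DER/PEM certificate."""
    common_name: str
    dns_names: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot denotes the root
    # and carries no identity information, so it is dropped.
    return name.strip().lower().rstrip(".")


def _dns_name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented identifier (dNSName or CN) with the requested
    hostname. Wildcard rules follow RFC 6125: '*' may only be the entire
    left-most label and matches exactly one label. Requiring at least two
    labels after the wildcard (so '*.com' is rejected) is an assumed policy."""
    presented = _normalize(presented)
    hostname = _normalize(hostname)
    if not presented or not hostname:
        return False
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # A wildcard covers exactly one label, so the label counts must agree
    # and every label after the wildcard must match exactly.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def check_hostname(cert: Certificate, hostname: str) -> Tuple[bool, str]:
    """Return (matched, explanation). When the certificate carries dNSName
    SAN entries only those are consulted; the Common Name is used solely as
    a fallback when no dNSName exists (RFC 6125 section 6.4.4)."""
    identifiers = [n for n in cert.dns_names if n]
    source = "subjectAltName dNSName"
    if not identifiers:
        identifiers = [cert.common_name]
        source = "subject CN (no dNSName SAN present)"
    for ident in identifiers:
        if _dns_name_matches(ident, hostname):
            return True, f"{hostname!r} matches {ident!r} from {source}"
    return False, (
        f"{hostname!r} matches none of {identifiers!r} from {source}; "
        "the user agent cannot treat the server as authenticated"
    )


if __name__ == "__main__":
    # Constructed re-creation of the misconfiguration reported in the thread:
    # the certificate served for www.usair.com names only www.usairways.com.
    served_cert = Certificate("www.usairways.com", ["www.usairways.com", "usairways.com"])
    ok, why = check_hostname(served_cert, "www.usair.com")
    print("matched" if ok else "MISMATCH", "-", why)
    # The use case from the thread: certificate name differs from www.example.com.
    ok, why = check_hostname(Certificate("shop.example.com", ["shop.example.com"]), "www.example.com")
    print("matched" if ok else "MISMATCH", "-", why)
```

Run as a script, both constructed scenarios report a mismatch with the list of identifiers that were actually compared, which is the information a user agent needs when deciding how to present (or, as George proposes, block) such a connection; the same function returns a match for a correctly issued certificate, including wildcard and mixed-case cases.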