W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

Re: [OT] How secure is HTTPS today?

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 8 Nov 2011 16:20:12 +0100
Cc: public-xg-webid@w3.org
Message-Id: <257C6717-01C6-49F2-B913-7AD1563FEE5D@bblfish.net>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 8 Nov 2011, at 15:16, Kingsley Idehen wrote:

> On 11/8/11 7:29 AM, Sergio Fernández wrote:
>> 
>> I guest this article by EFF would be relevant for the people working
>> on this group: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>> Otherwise, sorry for the off topic.
>> 
> Sergio,
> 
> Quite relevant, esp., as the following points ultimately help people understand the virtues of WebID based watermarks that drive the WebID verification protocol: 
> 
> Break into any Certificate Authority (or compromise the web applications that feed into it). As we learned from the SSL Observatory project, there are 600+ Certificate Authorities that your browser will trust; the attacker only needs to find one of those 600 that she is capable of breaking into. This has been happening with catastrophic results.
> Compromise a router near any Certificate Authority, so that you can read the CA's outgoing email or alter incoming DNS packets, breaking domain validation. Or similarly, compromise a router near the victim site to read incoming email or outgoing DNS responses. Note that SMTPS email encryption does not help because STARTTLS is vulnerable to downgrade attacks.
> Compromise a recursive DNS server that is used by a Certificate Authority, or forge a DNS entry for a victim domain (which has sometimes been quite easy). Again, this defeats domain validation.
> Attack some other network protocol, such as TCP or BGP, in a way that grants access to emails to the victim domain.
> A government could order a Certificate Authority to produce a malicious certificate for any domain. There is circumstantial evidence that this may happen. And because CAs are located in 52+ countries, there are lots of governments that can do this, including some deeply authoritarian ones. Also, governments could easily perform any of the above network attacks against CAs in other countries.
> In a world where the following hold true, we have a real constructive tweak of the InterWeb:
> 
> 1. self signed certificates are easy to generate and distribute -- basically one click and a .p12 email or save to local keychain/keystore or disk
> 2. self signed certificates carry WebID watermarks
> 3. WebID watermarks facilitate a distributed mode of certificate subject identity verification via the WebID protocol.

yes, and you could put the self signed certificate into DNSsec, which would reduce a lot the vulnerability to weak CAs.
Then some people are setting up mechanisms to verify that those DNSses are secure in a more p2p way. There is some urgency in getting these things to evolve, but people tend to scream only when all their possessions have been taken away, and are sadly not very concerned about future issues as one can see with climate problems and others.

> I can already do the above from Windows, Mac OS X, Linux, iOS5, or Android devices. 100% painless :-)

Yes, WebID can be very helpful in deploying all of this. The DNSsec dane group is really doing WebID for server certs where the Alternative Names are not URIs but services i.e.: domain:port pairs. Those could be enriched with https URLs for more information too....

> 
> We just need to get the world to understand how we've made good on an powerful standard previously held captive by implementation myopia.
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	      
> President & CEO 
> OpenLink Software     
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 
> 
> 
> 

Social Web Architect
http://bblfish.net/
Received on Tuesday, 8 November 2011 15:20:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 November 2011 15:20:45 GMT