
Re: TLS 1.0 vulnerability found

From: Peter <home_pw@msn.com>
Date: Wed, 21 Sep 2011 09:29:03 -0700
Message-ID: <BLU0-SMTP17530BD4EDAC6D163CC87EF920D0@phx.gbl>
CC: WebID XG <public-xg-webid@w3.org>
To: Henry Story <henry.story@bblfish.net>
More US FUD, trying to seed no confidence in the status quo world of HTTPS (that - outside the browser vendor angle - is not controlled by US interests).

I counter by saying: why would you trust a US browser vendor to fix what you trusted them last round not to do?

Mozilla failed to run a root registration authority competently.

Early on, the program was just corrupt - with Netscape executives taking stock options in (pre-IPO) CA firms in return for access to the root store. A sham policy authority covered over what was just crypto-corrupt.

Very US tactics, and Captain Kirk would be proud (at how he won out ... by just cheating the Starfleet exam).

Don't take it too literally. It's a metaphor for the crypto-politics at the heart of SSL. It's been going on for 20 years, and the browser vendors are the (inherently) untrustworthy players. But, under crypto export law for commodity crypto, they have limited options except to act as a distributor for crypto compromised at (per vendor) birth.

On Sep 21, 2011, at 6:25 AM, Henry Story <henry.story@bblfish.net> wrote:

> 
> On 21 Sep 2011, at 11:51, Henry Story wrote:
> 
>> 
>> On 21 Sep 2011, at 10:22, Nathan wrote:
>> 
>>> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>> 
>> It looks like the pressure is growing to get all browsers to support TLS 1.2. Clearly, until they do, switching is difficult for web sites.
> 
> A non-verified account of a user called Ben Laurie, who has the same name as a person interested in security at Google, said on G+, to support an argument that the above issue was a non-problem and that there are easier solutions than moving to TLS 1.2 [1]:
> 
> <quote>
> • I am not at liberty to discuss details until Duong and Rizzo give their talk, but I have looked into this for OpenSSL. So, more soon! However, unless they have something they're not telling me, they don't have much.
> • OpenSSL 1.0.1 supports TLS 1.1 and 1.2.
> • It isn't clear that all the churn in 1.2 is actually desirable.
> </quote>
> 
> So for what that is worth, a piece of a puzzle that might raise a few questions.
> 
> Henry
> 
> [1] https://plus.google.com/109693896432057207496/posts/D4JN2NmQzjj
> 
> Social Web Architect
> http://bblfish.net/
> 
Received on Wednesday, 21 September 2011 16:29:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 21 September 2011 16:29:44 GMT