W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

Re: [OT] How secure is HTTPS today?

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 08 Nov 2011 09:16:00 -0500
Message-ID: <4EB939A0.7010609@openlinksw.com>
To: public-xg-webid@w3.org
On 11/8/11 7:29 AM, Sergio Fernández wrote:
> I guest this article by EFF would be relevant for the people working
> on this group: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
> Otherwise, sorry for the off topic.

Quite relevant, esp., as the following points ultimately help people 
understand the virtues of WebID based watermarks that drive the WebID 
verification protocol:

  * Break into any Certificate Authority (or compromise the web
    applications that feed into it). As we learned from the SSL
    Observatory project, there are 600+ Certificate Authorities that
    your browser will trust; the attacker only needs to find one of
    those 600 that she is capable of breaking into. This has been
    happening with catastrophic results.
  * Compromise a router near any Certificate Authority, so that you can
    read the CA's outgoing email or alter incoming DNS packets, breaking
    domain validation. Or similarly, compromise a router near the victim
    site to read incoming email or outgoing DNS responses. Note that
    SMTPS email encryption does not help because STARTTLS is vulnerable
    to downgrade attacks.
  * Compromise a recursive DNS server that is used by a Certificate
    Authority, or forge a DNS entry for a victim domain (which has
    sometimes been quite easy). Again, this defeats domain validation.
  * Attack some other network protocol, such as TCP or BGP, in a way
    that grants access to emails to the victim domain.
  * A government could order a Certificate Authority to produce a
    malicious certificate for any domain. There is circumstantial
    evidence that this may happen. And because CAs are located in 52+
    countries, there are lots of governments that can do this, including
    some deeply authoritarian ones. Also, governments could easily
    perform any of the above network attacks against CAs in other countries.

In a world where the following hold true, we have a real constructive 
tweak of the InterWeb:

1. self signed certificates are easy to generate and distribute -- 
basically one click and a .p12 email or save to local keychain/keystore 
or disk
2. self signed certificates carry WebID watermarks
3. WebID watermarks facilitate a distributed mode of certificate subject 
identity verification via the WebID protocol.

I can already do the above from Windows, Mac OS X, Linux, iOS5, or 
Android devices. 100% painless :-)

We just need to get the world to understand how we've made good on an 
powerful standard previously held captive by implementation myopia.



Kingsley Idehen	
President&  CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 8 November 2011 14:16:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:48 UTC