- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Tue, 08 Nov 2011 10:36:00 -0500
- To: public-xg-webid@w3.org
- Message-ID: <4EB94C60.6050803@openlinksw.com>
On 11/8/11 10:20 AM, Henry Story wrote:
>
> On 8 Nov 2011, at 15:16, Kingsley Idehen wrote:
>
>> On 11/8/11 7:29 AM, Sergio Fernández wrote:
>>> I guess this article by EFF would be relevant for the people working
>>> on this group: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>> Otherwise, sorry for the off topic.
>>>
>> Sergio,
>>
>> Quite relevant, esp. as the following points ultimately help people
>> understand the virtues of WebID based watermarks that drive the WebID
>> verification protocol:
>>
>> * Break into any Certificate Authority (or compromise the web
>> applications that feed into it). As we learned from the SSL
>> Observatory project, there are 600+ Certificate Authorities that
>> your browser will trust; the attacker only needs to find one of
>> those 600 that she is capable of breaking into. This has been
>> happening with catastrophic results.
>> * Compromise a router near any Certificate Authority, so that you
>> can read the CA's outgoing email or alter incoming DNS packets,
>> breaking domain validation. Or similarly, compromise a router
>> near the victim site to read incoming email or outgoing DNS
>> responses. Note that SMTPS email encryption does not help because
>> STARTTLS is vulnerable to downgrade attacks.
>> * Compromise a recursive DNS server that is used by a Certificate
>> Authority, or forge a DNS entry for a victim domain (which has
>> sometimes been quite easy). Again, this defeats domain validation.
>> * Attack some other network protocol, such as TCP or BGP, in a way
>> that grants access to emails to the victim domain.
>> * A government could order a Certificate Authority to produce a
>> malicious certificate for any domain. There is circumstantial
>> evidence that this may happen. And because CAs are located in 52+
>> countries, there are lots of governments that can do this,
>> including some deeply authoritarian ones. Also, governments could
>> easily perform any of the above network attacks against CAs in
>> other countries.
>>
>> In a world where the following hold true, we have a real constructive
>> tweak of the InterWeb:
>>
>> 1. self signed certificates are easy to generate and distribute --
>> basically one click and a .p12 email or save to local
>> keychain/keystore or disk
>> 2. self signed certificates carry WebID watermarks
>> 3. WebID watermarks facilitate a distributed mode of certificate
>> subject identity verification via the WebID protocol.
>
> yes, and you could put the self signed certificate into DNSsec, which
> would reduce a lot the vulnerability to weak CAs.

Yes!

> Then some people are setting up mechanisms to verify that those DNSses
> are secure in a more p2p way. There is some urgency in getting these
> things to evolve, but people tend to scream only when all their
> possessions have been taken away, and are sadly not very concerned
> about future issues as one can see with climate problems and others.

We humans learn from pain, sadly :-(

>
>> I can already do the above from Windows, Mac OS X, Linux, iOS5, or
>> Android devices. 100% painless :-)
>
> Yes, WebID can be very helpful in deploying all of this. The DNSsec
> dane group is really doing WebID for server certs where the
> Alternative Names are not URIs but services i.e.: domain:port pairs.
> Those could be enriched with https URLs for more information too....
>

Yes.

>>
>> We just need to get the world to understand how we've made good on a
>> powerful standard previously held captive by implementation myopia.

We need to accentuate (in WebID narrative) the fact that SANs are slots for decentralizing PKI :-)

Kingsley

>>
>> --
>>
>> Regards,
>>
>> Kingsley Idehen
>> President & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: @kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>
>>
>>
>>
>
> Social Web Architect
> http://bblfish.net/
>

--

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
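The verification step the thread is about, a self-signed certificate whose subjectAltName carries a WebID URI ("watermark") and whose key is checked against the profile published at that URI instead of against any CA, as an added example written for this archive page; it is not code from the thread or from any WebID implementation. It assumes the SAN URIs and RSA public numbers have already been extracted from the client certificate with an X.509 library, and it replaces the HTTPS dereference of the WebID with constructed in-memory profile documents and a regex over a small Turtle subset so that it runs offline:

```python
import re
from typing import List, Optional, Tuple

# Constructed profile documents keyed by WebID. A real verifier dereferences
# the WebID over HTTPS and parses the RDF with an RDF library; this example
# keeps an in-memory map and a regex over a small Turtle subset so it runs
# offline. The moduli are shortened, made-up values, not real RSA keys.
CONSTRUCTED_PROFILES = {
    "https://alice.example/profile#me": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<https://alice.example/profile#me>
    a foaf:Person ;
    foaf:name "Alice" ;
    cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "00 c0ffee01 23456789 abcdef01 23456789 abcdef01 23456789 abcdef01 23456789"^^xsd:hexBinary ;
        cert:exponent 65537
    ] .
""",
    "https://bob.example/profile#me": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<https://bob.example/profile#me>
    a foaf:Person ;
    foaf:knows <https://alice.example/profile#me> ;
    cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "DEADBEEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567"^^xsd:hexBinary ;
        cert:exponent "65537"^^xsd:integer
    ] .
""",
}

# Values a verifier would pull out of the presented client certificate with an
# X.509 library: the subjectAltName URIs plus the RSA public numbers. Constructed
# to match Alice's profile above; the modulus is a shortened made-up value.
CERT_SAN_URIS = ["mailto:alice@alice.example", "https://alice.example/profile#me"]
CERT_MODULUS = int("C0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789", 16)
CERT_EXPONENT = 65537


def profile_keys(turtle: str, webid: str) -> List[Tuple[int, int]]:
    """Return the (modulus, exponent) pairs the profile asserts for *webid*.

    Only keys stated with the WebID itself as subject count: a key attached to
    some other resource in the same document must not vouch for this identity.
    """
    stmt = re.search(r"^\s*<" + re.escape(webid) + r">(.*?)\s\.\s*$",
                     turtle, re.S | re.M)
    if not stmt:
        return []
    keys = []
    for block in re.findall(r"cert:key\s*\[(.*?)\]", stmt.group(1), re.S):
        mod = re.search(r'cert:modulus\s+"([^"]*)"', block)
        exp = re.search(r'cert:exponent\s+"?(\d+)"?', block)
        if not (mod and exp):
            continue
        # Normalise sloppy hexBinary: drop whitespace; int() ignores case and
        # leading zeros, which is why keys are compared as integers.
        hexstr = re.sub(r"\s+", "", mod.group(1))
        try:
            keys.append((int(hexstr, 16), int(exp.group(1))))
        except ValueError:
            continue  # malformed key entry: ignore it, never treat as a match
    return keys


def verify_webid(san_uris, modulus, exponent,
                 fetch=CONSTRUCTED_PROFILES.get) -> Optional[str]:
    """Return the first SAN URI whose profile publishes the certificate's key.

    No CA is consulted: the certificate may be self-signed, and trust comes
    from the profile reachable at the URI in the SAN (the "watermark").
    """
    for uri in san_uris:
        if not uri.startswith(("https://", "http://")):
            continue  # mailto:/DNS SANs are not WebIDs
        doc = fetch(uri)
        if doc is None:
            continue  # profile unreachable: this SAN proves nothing
        for mod, exp in profile_keys(doc, uri):
            if mod == modulus and exp == exponent:
                return uri
    return None


if __name__ == "__main__":
    print(verify_webid(CERT_SAN_URIS, CERT_MODULUS, CERT_EXPONENT))
    print(verify_webid(["https://bob.example/profile#me"], CERT_MODULUS, CERT_EXPONENT))
```

The point of the design is where trust moves to: the CA chain is replaced by the fetch of the profile, so that fetch is the step that needs protecting (TLS to the profile host, or a DNSSEC-published binding as Henry suggests), and a certificate whose SAN URI is unreachable or whose profile lists a different key must simply fail, never fall back to the CA path.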
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 8 November 2011 15:36:26 UTC