[ale] https
Keith R. Watson
keith.watson at gtri.gatech.edu
Thu Feb 14 12:17:39 EST 2002
The issue is not that one is more "secure" than the other. It's really all
about convenience.
There are two things that people need to know when using certificates.
1. You are who you say you are
2. The data being transmitted is secure.
Using open source certificates you can encrypt the data (2) just as well
as the commercial products. What they do not do is conveniently ensure you
are who you say you are (1).
The basis of security is mutual trust. We have to have some way of knowing
that we are both who we say we are, or in the case of e-commerce that the
vendor getting my VISA number is who they say they are.
Here's an example:
Fred knows Wilma
Barney knows Fred
so when Fred introduces Wilma to Barney, Barney has some assurance (based
on how much he trusts Fred) that Wilma is Wilma.
So what?
What if Fake-Wilma walks up to Barney and says, "hey I'm the same Wilma
that Fred knows". How does Barney know she is telling the truth? Simple, go
ask Fred, who will immediately point out that she is a fake.
Let's look at it from a net perspective: I go to what I think is
Fred-the-Web-Guy's site and am presented with a self signed certificate
saying he is Fred-the-Web-Guy. How do I know it was really signed by Fred?
I don't unless I'm already in possession of a properly authenticated key
that I got from a trusted source that proves Fred's key was used to sign
the certificate.
That's where VeriSign and their competitors come in. Their authenticated
key came with the browser I'm using (which I supposedly got from a trusted
source) and they verified that Fred-the-Web-Guy is who he says he is and
sign his certificate. Hence, VeriSign (who I supposedly trust) essentially
introduced me to Fred-the-Web-Guy.
Without a third party that is known and trusted in advance by the two
parties that want to be introduced there is no way of knowing you are who
you say you are. Given that, I can hijack your site and claim I'm you.
That is the basic weakness of public key systems: there isn't a convenient
way to ensure that I have an authenticated key from a trusted source for
everyone in advance, on the off chance I want to verify some random person
is who they say they are.
With VeriSign and their competitors I would theoretically only have to
trust them, and then I'm ready to safely talk to anyone they introduce me
to. That is unless I can't trust VeriSign and their competitors to verify
your identity in advance, hence the magnitude of the calamity caused by the
bogus Verisign certificates that got loose. Are there any other bogus ones
out there we don't know about?
In the meantime you can self sign a certificate, just be aware that you
will have to provide, in advance, an authenticated key through a trusted
method to everyone you want to use your site. Clearly not impossible, just
not convenient.
I know it sounds like I'm saying VeriSign and their competitors are the
best answer. I'm not. For the moment they seem to be the most convenient,
but only until an open source solution is engineered that solves the
problem. I'm hoping that will happen, but I'm also aware that it's just not
that easy to do. If it were, we would already be doing it (although absence
of something is not generally accepted as a fact of difficulty).
That's why I like the ALE list. We can define the problem and then
thousands of minds run off to fix it. Sort of a human based distributed
computing system.
keith
At 03:02 PM 2/13/2002 -0500, Greg wrote:
>I think that the certificate businesses (Verisign and Thawte) do some
>research into the certificate holder to make sure that it is a "real"
>business and not some 3l33t hax0r.... but I came across someone's
>investigation where they basically had their pet dog as the head of a
>fictional company that got a certificate.... (hmmm could this work so that I
>can claim my 2 dogs and the SO's 2 cats as dependents on taxes?.. JUST
>KIDDING ! ). I also think that it is supposed to be set up something like
>the public/private key authentication mechanism and also with browsers and
>their "OK'ing" stuff when the cert is from Verisign/Thawte. However, let us
>not forget that a black hat got 9 certificate #'s that belonged to our dear
>friends from Redmond. Of course when it made the news MS made a patch that
>would fix IE to not trust the 9 numbers (and what else it did I don't know).
>
>It depends on what degree of security you want and how much you are willing
>to do/pay for. My last job just used a self generated certificate, but we
>were not dealing with any e-commerce.
>
>Basically you are correct in your summation concerning the cert pimps and
>"joe the web guy".
>
>Greg the web guy (not to be confused w/ joe the web guy)
>
> > -----Original Message-----
> > From: Geoffrey [mailto:esoteric at 3times25.net]
> > Sent: Wednesday, February 13, 2002 2:18 PM
> > To: ale at ale.org
> > Subject: Re: [ale] https
> >
> >
> > Denny Chambers wrote:
> > > Here is a link to the modssl userguide, which talks about creating your
> > > own self sign certificates. This will work on your ssl server, although
> > > this method is not as secure as having a real certificate from a CA. On
> > > the other hand this is a lot cheaper.
> >
> > Correct me if I'm wrong, but the security of a self signed certificate
> > is no less than the security of a purchased one. The only difference is
> > that folks visiting your site might feel more comfortable finding the
> > certificate is signed by one of the well known certificate rapists,
> > rather than being signed by 'joe the web guy.'
> >
> > --
> > Until later: Geoffrey esoteric at 3times25.net
> >
> > "...the system (Microsoft passport) carries significant risks to users that
> > are not made adequately clear in the technical documentation available."
> > - David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
> > - http://www.avirubin.com/passport.html
> >
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info.
> > Problems should be
> > sent to listmaster at ale dot org.
> >
> >
> >
>
>
-------------
Keith R. Watson GTRI/AIST
Systems Support Specialist III Georgia Tech Research Institute
keith.watson at gtri.gatech.edu Atlanta, GA 30332-0816
404-894-0836