[nSLUG] Chebucto Security

Daniel Morrison draker at gmail.com
Thu Jan 22 02:38:01 AST 2009


2009/1/22 Jason Kenney <jdkenney at gmail.com>:
>> Yay, it works. Congratulations if you read this far...

> I did.  However you didn't address my basic point, which is that you
> are still trusting the network not to mislead you about the true end
> point(s) you are talking to.

...no, I don't trust the network.  I trust my browser to tell me if
there is a certificate problem which indicates that the network _did_
mislead me, and in the absence of this, assume that I am talking to
who I think I am talking to.  (Same way I trust ssh to tell me if
there is a host key problem with the sshd server I think I am talking
to).

> The bank website is one, but the
> certificate authority itself is another.  If the brower and its
> SSL/TLS implementation can correctly flag a site as malicious when you
> are talking to both a forged site, and a fake certificate authority,
> then I will concede my point.

Well, we really are getting beyond my day-to-day expertise, but a
moment's research shows me that it really is just the same thing over
again.  The Certificate Authority ("CA" from here on in) generates a
public/private key pair, and arranges to have the public half
distributed with the major browsers.  They use the their secret,
private half of the key to demonstrate to you that they really are who
you expected when your browser queries them, before they further
guarantee that your https server's certificate belongs to who you
think the https server is.

http://en.wikipedia.org/wiki/Certificate_authority#Issuing_a_certificate

Note that this is very different question from: do I trust the CA?
Establishing that someone really is who their ID says they are does
not automatically make them trustworthy.

BTW, the list of authorities included with Firefox is available here:

http://www.mozilla.org/projects/security/certs/included/

So now I know that "TURKTRUST" is real, and not an authority added to
my personal copy of firefox when my back was turned.

So, the questions are:
- Do I trust the companies that act as CAs? (e.g. Verisign & TURKTRUST, etc.)
- Do I trust mozilla to have placed genuine public keys belonging to
certificate authorities in my firefox?  (Note: certificate authorities
sign each other's keys to validate each other, so I only have to trust
one key in order to determine that the others are valid,
simplistically)
- Do I trust mozilla to have coded firefox & the firefox https
protocol correctly?  (This is one of the toughest ones!)
- Do I trust that the computer/web browser I am using has not had
bogus CAs added since firefox was downloaded from mozilla and
installed?

If the answers are all yes, then I can be quite certain that I am
talking to a certificate authority that I trust, and it has confirmed
that I am really talking to the organization (in my examples,
royalbank.com) that I believe I am talking to.

Last question: do I trust that end-point organization?

If yes, then we're done.

As I understand it, the whole shebang is intended to remove any
question of trusting any computer or network at all, and by means of
cryptography, elevate the position of trust to that in people and
organizations.  You have to trust the folks at mozilla, verisign, and
RBC, but not the manufacturers and coders of all the computer hardware
and software that runs the huge network upon whose digital waves we
happily surf.

In this way, the technology does not change the age-old measure we use
to determine to whom we entrust our money: the magnitude, age and
general impressiveness of the marble columns on display at the
company's head office!

-D.



More information about the nSLUG mailing list