[nSLUG] Chebucto Security

Jason Kenney jdkenney at gmail.com
Thu Jan 22 15:40:54 AST 2009


On Thu, Jan 22, 2009 at 2:38 AM, Daniel Morrison <draker at gmail.com> wrote:
> 2009/1/22 Jason Kenney <jdkenney at gmail.com>:
>>> Yay, it works. Congratulations if you read this far...
>
>> I did.  However you didn't address my basic point, which is that you
>> are still trusting the network not to mislead you about the true end
>> point(s) you are talking to.
>
> ...no, I don't trust the network.  I trust my browser to tell me if
> there is a certificate problem which indicates that the network _did_
> mislead me, and in the absence of this, assume that I am talking to
> who I think I am talking to.  (Same way I trust ssh to tell me if
> there is a host key problem with the sshd server I think I am talking
> to).
>
> Well, we really are getting beyond my day-to-day expertise, but a
> moment's research shows me that it really is just the same thing over
> again.  The Certificate Authority ("CA" from here on in) generates a
> public/private key pair, and arranges to have the public half
> distributed with the major browsers.  They use the their secret,
> private half of the key to demonstrate to you that they really are who
> you expected when your browser queries them, before they further
> guarantee that your https server's certificate belongs to who you
> think the https server is.

I was not aware that the CA system worked through a simple
public/private key pair (well not aware how it worked at all).
Actually your browser does not contact the CA at all during the setup
of the https session.  The verification is accomplished through use a
digital signature, supplied entirely from the bank's website or
whomever.

I agree in that case you don't need to worry about the integrity of
your endpoint, if you trust the ability of the CA to keep their
private key secret.  I am curious what protections they have in place
to detect that it's been accessed somehow - or what malicious efforts
might be out there to break the key(s)...  Breaking keys on a routine
basis is unfeasible, but if all you need is one key to get access to
large amounts of financial data, that might be worth the effort of
having 100,000 botnet computers under your control working on it?

> Last question: do I trust that end-point organization?
>
> If yes, then we're done.
>
> As I understand it, the whole shebang is intended to remove any
> question of trusting any computer or network at all, and by means of
> cryptography, elevate the position of trust to that in people and
> organizations.  You have to trust the folks at mozilla, verisign, and
> RBC, but not the manufacturers and coders of all the computer hardware
> and software that runs the huge network upon whose digital waves we
> happily surf.

Heh, elevating is an interesting choice of word.  Generally I think
it's accepted that computer and network security is already more
secure than people?  ;)


Jason



More information about the nSLUG mailing list