"Perry E. Metzger" wrote:
>
> Ian Grigg <[EMAIL PROTECTED]> writes:
> > In threat analysis, you base your assessment on
> > economics of what is reasonable to protect. It
> > is perfectly valid to decline to protect against
> > a possible threat, if the cost thereof is too high,
> > as compared against the benefits.
>
> The cost of MITM protection is, in practice, zero.

Not true! The cost is from 10 million dollars to 100 million dollars
per annum. Those certs cost money, Perry! All that sysadmin time costs
money, too! And all that managerial time trying to figure out why the
servers don't just "work". All those consultants that come in and look
after all those secure servers and secure key storage and all that.

In fact, it costs so much money that nobody bothers to do it *unless*
they are forced to do it by people telling them that they are being
irresponsibly vulnerable to the MITM! Whatever that means.

Literally, nobody - 1% of everyone - runs an SSL server, and even only
a quarter of those do it "properly." Which should be indisputable
evidence that there is huge resistance to spending money on MITM.

> Indeed, if you
> wanted to produce an alternative to TLS without MITM protection, you
> would have to spend lots of time and money crafting and evaluating a
> new protocol that is still reasonably secure without that
> protection. One might therefore call the cost of using TLS, which may
> be used for free, to be substantially lower than that of an
> alternative.

I'm not sure how you come to that conclusion. Simply use TLS with
self-signed certs. Save the cost of the cert, and save the cost of
the re-evaluation.

If we could do that on a widespread basis, then it would be worth
going to the next step, which is caching the self-signed certs, and
we'd get our MITM protection back! Albeit with a bootstrap weakness,
but at real zero cost.

Any merchant who wants more, well, there *will* be ten offers in his
mailbox to upgrade the self-signed cert to a better one. Vendors of
certs may not be the smartest cookies in the jar, but they aren't so
dumb that they'll miss the financial benefit of self-signed certs once
it's been explained to them.

(If you mean, use TLS without certs - yes, I agree, that's a no-win.)

> How low does the risk have to get before you will be willing not just
> to pay NOT to protect against it? Because that is, in practice, what
> you would have to do. You would actually have to burn money to get
> lower protection. The cost burden is on doing less, not on doing
> more.

This is a well known metric. Half is a good rule of thumb. People will
happily spend X to protect themselves from X/2. Not all the people all
the time, but it's enough to make a business model out of.

So if you were able to show that certs protected us from 5-50 million
dollars of damage every year, then you'd be there. (Mind you, where you
would be is, proposing that certs would be good to make available. Not
compulsory for applications.)

> There is, of course, also the cost of what happens when someone MITM's
> you.

So I should spend the money. Sure. My choice.

> You keep claiming we have to do a cost benefit analysis, but what is
> the actual measurable financial benefit of paying more for less
> protection?

Can you take that to the specific case?

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
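The "cache the self-signed certs" step Ian describes is what is now called trust-on-first-use (TOFU) pinning. The following is an added illustration, not code from the thread: a client-side fingerprint cache that pins a server's certificate on first contact (the bootstrap weakness, since whatever is seen first is trusted) and flags any later change as a possible MITM or an unconfirmed key rotation. The host names and the DER byte strings are constructed stand-ins; in a real client the DER bytes would come from the TLS handshake.

```python
import hashlib
from typing import Dict

# host:port -> hex SHA-256 fingerprint of the server's DER certificate.
# In practice this would be persisted to disk, like an SSH known_hosts file.
Store = Dict[str, str]

# Constructed sample "certificates" (arbitrary bytes standing in for DER).
CERT_SHOP_ORIGINAL = b"constructed-der-bytes:shop.example:key-1"
CERT_SHOP_OTHER = b"constructed-der-bytes:shop.example:key-2"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the form browsers and OpenSSL show."""
    return hashlib.sha256(der_cert).hexdigest()


def check_peer(store: Store, host: str, der_cert: bytes) -> str:
    """Classify a presented certificate against the TOFU cache.

    Returns:
      'first-use' - nothing pinned yet; the cert is recorded (bootstrap).
      'match'     - same fingerprint as pinned; no change in key.
      'mismatch'  - fingerprint differs; do NOT update the pin, surface it.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp  # bootstrap: trust whatever we see the first time
        return "first-use"
    return "match" if pinned == fp else "mismatch"


def accept_rotation(store: Store, host: str, der_cert: bytes) -> None:
    """Re-pin after the operator confirmed the new cert out of band."""
    store[host] = fingerprint(der_cert)


def demo() -> list:
    """Walk one host through first use, repeat visit, and a changed cert."""
    store: Store = {}
    host = "shop.example:443"
    results = [
        check_peer(store, host, CERT_SHOP_ORIGINAL),
        check_peer(store, host, CERT_SHOP_ORIGINAL),
        check_peer(store, host, CERT_SHOP_OTHER),
    ]
    return results
```

A mismatch must be acted on by a human or a policy, not silently re-pinned, or the cache gives no more protection than having none.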