> On Wednesday, 14 August 2013 12:21:15 UTC+3, Kevin Chadwick wrote:
> > > This is because the cheapest CAs do so bad work that the
> > > security is very close to self signed cert.
> >
> > Please show me evidence of startssl being less secure than some of the
> > big CAs that have had major incidents. You only need to send them a CSR
> > too.
>
> Where did I claim that startssl is a problem? My point was that a cert issued
> by the cheapest CA is technically equally valid to one issued by the CA with the
> highest prices and standards. The cheapest CAs simply *cannot do real validation*
> for the money they get and as a result, the value of *all* CA-issued certs is
> lowered because browsers do not make any difference between a cheap CA and a
> high quality CA (assuming one does exist). The EV cert stuff is an attempt to fix
> this, but that's only a political change. Technically an EV cert only has one
> extra extension flag which is always marked as "Not Critical". *Any* CA can
> sign such a cert if they want.

I see, but still there is no such thing as real validation. Either you trust the network, DNS?! and the domain and its admins' ideology, or you have a false sense of security that is really just part of the CA money game. Company verification by a trusted person and matching it to a domain is actually less secure than domain verification without any promises.

> > If someone can MITM they can almost certainly defeat your browser or
> > flash or vlc plugin and then your ssl means nothing, even more so after
> > a bank login and so you have one time passwords and alerts.
>
> If an attacker can successfully implement a MitM attack while you're entering
> your bank's one time password, that one time password provides no additional
> safety. The MitM attacker will simply show a form requesting the one time
> password, and after the correct one time password has been entered, the
> attacker will use the given password to initiate his own session. For extra
> points, the attacker can return an "incorrect password" message to the real
> user and request additional one time passwords as required.

I believe the OTP challenge verifies the on-screen transfer to account number etc., which it asks you to check, but I could be wrong. Scratch that, probably I am wrong considering the faith I have in banks due to the constant blunders such as the wireless bank cards saga.

> > To me you just sound like a profiteer for CAs?
>
> English is not my native language, so I'm not sure what you mean with the word
> "profiteer" in this context.

I don't think that word's part of the native language, sorry. To me profiteer means making extra money where it is not deserved or right to do so, or profiteering without question or consideration.

> Are you asking if I consider the current CA system good? Not by a long shot. I
> believe projects such as http://perspectives-project.org/ and
> http://convergence.io/ are the future.

I'll have to find the time to look into those, thanks.

> I'm trying to argue that the current non-EV certification process is no good
> and self-signed certificates can be used to provide equal security in practice.
> Then we can discuss if browsers should display some kind of "secure"
> indicators for HTTPS connections with non-EV certs/self-signed certificates.
> I believe that the answer should be "no" and this is the "neutral HTTPS"
> which has been discussed in this thread.

Self-signed certs would be even more secure than any other if the right mechanism (the real question we hoped DNSSEC would answer; perhaps DNSCurve and DNSSEC combined would be good enough if the DDoS question can be sorted too) to acquire the fingerprint from the source server, or to serve it to Mozilla based on the submitter's ability to edit the server's SSL pages under that key, was confirmed, perhaps automatically. I know one site that refuses to use CAs and tells users his fingerprint on the site and says you should check them from now on if you care. That's way too impractical for all and open to a first-time attack (like GPG/PGP), but I understand his point.

> I believe that the current EV certificates have roughly equal value to late
> 1990s / early 2000s normal SSL certificates; not very good but still better
> than a self-signed certificate. Absolutely nothing compared to verifying the
> key fingerprint by yourself.
>
> > In fact there is far more evidence that the GREEN EV certs pose more of
> > a false sense of security than 'normal' domain validating certs!
>
> Hence my wish that even EV certs displayed indicators for "encrypted
> connection" instead of "secure site". I'm not a good enough interface designer
> to suggest a good method for that difference. However, if we want to really
> improve security of services the users need to understand this difference.

Good point

-- 
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work together.
Write programs to handle text streams, because that is a universal interface'
(Doug McIlroy)
_______________________________________________________________________

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
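The claim above that EV is "only one extra extension flag ... marked as Not Critical" is worth seeing at the byte level. The following is an added example, not code from this thread or from Mozilla: a small stdlib-only DER walker that lists the extensions of a certificate, reports each extension's critical flag, and pulls the policy identifiers out of certificatePolicies. The Extensions block it parses is constructed by hand inside the script (it is not a real certificate), but the OIDs are the real ones: 2.5.29.19 basicConstraints, 2.5.29.32 certificatePolicies, and 2.23.140.1.1, the CA/Browser Forum EV policy identifier. Any CA can put that OID in a certificate; what the bytes cannot show is the other half of the browser's EV decision, namely whether the issuing root is enrolled for that OID in the browser's root program, which is why a parser like this can only answer "EV policy present", not "EV".

```python
"""Added example: decode X.509 v3 Extensions and expose the EV policy OID.
The sample Extensions block is constructed here, not taken from a real cert."""

BASIC_CONSTRAINTS = "2.5.29.19"
CERTIFICATE_POLICIES = "2.5.29.32"
CABF_EV_POLICY = "2.23.140.1.1"      # CA/Browser Forum EV policy identifier

# --- minimal DER encoder, used only to build the constructed sample ----------

def _length(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_extensions():
    """Constructed Extensions block: critical basicConstraints plus a
    NON-critical certificatePolicies carrying the EV policy OID."""
    basic = tlv(0x30, oid(BASIC_CONSTRAINTS)
                      + tlv(0x01, b"\xff")                 # critical TRUE
                      + tlv(0x04, tlv(0x30, b"")))         # OCTET STRING { SEQUENCE {} }
    policy_info = tlv(0x30, oid(CABF_EV_POLICY))          # PolicyInformation, no qualifiers
    policies = tlv(0x30, oid(CERTIFICATE_POLICIES)        # 'critical' omitted => DEFAULT FALSE
                         + tlv(0x04, tlv(0x30, policy_info)))
    return tlv(0x30, basic + policies)

# --- minimal DER decoder ------------------------------------------------------

def parse_tlv(buf, pos=0):
    """Return (tag, contents, position just past the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    """Decode OID contents; first octet packs arcs 1 and 2 (second arc < 40 assumed)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(extensions_der):
    """Return [(oid, critical, extnValue bytes)] for each Extension."""
    tag, body, _ = parse_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = []
    for _, ext in children(body):
        parts = children(ext)
        ext_oid, critical, idx = decode_oid(parts[0][1]), False, 1
        if parts[idx][0] == 0x01:       # optional BOOLEAN critical, DEFAULT FALSE
            critical = parts[idx][1] != b"\x00"
            idx += 1
        result.append((ext_oid, critical, parts[idx][1]))
    return result

def policy_oids(extensions):
    """Policy identifiers inside certificatePolicies, or [] if the extension is absent."""
    for ext_oid, _critical, value in extensions:
        if ext_oid == CERTIFICATE_POLICIES:
            _, seq, _ = parse_tlv(value)            # SEQUENCE OF PolicyInformation
            return [decode_oid(children(info)[0][1]) for _, info in children(seq)]
    return []

def ev_summary(extensions_der, ev_oids=frozenset({CABF_EV_POLICY})):
    """What the bytes alone say. Whether a browser shows EV UI additionally
    depends on the issuing root being enrolled for that OID (not provable here)."""
    exts = parse_extensions(extensions_der)
    pols = policy_oids(exts)
    return {
        "ev_policy_present": any(p in ev_oids for p in pols),
        "policies_critical": {o: c for o, c, _ in exts}.get(CERTIFICATE_POLICIES, False),
        "policy_oids": pols,
    }

if __name__ == "__main__":
    sample = build_sample_extensions()
    for ext_oid, critical, _ in parse_extensions(sample):
        print(f"{ext_oid:<12} critical={critical}")
    print(ev_summary(sample))
```

Running it prints basicConstraints as critical and certificatePolicies as not critical, with the EV OID present. To inspect a real certificate instead of the constructed sample, feed the contents of the `[3] EXPLICIT Extensions` element of a DER-encoded TBSCertificate to `parse_extensions`; the decoder is deliberately minimal (no indefinite lengths, no policy qualifiers) and should be treated as an illustration, not a validator.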
