A healthy dose of paranoia is not a bad thing in a security type. If someone came out of the gate with your statement I'd normally not respond (even if I had plenty of time to do so). Since you seem generally open to reason I'll assume you haven't totally thought this through. My thoughts inline...

On 5/18/05, Duane <[EMAIL PROTECTED]> wrote:
> With the intercept and gag laws in the US as they are, Verisign or any
> other certificate authority can be compelled to issue duplicate
> certificates,

This may be true, I'm not sure that it is. I suppose that a court order is generally compelling so this doesn't sound impossible. On the other hand if there is an easier way to do it that is presumably a greater concern. How hard would it be to get a CA with an easier authentication process to issue a cert for any domain name that you wish that would be trusted by Firefox, IE, and Opera? In any case I think you would go along with any legitimate request made by a legitimate government authority; I would.

> add on to this the fact that browsers don't warn about
> fingerprints on certificates changing

There is some truth / value here but there's a usability issue too - hopefully a balance can be found. Perhaps for a user who participates in high value or high sensitivity transactions this is worth doing; for someone spending $27 online, the intrusion anytime the site renews its certificate or changes CA providers or website hosters (if they use that route) this is probably overkill and will result in further training the user to say OK to anything that pops up.

The right approach here in my opinion is to understand that not every user has the same level of savvy nor the same level of needs. When installing a browser, OS, or any other app a brief interview of the user might be a very nice approach. In the case of a web browser the two obvious questions are:

1) Are you a software geek (how much techno babble do you want to see)?
   a: Are you kidding me? I routinely audit all software I use by capturing it in a debugger [toolbar with drop down of all forms on page with sub-list of all NVs per form, drop down of all IP and DNS names used in page with sub-list of URLs per]
   b: Kind of, show me the stuff you think I will find interesting but don't waste all my screen-estate [show the full URL not just the domain name]
   c: I don't know about this stuff, I know where to find F1 video clips and pictures of animals for my wife. [address bar shows only the domain name]

2) Are you a security expert? How concerned are you about security?
   a: What kind of question is this? I expect you to protect me - that's why I'm using your software! [require signed extensions, require revocation checking]
   b: I'm not paranoid but I'll take all the convenient help you'll give me. [warn on unsigned extensions, require revocation checking]
   c: The internet is safe, I attach a copy of my credit report and ATM pin to every email I write. [show scary dialog boxes for security concerns but make the OK button really big and don't show the CANCEL button]

> and you have a security nightmare
> waiting to happen. Then of course the little issue of Verisign
> controlling/redirecting DNS via proxy servers,

Ok here is where I think you haven't really thought it through. As you are probably aware VeriSign is scrutinized rather carefully. If CACert issues a bad cert - no offense - no one will notice - perhaps this will change in time. If VeriSign changes the root level domain-name-system zone files for a website that is used it will be noticed and it will be talked about broadly; even the smallest change gets noticed and discussed (lurk on NANOG, the North American Network Operator Group email list - the smallest squeak in anything VeriSign does shows up initially as a doomsday warning in that very broadly distributed list).

A simpler approach for the government (or a bad guy) would be to compromise a machine closer to the user than the root-DNS servers - something like an ISP DNS server or a device closer to the edge (user). This would be much harder to detect and is one of the good reasons to use SSL for server authentication and is also a good reason to deploy DNSSEC which VeriSign has been pushing *forever* and looks like it may finally happen in the 'near' future [near in this context is not Internet time but something much slower].

Another easier attack would be to sneak evil-ware onto your machine - most people are using relatively vulnerable operating systems and relatively vulnerable client software - most of which do not require signing nor revocation checking. I can't remember the last time I saw a month go by without learning of an available attack vector. I think this is the target space that is being worked most aggressively today - I'll use SP2 as an example of that, it broke functionality but it made Windows users much better off. I'm hoping we'll see another improvement with IE7 but I'm not going to bet on it until I see it :)

have fun ;)
ram
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
