----- Original Message -----
From: "David Schwartz" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Thursday, December 07, 2006 6:49 PM
Subject: RE: HTTPS security model
> > > OK, I'm going to take a humourous punch at what you just said; if
> > > authentication and authorization are the same thing, why are both
> > > required? Isn't one enough? Please make up your mind...
>
> If A and B are the same thing, either neither is required or both are
> required. Everything true about one must be true about the other.
>
> But what I'm really trying to say is that to get any of the guarantees HTTPS
> is intended to provide, you need both. So they are the same thing in the
> sense that one without the other is no better than neither.

Actually, David, the truth is that you're really not getting these guarantees that you're looking for. The problem is that the entire https authentication scheme's guarantee that site A is really site A is completely dependent on site A using a root CA certificate that is present in the web browser. This would NOT be a problem if all web browsers were distributed WITHOUT existing root CA certificates and the users were required to use an out-of-band method to install root CA certificates. Like for example having Verisign mail them a disk directly with its root CA. But this isn't the case; instead browsers are distributed with root CA certificates already in them. In other words, you're placing your trust that site A is really site A entirely in the hands of the person or organization or group that is releasing the web browser. While I might be convinced that the Firefox developers really have placed the real live root CAs into Firefox, and that when I download and install Firefox the root CAs that are in Firefox are really and truly the real root CAs for those roots, I just do not have the same trust in Microsoft. Perhaps you do.

Think of it another way. I'm a cracker. I want to spoof Amazon. So what I do is I make up a fake VeriSign/RSA Secure Server CA certificate. I then put this into a program that I use a social engineering crack to get the user to install (i.e. download and run a free game, etc.).
Windows XP runs regular users as Administrator, so when my game install program runs it can whack out the existing root CA store that Microsoft uses under Windows and replace it with my own modified one. My installer also adds www.amazon.com to the local hosts file pointing to my fake website. All I now have to do is sign the certificate that I'm running on my fake website with my fake VeriSign CA certificate and I'm in like Flynn. What is even better is that if the user somehow manages to access the REAL Amazon website, they will get a certificate error!!! I will point out that Microsoft recognized this, which is why Windows Vista no longer runs IE 7 under the administrator privilege.

Let's look at another scenario. I'm an ISP. I want to use cheap self-signed certificates on all my webmail and other servers without paying Verisign. So all I have to do is create my root CA, and take a copy of Microsoft Internet Explorer, make up a custom install of it that includes my root CA, using the developer tools that Microsoft has available for ISPs to use to create "branded" installs of Internet Explorer; then when my new customers are "signing up" for my service and installing my dialer program, they also install my copy of MS IE which has my root CA in it. Since I sign all my certificates with my root CA, I am in effect creating self-signed certificates without a 3rd party, and my users are not getting complaints when they hit my sites. Once again defeating this much vaunted 3-way-party https security model you are so fond of.

David, one of these days you will wake up and understand that the only real way to have workable security is to have an educated user behind the wheel. The https model was designed with a flawed premise - that is, that it's possible to have high security with completely uneducated, stone dumb, moron users running the web browser. We will just make the ecommerce sites pay some extra money and <bling> the Net Fairies will make it all secure.
You can no more have safe web browsers by ignorant web browser users than you can have good drivers who don't know how their vehicle operates. This is one of the big flaws in our society today: this idea that life is way too complex for the average person to understand how anything really works. So we gotta make all the devices so that an ignoramus can operate them. This leads to school systems that graduate kids who know how to work advanced Algebra formulas that they will never use as an adult, yet do not understand the principles of how an internal combustion engine operates, or how a petroleum refinery operates, yet are given voting power over the foreign oil policy of the country.

Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
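The message above names the two local tampering points that undermine the HTTPS trust model on a client: the root CA store and the hosts file. As an added example that is not part of the original thread, the following Python script shows the defender-side check for both: it diffs the set of root certificate fingerprints found on a host against a baseline captured from a known-good install, and it scans a hosts file for entries that redirect watched domains to non-loopback addresses. All input is constructed sample data; the fingerprints are hashes of placeholder byte strings, not real CA fingerprints, and the script assumes the installed fingerprints have already been exported from the platform store (for example with `certmgr` or `Get-ChildItem Cert:\` on Windows) rather than reading the store itself.

```python
"""Audit a client's trust anchors and hosts file against a known-good baseline.

Added example, not code from the openssl-users thread. All data below is
constructed; the root fingerprints are placeholders derived from fake bytes.
"""
import hashlib
import ipaddress


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_bytes).hexdigest().upper()


def diff_root_store(installed_fingerprints, baseline_fingerprints):
    """Compare root fingerprints found on a host with the known-good baseline.

    Returns (unexpected, missing): roots that were added behind the user's back
    are the interesting ones, but removed roots are reported too.
    """
    installed = set(installed_fingerprints)
    baseline = set(baseline_fingerprints)
    return sorted(installed - baseline), sorted(baseline - installed)


def parse_hosts(hosts_text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _matches(name, domains):
    # Exact match or a subdomain; "notamazon.com" must not match "amazon.com".
    return any(name == d or name.endswith("." + d) for d in domains)


def find_hosts_overrides(hosts_text, watched_domains):
    """Return hosts entries that point a watched domain at a non-loopback IP."""
    watched = [d.lower() for d in watched_domains]
    hits = []
    for ip, name in parse_hosts(hosts_text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue  # localhost entries are normal
        except ValueError:
            pass  # malformed address: still report it if the name matches
        if _matches(name, watched):
            hits.append((ip, name))
    return hits


# --- constructed sample input -------------------------------------------
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.amazon.com amazon.com   # injected override (TEST-NET address)
192.0.2.11      mail.example.net
"""

BASELINE_ROOTS = {
    cert_fingerprint(b"constructed root A"),
    cert_fingerprint(b"constructed root B"),
}
# The "installed" store carries one root the baseline never had.
INSTALLED_ROOTS = BASELINE_ROOTS | {cert_fingerprint(b"constructed injected root")}


def audit(hosts_text=SAMPLE_HOSTS, installed=INSTALLED_ROOTS,
          baseline=BASELINE_ROOTS, watched=("amazon.com",)):
    """Run both checks and return the findings as a dict."""
    unexpected, missing = diff_root_store(installed, baseline)
    return {
        "unexpected_roots": unexpected,
        "missing_roots": missing,
        "hosts_overrides": find_hosts_overrides(hosts_text, watched),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The baseline is the important design choice: it has to be captured out of band from an install you trust (the same point the message makes about root CAs), otherwise the audit only confirms that the store agrees with itself.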