> Actually, David, the truth is that your really not getting these > guarentees that > your looking for.
Correct. In a technical sense, *you* do not get the guarantees, your end of the HTTPS connection does. Whether you choose to trust your end or not is a separate issue. > The problem is that the entire https authentication scheme's > guarentee that > site A is really site A is completely dependent on site A using a root > CA certificate that is present in the web browser. It's all a matter of perspective. What HTTPS actually guarantees is that only source of and listener to my conversation is the owner of the presented certificate, and the certificate actually was issued by the organization it claims to be of. What I (by which I mean my computer/browser) choose to do with that assurance is my business. It is, of course, possible to reach a false conclusion from that information. However, the information is always sufficient to reach a true conclusion, and that's all HTTPS can provide. > In other words, your placing your trust that site A is really site A > entirely > in the hands of the person or organization or group that is releasing > the web browser. That assumes you do not modify the list of root CAs in any way. But you also get to choose what web browser you use. HTTPS provides guarantees to your computer/endpoint. What your software chooses to do with that is your business. Nothing about HTTPS requires you to use a browser that comes with certificates, and not everyone does that. (A lot of HTTPS connections have the client endpoint implemented by software whose sole purpose is to obtain some type of information not intended for direct human viewing.) > While I might be convinced that the Firefox developers really have > placed the real live root CA's into Firefox, and that when I download and > install Firefox the root CA's that are in Firefox are really and truly the > real root CA's for those roots, I just do not have the same trust in > Microsoft. > > Perhaps you do. I think that's kind of a crazy thing to say. For what possible reason would Microsoft want my credit card information to leak to a cracker? For what possible reason would Microsoft want my computer to be hijacked? > Think of it another way. I'm a cracker. I want to spoof Amazon. So > what I do is I make up a fake VeriSign/RSA Secure Server CA certificate. > I then put this into a program that I use a social engineering crack to > get the user to install. (ie: download and run a free game, > etc.) Windows > XP runs regular users as Administrator so when my game install program > runs it can wack out the existing root CA store that Microsoft uses under > Windows and replace it with my own modified one. My installer also > adds in www.amazon..com to the local hosts file pointing to my fake > website. > > All I now have to do is sign the certificate that I'm running on my fake > website > with my fake VeriSign CA certificate and I'm in like flynn. What is even > better is that if the user somehow manages to access the REAL amazon > website, thye will get a certificate error!!! I think that has nothing to do with anything. Why even bother? Why not just trap my keystrokes and wait for me to enter my credit card info into any program at all? If you can take over my computer, why limit yourself to just what passes over HTTPS? > I will point out that Microsoft recognized this which is why Windows Vista > no longer runs IE 7 under the administrator privilege. > > Let's look at another scenario. > > I'm an ISP. I want to use cheap self-signed > certificates on all my webmail and other servers without paying Verisign. > So all I have to do is create my root CA, and take a copy of Microsoft > Internet Explorer, make up a custom install of it that includes my root > CA, using the developer tools that Microsoft has available for ISP's to > use to create "branded" installs of Internet Explorer, then when my new > customers are "signing up" for my service and > installing my dialer program, they also install my copy of MS IE which has > my root CA in it. Since I sign all my certificates with my root CA, I am > in effect creating self-signed certificates without a 3rd party, and my > users are not getting complaints when they hit my sites. Once again > defeating this much vaunted 3-way-party https security model you are > so fond of. That does not defeat the security model at all. That causes the model to do exactly what its implementers want it to do. To call that defeating the security model is arguing that me not being able to withdraw a million dollars I don't have from my bank account defeats the bank's security model just because *I* want to withdraw a million dollars I don't have and the security model won't let me. A security model is defeated if it doesn't do what its implementers want it to do. If it does precisely what its implementers want, then the security model has done all it can do. It can't make the implementation what you might want and it's absurd to expect it to. > David, one of these days you will wake up and understand that the only > real way to have workable security is to have an educated user behind the > wheel. I think that's backwards. The user can *always* screw himself a billion ways. So long as the user can *only* screw himself, the security is workable. Security protects a smart user from a smarter adversary. Nothing protects a dumb user from themself. > The https model was designed with a flawed premise - that is, > that it's possible to have high security with completely uneducated, stone > dumb, moron users running the web browser. We will just make the > ecommerce sites pay some extra money and <bling> the Net Faries > will make it all secure. The user can always screw himself by posting his credit card info to USENET. > You can no more have safe web browsers by ignorant web browser users > than you can have good drivers who don't know how their vehicle operates. > > This is one of the big flaws in our society today, is this idea > that life is > way > too complex for the average person to understand how anything > really works. > So we gotta make all the devices so that an ignoramus can operate them. There once was a time when you pretty much had to be a mechanic to operate a car. Technology enabled cars to be more complex inside and yet simpler to use. I think that's a good thing. I think it's unfortunate that computers require so much expertise just to do tasks that really should become part of the ordinary things we do in life. > This leads to school systems that graduate kids who know how to work > advanced Algebra formulas that they will never use as an adult, yet do not > understand the principles of how an internal combustion engine operates, > or how a petroleum refinery operates, yet are given voting power over the > foreign oil policy of the country. I think it's unfortunate that you seem to equate ease of use with dumbing down. Perhaps we should make people put their own computer together out of parts before they are allowed to run a word processor. Can they buy a CPU or should they lay it out on rubylith themself? While it's true that you do need to be pretty smart these days to use a computer safely, I think that's unfortunate. It's sad that people have stopped using computers to connect with other people and learn about their world because they can't deal with the sophisticate assaults on them. Things really can be easy to use without being dumbed down for those who want to get into the nitty gritty. It's just *hard* to get that right. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
