Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
Earlier in the discussion there were questions about why a service provider would want to MITM their customers. This has now been answered by a service provider: It's to protect the children. From http://patrick.seurre.com/?p=42

  Three's policy with regards to filtering is intended to ensure that children are protected from inappropriate content when using the internet on their phones [...] This is not about intercepting customer communications but is about the safety of children who use our network.

Note that while they're using Bluecoat hardware to do it, there's no mention of SSL MITM'ing. Another interesting point in the post:

  In addition I asked Three why they were wasting money on Bluecoat's services when any webmaster worth his salt knows how to tailor the webpage provided based on the IP address of the PC making the request. They could produce a page full of innocent images for Bluecoat when they come calling, but save all the unsavoury material for the "real" visitor.

This is already standard practice for malware-laden sites, to the extent that it's severely affecting things like Google Safe Browsing and Facebook's link scanner, because Google and Facebook always get to see benign content and only the end user gets the malware.

Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] Auditable CAs
* Ben Laurie:

> Given the recent discussion on Sovereign Keys I thought people might be interested in a related, but less ambitious, idea Adam Langley and I have been kicking around: http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf.

Why wouldn't the problem we have with CAs now resurface again with the entity which maintains the log?

And why is a new protocol needed? Couldn't you just treat certificates from existing browser CAs as signing requests for an uber-CA which issues traditional X.509 certificates?

Viewed from another perspective, "The CA must publish a list of certificates it has issued" is a perfectly auditable requirement (in particular if you specify availability and format), so if this is what we want, browser vendors could just make it a requirement for being on the root list.

However, this seems rather unrealistic at this point. Therefore, I have written a proposal for a TLS extension which adds some additional transparency regarding the certificates which are floating around, without mandatory publication by the CAs or a third party. It relies on the phenomenon that nowadays, we have a fair number of mobile devices which migrate between networks with and without a clear path, and sufficient local storage capacity to keep track of the certificates they see.

http://tools.ietf.org/html/draft-weimer-tls-previous-certificate-00

I still think the concept is sound, and some discussion in this thread (on TLS-intercepting proxies) makes it clear why the complexity of sending the entire certificate chain is necessary.

(Quite deliberately, this proposal matches my first rule for evaluating improvements to the browser PKI: if more cryptography is proposed, it is unlikely to work.)

-- 
Florian Weimer fwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

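Added example, not part of the message above and not an implementation of the linked draft's wire format: a sketch of the client-side bookkeeping the message relies on, remembering every full chain a roaming device is shown for a host. Comparing whole chains from the root end is what separates "different root" from "same root, different path below it", which a leaf-only comparison cannot do. All class, function and host names are hypothetical, and the certificates are constructed byte strings.

```python
import hashlib
from collections import defaultdict


def chain_fingerprints(chain_der):
    """SHA-256 of every certificate in the chain, leaf first, root last."""
    return tuple(hashlib.sha256(der).hexdigest() for der in chain_der)


def shared_from_root(chain_a, chain_b):
    """Count certificates two chains share, starting at the root end.

    0  -> different roots (e.g. a locally installed enterprise CA)
    >0 -> same root, different issuing path below it
    """
    shared = 0
    for a, b in zip(reversed(chain_a), reversed(chain_b)):
        if a != b:
            break
        shared += 1
    return shared


class ChainLog:
    """Per-host record of every full chain a roaming client has been shown."""

    def __init__(self):
        self._seen = defaultdict(dict)  # host -> {fingerprints: set(networks)}

    def observe(self, host, network, chain_der):
        """Store the chain; return earlier, different chains for this host."""
        fps = chain_fingerprints(chain_der)
        earlier = [(other, sorted(nets), shared_from_root(other, fps))
                   for other, nets in self._seen[host].items() if other != fps]
        self._seen[host].setdefault(fps, set()).add(network)
        return earlier


# Constructed stand-ins for DER certificates (not real certificates).
CLEAR_PATH = [b"leaf-A", b"intermediate-A", b"public-root"]
SAME_ROOT = [b"leaf-B", b"sub-ca-B", b"public-root"]
OTHER_ROOT = [b"leaf-C", b"internal-root"]


def demo():
    log = ChainLog()
    log.observe("mail.example", "home", CLEAR_PATH)
    second = log.observe("mail.example", "hotspot", SAME_ROOT)
    third = log.observe("mail.example", "office", OTHER_ROOT)
    return second, third


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Each report entry is (earlier chain fingerprints, networks where it was seen, number of certificates shared from the root).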
Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
* Adam Back:

> Are there really any CAs which issue sub-CA for deep packet inspection aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc.

Such CAs do exist, but to my knowledge, they are enterprise-internal CAs which are installed on corporate devices, presumably along with other security software.

Even from a vendor point of view, this additional installation step is desirable because it fits well with a per-client licensing scheme, so I'm not sure what the benefit would be to get a certificate leading to one of the public roots.

-- 
Florian Weimer fwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
On 6/12/11 21:52 PM, Florian Weimer wrote:

> * Adam Back:
>
>> Are there really any CAs which issue sub-CA for deep packet inspection aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc.
>
> Such CAs do exist, but to my knowledge, they are enterprise-internal CAs which are installed on corporate devices, presumably along with other security software.
>
> Even from a vendor point of view, this additional installation step is desirable because it fits well with a per-client licensing scheme, so I'm not sure what the benefit would be to get a certificate leading to one of the public roots.

The promise of PKI in secure browsing is that it addresses the MITM. That's it, in a nutshell. If that promise is not true, then we might as well use something else.

If the reality is that it simply makes the MITM a sellable feature, that's a breach of the promise. If the situation is we'll protect you from some MITMs and we'll sell other MITMs over you ... it's a breach of the original terms that were foisted on browsing in the first place...

Now, this doesn't necessarily mean that some MITMs can't be justified. It's more that the original promise is what the users believe. And exceptions like this aren't really tolerated in the beliefs of users. So, we need that debate: what's an exception? what's tolerable? what's the point?

We need to see those MITM certs. So we can understand what the nature of the breach is.

iang

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
Yes, Peter said the same, BUT do you think they have a valid cert chain? Or is it signed by a self-signed company internal CA, and the company internal CA added to the corporate install that you mentioned...

That's the cut off of acceptability for me - full public valid cert chain on other people's domains for MitM, that's very bad. Internal cert chain via adding cert to browser - corporate can go for it, it's their network, their equipment to install software on! (Bearing in mind it's the corporate intention to keep other people off their network with firewalls, network auth etc).

One claim by Lucky if I recall is that the new trend in bring your own device (iphone, android, ipad etc) starts to cause a conflict - becomes complicated for the corporate to expect to install certs into all those browsers. They no longer control the OS/app install.

I think that's true - but in effect if your environment is that security conscious, you probably should not be allowing BYOD anyway - who knows what malware is on it, bypassing your egress is completely _trivial_ with software, or even just config of software.

And anyway since when does your minor inconvenience of installing certs authorize you or CAs to subvert the SSL guarantee and other people's security.

Even people who have internal CAs for certification SHOULD NOT be abusing them for MitM.

Adam

On Tue, Dec 06, 2011 at 10:52:43AM +, Florian Weimer wrote:

> * Adam Back:
>
>> Are there really any CAs which issue sub-CA for deep packet inspection aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc.
>
> Such CAs do exist, but to my knowledge, they are enterprise-internal CAs which are installed on corporate devices, presumably along with other security software.
>
> Even from a vendor point of view, this additional installation step is desirable because it fits well with a per-client licensing scheme, so I'm not sure what the benefit would be to get a certificate leading to one of the public roots.
>
> -- 
> Florian Weimer fwei...@bfk.de
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100 tel: +49-721-96201-1
> D-76133 Karlsruhe fax: +49-721-96201-99

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
On 6 Dec, 2011, at 3:43 AM, ianG wrote:

> The promise of PKI in secure browsing is that it addresses the MITM. That's it, in a nutshell. If that promise is not true, then we might as well use something else.

Is it? I thought that the purpose of a certificate was to authenticate the server to the client. This is a small, but important difference.

If you properly authenticate the server, then (one hopes) that we've tacitly eliminated both an impersonation attack and a MiTM (an MiTM is merely a real-time, two-way impersonation).

The problem is that we're authenticating the server by naming, and there are many entities with a reason to lie about names. There are legitimate and illegitimate reasons to lie about names, and while we know that it's going on, we don't have a characterization of what reality even *is*. We're seeing this in this very discussion.

I also want to see proof that this is going on. I know it is, but I want to see it. These bogus certs are a lot like dark matter -- we know they're there, but we have little direct observation of them.

Jon

[cryptography] DTLS implementation attack?
Anyone have any more info on this? Even just a CVE or 'fixed in' version would be helpful.

http://www.isoc.org/isoc/conferences/ndss/12/program.shtml#1a

  Plaintext-Recovery Attacks Against Datagram TLS
  Kenneth Paterson and Nadhem Alfardan

  We describe an efficient and full plaintext recovery attack against the OpenSSL implementation of DTLS, and an efficient, partial plaintext recovery attack against the GnuTLS implementation of DTLS. We discuss the reasons why these implementations are insecure, drawing lessons for secure protocol design and implementation in general.

Thanks,

- Marsh

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
> This is already standard practice for malware-laden sites, to the extent that it's severely affecting things like Google Safe Browsing and Facebook's link scanner, because Google and Facebook always get to see benign content and only the end user gets the malware.

This is the single greatest side effect of a personalized web -- what you see depends on who you are. Like that is good or something.

--dan

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
d...@geer.org writes:

>> This is already standard practice for malware-laden sites, to the extent that it's severely affecting things like Google Safe Browsing and Facebook's link scanner, because Google and Facebook always get to see benign content and only the end user gets the malware.
>
> This is the single greatest side effect of a personalized web -- what you see depends on who you are. Like that is good or something.

It's always interesting to see how the bad guys adopt some technologies much faster than the good guys. Another example beyond this one is intelligent agents for interacting with online services, which exist mostly as research papers and projects. And banking trojans.

Peter.

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
On Tue, 6 Dec 2011 12:34:37 +0100 Adam Back a...@cypherspace.org wrote:

> Kids figure this stuff out getting through site restrictions on school wifi also. Some schools try to block popular web games.. eg runescape.

Let us not discourage either the children or the schools! This sounds like an excellent way for children to pick up some technical skills and to learn about computer security. If we must condition our children to think that censorship is the norm, at least we can also provide them with some decent education in the process.

-- Ben

-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu

--
If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell