Re: Low security SSL sites
Peter 128 128 128 128 128 128 128 128 128 128. [Snip] Ignore the numbers, concentrate on the security. iang 128 ^ 128 (my 128 is better than your 128) Actually you should have used 128+1, because real cryptographers' keys go to 129. LOL... For those who do not understand the reference, check out the cult classic film _Spinal Tap_. Quite apt. iang ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Heikki Toivonen [EMAIL PROTECTED] writes: Ian G wrote: Peter Gutmann wrote: 1. Disable SSLv2 in your browser (i.e. take it to the state that it should have been shipped in in the first place). Right. Perhaps we should file a bug? Something like?: https://bugzilla.mozilla.org/show_bug.cgi?id=106604 https://bugzilla.mozilla.org/show_bug.cgi?id=247830 https://bugzilla.mozilla.org/show_bug.cgi?id=247969 But look at the timeline on some of those things. 6532 (another disable- SSLv2) was filed in 1999, and it's still marked as New. Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ka-Ping Yee wrote: I believe the problem is that right now a lot of people are expecting or led to expect CAs to do job (b), but they don't do that. Some do, some don't. Work is in progress to differentiate between the two in the browser UI. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: They have no incentive to do so, and even if they did, they'd be ignored. People widely ignore the fact that when Verisign says trusted it means one thing, and when Comodo says trusted it means another thing. Until this is fixed, there is no point in (b) so we see what we see - a race to be the one who sells the most control-of-domain certs. This is rational behaviour on the part of CAs, and is totally the browser's doing. Indeed. But the CAs mostly don't like it, and I hope we're going to be able to fix the browser to remove the incentive for this behaviour. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: Peter Gutmann wrote: 1. Disable SSLv2 in your browser (i.e. take it to the state that it should have been shipped in in the first place). Right. Perhaps we should file a bug? Something like?: https://bugzilla.mozilla.org/show_bug.cgi?id=106604 https://bugzilla.mozilla.org/show_bug.cgi?id=247830 https://bugzilla.mozilla.org/show_bug.cgi?id=247969 -- Heikki Toivonen ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: Nelson explained this a while ago ... until the browsers go to SSL3 / TLS 1.0 they cannot handle virtual hosts. Ian, If you're going to attribute explanations to me, please be sure you get them right. Today the browsers support all 3: SSL2 SSL3 TLS1 The new TLS extensions are incompatible with SSL2. So until support for SSL2 is dropped, browsers will not use the TLS extensions. However, in your case, that's probably not really such a big deal. SSL has had the ability to support multiple domain names in a single cert for years. Numerous CAs now offer certs with multiple domain names. You can serve the multiple domain names you want to serve with a single cert. The browser will send the intended domain name in the http header, as in non-secured browsing. So my suggestion at the time was to simply set a time schedule and state in a PR that Firefox switches over to TLS 1.0 at a certain date, and sites using SSL2 would suffer. Any time mozilla disables a feature that works in IE, it only costs mozilla marketshare. People who cannot reach a popular site with mozilla cite this as another reason to go back to IE. (name them and shame them, I say. Take no prisoners!) Try looking through the bug database for SSL2 bugs. There is a bug whose only purpose is to track SSL2-only sites. The other browsers would no doubt follow suit. See the explanation above. If IE dropped it, the other browsers with less market share would probably also immediately do so. But none of them want to lose market share to the others. -- Nelson B ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Julien Pierre wrote: You still have the ability to use alternate ports for your 2 extra SSL servers, using your single IP. If you must use the same port, all may not be lost. You might be able get a single cert with all 3 hostnames in it, for example. If you want to use different certs or cipher suites, only have one IP address, and must use the same port, then you are indeed stuck today. One tiny problem, although I'm not sure how many would be effected, however some proxies and firewalls prevent access to ports other then 443/80 etc... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Jaqui Greenlees wrote: Peter Gutmann wrote: You can see where the magic-numbers problem has lead with the magic number 128. Provided that you mention this magic number somewhere in your marketing literature, your product will be regarded as secure no matter how bad it is in practice. ~snip~ Peter 128 128 128 128 128 128 128 128 128 128. You know why they think that about 128 don't you? after all if it had not been classified as munitions, and export of the 128 bit encryption controlled, then people wouldn't think it was as good as they do. yup, the 128 bit being controlled for export to other countries, made quite the impression. From what I recall, there is still an import restriction on anything bigger than 128 bits into France. All a bit weird. I actually think the IETF policy of totally ignoring any number policies is the smartest thing they've ever done. Discussing numbers causes more wheel spinning than any other things, it seems. Ignore the numbers, concentrate on the security. iang 128 ^ 128 (my 128 is better than your 128) -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: And ... my point is that the difficulty of numbers that you refer to is equally applicable to any other metric we might come up with. Literally, your commerce v. non-commerce differentiation is equally fraught. The two are not equivalent. If the distinction is made by, say, an icon then you can change the internal definition of what produces that icon in future builds without requiring user retraining. It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: Nelson B wrote: Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? This one: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? -- Nelson B ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelen stars would be a perfect example. The users would see the michelin man, and the three stars, and know that the michelin man says three stars. Good solid brand and solid system. If michelin were to much it up, their brand is at risk, and users would start following other brands. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
On Mon, 18 Apr 2005, Ian G wrote: Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelen stars would be a perfect example. [...] If michelin were to much it up, their brand is at risk, and users would start following other brands. It seems to me that the browser's job should be to provide the infrastructure that makes it possible for people to establish such rating brands, rather than to be held responsible for the ratings themselves. The two purposes are separable -- (a) consistent identification and (b) trustworthiness ratings. I believe the problem is that right now a lot of people are expecting or led to expect CAs to do job (b), but they don't do that. They only really try to do job (a), and do even that quite poorly. Since the browser can take care of (a), CAs in their current function are unnecessary. If CAs want to go ahead and do (b), fine, but then they better start acting like it. -- ?!ng ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability in newer versions of SSL v3/TLS v1 are not available. As many people (me, for example) have limited access to single IPs, this means I can only have one SSL site. Or, more practically, the half dozen of us sharing one server are limited to one SSL site. Luckily I got there first on my server! But it still means that 2 other sites that I want run over SSL cannot be so done. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ka-Ping Yee wrote: On Mon, 18 Apr 2005, Ian G wrote: Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelen stars would be a perfect example. [...] If michelin were to much it up, their brand is at risk, and users would start following other brands. It seems to me that the browser's job should be to provide the infrastructure that makes it possible for people to establish such rating brands, rather than to be held responsible for the ratings themselves. The two purposes are separable -- (a) consistent identification and (b) trustworthiness ratings. Yes, indeed. I believe the problem is that right now a lot of people are expecting or led to expect CAs to do job (b), but they don't do that. They only really try to do job (a), and do even that quite poorly. Since the browser can take care of (a), CAs in their current function are unnecessary. The way the browsers are currently built, they expect that a CA provides a cert and it at least has something like a control-of-domain capability. Now, it seems that given that, the CAs must play their part in (a) too. I'm going to ignore the alternate, because there is no support for it. If CAs want to go ahead and do (b), fine, but then they better start acting like it. They have no incentive to do so, and even if they did, they'd be ignored. People widely ignore the fact that when Verisign says trusted it means one thing, and when Comodo says trusted it means another thing. Until this is fixed, there is no point in (b) so we see what we see - a race to be the one who sells the most control-of-domain certs. This is rational behaviour on the part of CAs, and is totally the browser's doing. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian, Ian G wrote: Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability in newer versions of SSL v3/TLS v1 are not available. As many people (me, for example) have limited access to single IPs, this means I can only have one SSL site. Or, more practically, the half dozen of us sharing one server are limited to one SSL site. Luckily I got there first on my server! But it still means that 2 other sites that I want run over SSL cannot be so done. You still have the ability to use alternate ports for your 2 extra SSL servers, using your single IP. If you must use the same port, all may not be lost. You might be able get a single cert with all 3 hostnames in it, for example. If you want to use different certs or cipher suites, only have one IP address, and must use the same port, then you are indeed stuck today. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Julien Pierre wrote: Ian, Ian G wrote: Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability in newer versions of SSL v3/TLS v1 are not available. As many people (me, for example) have limited access to single IPs, this means I can only have one SSL site. Or, more practically, the half dozen of us sharing one server are limited to one SSL site. Luckily I got there first on my server! But it still means that 2 other sites that I want run over SSL cannot be so done. You still have the ability to use alternate ports for your 2 extra SSL servers, using your single IP. If you must use the same port, all may not be lost. You might be able get a single cert with all 3 hostnames in it, for example. If you want to use different certs or cipher suites, only have one IP address, and must use the same port, then you are indeed stuck today. except for one small thing, most hosting companies are not that obnoxious as to say no you can't use different ports. you are paying for the services you should be able to use them without errors, or they are in breach of service agreement. -- The Best Spam Campaign: snail mail a can of spam to local ( state / province ) leaders, as well as national leaders. With a note: use funds to feed homeless and poor in our country before sending foreign aide ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
RE: Low security SSL sites
Hi Peter, When the Network Solutions monopoly in the domain name world ended sometime in mid 1999, the biz was split into two parts - the registrar who can sell domain names, and a the registry who manages the central authoritative database of all .com, .net (and at the time .org) domain names. This split was tightly regulated, requiring a Chinese Wall between the two and lots of tedious organizational conflict of interest training for those involved. VeriSign acquired NetSol in mid 2000 and then sold only the registrar biz in 2003. So...VeriSign != NetSol (at least not since 2003). I do agree however that we should have fixed the SSLv2 issue way back when. For what its worth the issue was raised internally...I guess you cant win them all... Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann Sent: Thursday, April 14, 2005 11:11 PM To: mozilla-security@mozilla.org Subject: Re: Low security SSL sites Deacon, Alex [EMAIL PROTECTED] writes: It should be noted that VeriSign sold the registrar division of Network Solutions (including the brand) back in 2003. It is no longer has any affiliation with VeriSign. Sure, but I kept the association with Verisign because (a) they did own them at one point and really should have fixed it then (heck, it should have been fixed ten years ago), and (b) the separation between Verisign and NS isn't very clear. See e.g. http://www.verisign.com/products-services/naming-and-directory -services/: VeriSign is the authoritative directory provider of all .com, .net, .cc, and .tv domain names, and an industry leader in Naming and Directory Services to globalize access to the Internet. [...] VeriSign operates the largest infrastructure in the world as the COM NET Registry. Maybe it's just me, but that text is saying that VeriSign == NS, even if they have different names. Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Peter Gutmann wrote: You can see where the magic-numbers problem has lead with the magic number 128. Provided that you mention this magic number somewhere in your marketing literature, your product will be regarded as secure no matter how bad it is in practice. And of course 256 will be the new 128. Those who tried out my SSL test site at https://www.hecker.org/ will note that I am now 2^128 times more secure than your typical e-commerce site, at the leading edge of this exciting new trend in security :-) Frank -- Frank Hecker [EMAIL PROTECTED] ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? Stopping people using crypto should be a hanging offence. Come the revolution, they will be the first against the wall...) iang -- Nelson B ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: I'd say 40 bit is good enough for banking, and 128 bit is good enough for banks :-) As the TLS people have now added a 256 bit protocol suite, they no doubt think that only 256 should be used by banks... I think you may have missed my point, which was: a number is still a number, and the user has to attach meaning to it, and needs teaching to do so. I assert that this is undesirable. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Gervase Markham wrote: Ian G wrote: I'd say 40 bit is good enough for banking, and 128 bit is good enough for banks :-) As the TLS people have now added a 256 bit protocol suite, they no doubt think that only 256 should be used by banks... I think you may have missed my point, which was: a number is still a number, and the user has to attach meaning to it, and needs teaching to do so. I assert that this is undesirable. Good point :) And ... my point is that the difficulty of numbers that you refer to is equally applicable to any other metric we might come up with. Literally, your commerce v. non-commerce differentiation is equally fraught. So we have a dilemma: either give the user the facts, and suffer that the users might not be able to work it out, OR, give the user a subjective judgement, and run the gauntlet of hiding the real situation from the users, and getting the subjective judgement wrong. In uncertainty, I generally suggest sticking to the facts. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Nelson B wrote: Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? This one: Nelson B wrote: Julien Pierre wrote: There is a TLS extension called server name indication. It is currently not implemented by NSS . There are RFEs, you can search bugzilla. I'm not aware of any client or server that implements this extension at this time, The big impediment to this is the continued existance of SSL2-only servers. There are still some big-value heavily-used SSL servers out there that speak only SSL2. Here's one:https://webmail.aol.com/ In order to use the server name indication TLS extension, the client must send out an SSL3/TLS style client hello message as the first message it sends to the server. And today, most browsers do not do that. They send out SSL2 style hellos, which cannot use that extension. Here's why. If the client sends an SSL3/TLS style hello to the server, and the server is an SSL2 (only) server, the server will misinterpret this SSL3/TLS style hello as a very large SSL2 style record, and will wait a long time (maybe as little as 30 seconds, or maybe much longer) for the rest of the message to come in. This appears to a browser user as a hung connection, and tends to anger browser users (damn browser!), even though it is no fault of the browser's. To avoid that, browser products continue to this day to send out ssl2-style client hello messages, which make SSL2 servers happy, and which SSL3/TLS servers interpret as SSL3/TLS hellos. But there is no way to put the new server name indication into an SSL2-style client hello. When all the big-value SSL servers finally all upgrade to newer server software than understands more than just SSL2, I think you'll see this new server name indication come into play. -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. Putting up a number in the status bar should be sufficient. If you want to go over the top and actually warn the user that 40 bit crypto is less than optimal, then put up one of those red bars with the little X on it. Popups should only be used for things that demand attention, and 40 bits is 40 bits better than 0 bits, so no attention is needed for infinitely preferable security. (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. Stopping people using crypto should be a hanging offence. Come the revolution, they will be the first against the wall...) iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. Putting up a number in the status bar should be sufficient. If you want to go over the top and actually warn the user that 40 bit crypto is less than optimal, then put up one of those red bars with the little X on it. Popups should only be used for things that demand attention, and 40 bits is 40 bits better than 0 bits, so no attention is needed for infinitely preferable security. Gervase pointed out that using absolute numbers could be a bad thing, as you'd have to keep training users when a new standard was made, so why not use percentages instead... This certificate is 50% good (128/256) or 15% good (40/256) then you just alter the top number, or even subtract for bad protocols, I'm sure people would get the idea pretty quick and it would be consistent, even when things change in future... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
RE: Low security SSL sites
Hi Peter, It should be noted that VeriSign sold the registrar division of Network Solutions (including the brand) back in 2003. It is no longer has any affiliation with VeriSign. Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann Sent: Wednesday, April 13, 2005 12:06 AM To: mozilla-security@mozilla.org Subject: Re: Low security SSL sites Duane [EMAIL PROTECTED] writes: Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... I've had several pieces of mail asking for clarification of my original statement about Verisign, here's how to see this yourself: 1. Disable SSLv2 in your browser (i.e. take it to the state that it should have been shipped in in the first place). 2. Go to https://www.networksolutions.com/ With Mozilla I get an error to say that I can't connect because SSLv2 is disabled. With MSIE it just hangs forever trying to connect, with no indication of what's wrong (Thank Bill kids. Thanks, Bill). I can't remember any more which banking sites had problems with the same thing, it was last year some time, but the Verisign/NS issue is fairly well known (at least among SSL'ers) and they don't seem interested in fixing it. Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Duane wrote: This certificate is 50% good (128/256) or 15% good (40/256) then you just alter the top number, or even subtract for bad protocols, I'm sure people would get the idea pretty quick and it would be consistent, even when things change in future... That's better, but it doesn't address the questions a user actually has. Is 50% good enough for banking? 65%? If I upgrade my Firefox and my bank is now 80% instead of 100%, should I change bank? Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Duane wrote: Ian G wrote: Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. Putting up a number in the status bar should be sufficient. If you want to go over the top and actually warn the user that 40 bit crypto is less than optimal, then put up one of those red bars with the little X on it. Popups should only be used for things that demand attention, and 40 bits is 40 bits better than 0 bits, so no attention is needed for infinitely preferable security. Gervase pointed out that using absolute numbers could be a bad thing, as you'd have to keep training users when a new standard was made, so why not use percentages instead... If you wanted to use numbers, then the cryptographic reference is the paper by Lenstra and Verheul, and supporting docs. Those guys have thought about what the numbers mean, and even though they admit that the assumptions are arbitrary, they have got a relatively consistent framework. As the numbers change, unless you want to select a Pareto-secure set and stick to it, you are far better off just sticking the number there and explaining on the web site what it means. Arguments about 40 bit this and 56 bit that go round and round forever, because there is no strong basis for them in browser work. iang Ref: http://iang.org/papers/pareto_secure.html which includes the references to Lenstra and Verheul. -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
On 04/11/05 23:27, Peter Gutmann wrote: Frank Hecker [EMAIL PROTECTED] writes: Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 [Snip] In Opera, the message must be OKed/cancelled *before the site is even rendered* My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it. This raises the question that we've previously debated on this group: If popping up a warning dialog the right thing to do, or does that just encourage users to blindly click OK? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message? And so on... I don't make any claim to knowing what the absolute right thing to do is. I think the intent isn't so much to warn the users (they'll click OK eventually) but to annoy them sufficiently that they bug the site owners to upgrade their crypto. You don't really need the click-OK, just play a wav of a mosquito while they view the page and render the entire thing in blink and you'll get the desired effect. Peter. That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Duane wrote: Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... Duane, Either you are working for some company and you have a conflict of interest that stops you doing security work. Or you are working to put security out to users. If you have a conflict of interest, it's best if you declare this. If there is something stopping you from dealing directly in the security of users for Mozilla, then let's hear it. That's ok. It's still possible to do great work with conflicts of interest as long as everyone knows what not to ask you to do. Maybe your conflict of interest is that you work with CACert and it is not good to antagonise the other CAs? If so, state that. Otherwise, who is it? Name them. Shame them. Don't worry, they'll ignore you. But those here who are trying to craft security directions for Mozilla will not, and we can only do that if we have the facts. If they are holding up the mozilla users from receiving better security then we need to know. Security does not compromise on facts. It can be poisoned from within as from without, and poisoning from within starts with keeping information confidential. Once there is a lid on information, security stalls. It gells, it stagnates. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Frank Hecker [EMAIL PROTECTED] writes: Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 [Snip] In Opera, the message must be OKed/cancelled *before the site is even rendered* My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it. This raises the question that we've previously debated on this group: If popping up a warning dialog the right thing to do, or does that just encourage users to blindly click OK? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message? And so on... I don't make any claim to knowing what the absolute right thing to do is. I think the intent isn't so much to warn the users (they'll click OK eventually) but to annoy them sufficiently that they bug the site owners to upgrade their crypto. You don't really need the click-OK, just play a wav of a mosquito while they view the page and render the entire thing in blink and you'll get the desired effect. Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Duane [EMAIL PROTECTED] writes: Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... You may as well name 'em since it's fairly well known, it's Verisign (yes, the most trusted name on the Internet) who still require that you use SSLv2 to talk to their servers. A few banks (of all the people who should be aware of proper security) still use it as well. I tried to get wording to kill SSLv2 into the TLS 1.1 spec, while everyone agreed that it was long overdue for retirement there were backwards-compatibility/interop concerns with making it a MUST NOT :-(. Peter. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Gervase Markham wrote: So in two years, time, when the advice changes to 256/2048, they have to learn a new set of numbers? I should issue a better cert for the CAcert website, but it's more common then not that I'm getting 256/1024, and the root cert is 4096, which some software still doesn't handle correctly... Up until the 1.5 version release of java, java apps/binary couldn't handle certs over 1024 bit either... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Duane wrote: Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... Yep me too, it seems netsol still requires SSL2. I wonder how many sites that require SSL2 do so because they are misconfigured accidentally. Anyone know a good reason to support only SSL2 in cases where SSL3 or TLS support is available in the same server (perhaps some old SSL enabled load balancers)? A quick peak reveals that netsol uses Netscape Enterprise 6.x which supports SSL3. I also checked and the AOL site mentioned in an earlier thread and it uses IIS6 which seems to support SSL3 or TLS when run at https:/www.microsoft.com . Both these sites could turn on SSL3/TLS if they wanted to. Anyone know of a non-small site that operates SSL2 using a server that can't do SSL3? ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ram A M wrote: If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. There's some incompatibility that means that the default is set to be SSL2, while there are a few sites out there that still are stuck on SSL2 as server-side protocols. Nelson explained this a while ago ... until the browsers go to SSL3 / TLS 1.0 they cannot handle virtual hosts. So my suggestion at the time was to simply set a time schedule and state in a PR that Firefox switches over to TLS 1.0 at a certain date, and sites using SSL2 would suffer. (name them and shame them, I say. Take no prisoners!) The other browsers would no doubt follow suit. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ram A M wrote: I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in the default config. I have had problems with one domain registrar using it... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Frank Hecker wrote: This raises the question that we've previously debated on this group: If popping up a warning dialog the right thing to do, or does that just encourage users to blindly click OK? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message? Again, this would be a good use for the you are connected to the site you think you are connected to stage (stage 2) of my proposed four-stage model: - you are connected to some site or other - you are connected to the site you think you are connected to (secDNS, weak SSL) - you are connected to the site you think you are connected to and your connection is secure (strong SSL with domain verification) - you are connected to the site you think you are connected to and your connection is secure and safe for banking (SSL with better verification) Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Ian G wrote: Why not just put the number of crypto bits on the status bar, next to the site name, CA name and padlock? I'm surprised at you, Ian. I would have thought the reason was obvious :-) In Opera, the message must be OKed/cancelled *before the site is even rendered* Heavens above! I wonder what they are going to do when an unprotected HTML site asks for a credit card number? Self destruct? Launch an SS18? If there were some way of reliably detecting that they were asking for a CC number, I would seriously consider disabling the form field in Mozilla and refusing to allow it to be re-enabled. Gerv ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site. [...] My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it. I'm surprised nobody has said until now that there's already such a warning dialog for 40 bit crypto (at least in the suite, maybe FF removed it). I don't believe 512 RSA keys trigger it, though. ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Jean-Marc Desperrier wrote: I'm surprised nobody has said until now that there's already such a warning dialog for 40 bit crypto (at least in the suite, maybe FF removed it). I don't believe 512 RSA keys trigger it, though. 512 bit keys are a lot stronger than 40 bit, they are more like about 60 bit. So if you are going to hit 512 bits you are probably going to want to hit 64 bit ciphers as well, which would address all of the older suites I suspect. This highlights a difficult area: it's quite difficult to decide what and where the weaknesses of small keys becomes a problem, and any binary warning is unlikely to be correct or useful in real life. If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. Only about 0.33% of sites are limited to the old 40 bit crypto, but a greater number use 64 bit ciphers. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Gervase Markham wrote: Ian G wrote: Why not just put the number of crypto bits on the status bar, next to the site name, CA name and padlock? I'm surprised at you, Ian. I would have thought the reason was obvious :-) It could be blindingly obvious to others ... but it's not to me! In Opera, the message must be OKed/cancelled *before the site is even rendered* Heavens above! I wonder what they are going to do when an unprotected HTML site asks for a credit card number? Self destruct? Launch an SS18? If there were some way of reliably detecting that they were asking for a CC number, I would seriously consider disabling the form field in Mozilla and refusing to allow it to be re-enabled. Right. But there never will be ... so the alternate is to try and expand SSL usage so that certs can be used to do the job of protecting against spoofing. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Gervase Markham wrote: Ian G wrote: It could be blindingly obvious to others ... but it's not to me! Because 99.99% of users will have no idea what the numbers are, nor will they have any ability to make sensible decisions based on them. Well, they are generally in a much better position to make sensible decisions than anyone else is. So, a necessary step is to give them the information to make those decisions. It might be that they then need to know what the numbers mean, but this doesn't seem to be much of a barrier, no more of a barrier than knowing what a speed limit sign is when driving down the road. when banking, make sure you have 128/1024. when doing sex chat with your boyfriend, make sure you have 40/512. when plotting to overthrow the government, don't do it on less than 256/4096. (The alternative is for a programmer to make the decision for them, but as programmers aren't there when the browser is being used, they can only do that on the scantiest of signals.) iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
Re: Low security SSL sites
Doug Wright wrote: Gerv suggested I post this here for discussion - copied from bug 288693 When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site. For reference: the latest Opera 8 beta does this and displays the message 'This site is using an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?' From reading the Opera forum, it appears the issue is with SSL connections for which the server is using a 512-bit RSA key. (Or to be precise, an RSA key with a 512-bit modulus, if I remember my RSA stuff correctly.) One could imagine Opera or other browsers (like Firefox!) producing similar warnings for SSL connections with 40-bit keys, SSL connections using the SSL 2.0 protocol, etc. In Opera, the message must be OKed/cancelled *before the site is even rendered* My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it. This raises the question that we've previously debated on this group: If popping up a warning dialog the right thing to do, or does that just encourage users to blindly click OK? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message? And so on... I don't make any claim to knowing what the absolute right thing to do is. Frank -- Frank Hecker [EMAIL PROTECTED] ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security