On Thu, February 19, 2015 11:38 am, Jeffrey Walton wrote: > I don't believe this proposal - in its current form - will prove > effective in the canonical cases: (1) CA failure like Diginotar; and > (2) MitM attacks like Superfish. Are there other obvious cases I > missed that this control will be effective? > > Jeff
You're factually wrong in cases like (1), and woefully misguided in cases like (2) if you believe _any_ software, on a general purpose operating system with 1-layer security principals (such as Windows and OS X), can defend against a program with same-or-higher privileges. That's like complaining a program with root access can interfere with your usermode application. Well, yes, that's exactly correct, that's how it's supposed to work. If you can conceive a model where a super-user process would not be able to circumvent, then congrats, you've solved one of the most vexatious problems in computer security, and I know a dozen of anti-virus and anti-malware companies that will let you name your price if only you share your solution with them. Consider the following ways that an application like Superfish could have dealt with this (courtesy of a colleague far brighter than I) - PTRACE_POKETEXT a code modification at runtime - LD_PRELOAD a shim that intercepts strcmp and returns false for "Strict-Transport-Security" - Patch GTK+ (or equiv) so that the lock icon always appears on the omnibox - Rebuild a version of the browser with the code to disable such pinning commented out. There is no sane world in which anything in the HPKP spec can or should deal with this. It's doubly true and hopefully self-evident that "raising the bar" is not at all an acceptable, or even reasonable, justification. Malicious actors have every reason to escalate to more nefarious means (whether for profit or interception), while legitimate actors get shut out or, equally, burrow further into internals and cause worse experiences for everyone. I understand that you disagree. But you're also wrong if you think HPKP can or should have dealt with this. Best regards, Ryan _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec