Posting from Iran, Im really worried about the current security status. Iran's opposition mostly exists on internet these days and its very seriously flawed.
Man In The Middle attacks are increasing and users usually ignore error messages about them.
(Firefox throws an error dialog but it has an 'I understand the risks' button. People just ignore the error).
Also, last year many Iranian FriendFeed users were arrested and the goverment knew about all their private discussions on FriendFeed.
(FriendFeed has been censored since the beggining. But it suddenly became uncensored for a day or two. On the other hand, FriendFeed generates an 'auth' key for each user and lets him see his RSS feed using that key. And puts the auth key in every page: goverment probably collected auth keys and used it to read discussions of people they arrested)
Goverments using internet to spy on their civilians is not a myth. Anonymity, trusting the cloud and related issues seem far more important when you suddenly find out a friend of yours has been arrested and his location and charges is unknown.
"Man In The Middle attacks are increasing and users usually ignore error messages about them"
Note that the reported MiTM attack should not result in a popup warning, because the CA certificate used in the MiTM is supposedly technically valid. Does anybody know which browsers include this CA? Browser vendors should consider removing it based on ethical concerns, especially if this MiTM attack is being performed very broadly, at the country level.
Under such conditions it is obviously unsafe to trust any private communications on the open internet (including sites that use SSL to encrypt data on the wire). You should ONLY use systems that ensure your content is encrypted for a key that YOU (not your browser) explicitly trust. This means using GnuPG and exchanging keys in a reliable offline medium with anyone with whom you want to communicate, basically.
Alternatively, you can use i2p and i2p outproxies, but i2p may be vulnerable to similar poisoning attacks if the government had an interest in perpetrating them. That said, it's probably much safer to use an i2p outproxy for your browsing anyway, and definitely much safer to use eepsites.
How could one technical individual protect himself is one thing, having a secure-by-design communication channel is another thing. Whole country is being spied like that and most people dont even know/care about it. They just want to use Facebook or some 'cool' service.
Security and convenience will always be at odds with one another. If you aren't going to take the precautions, your alternatives are to watch what you write or go to jail. Anything that relies upon any unencrypted traffic for bootstrapping, etc., is unreliable when you're against a state-level player like this, because they can do just what they're doing now and replace the real response with a fake one.
As such, the only way to ensure your electronic communications are safe is to get the information necessary to bootstrap the crypto from a medium where the government has no ability to poison, which means offline transmission (CDs/USB disks). And then you still have to be careful because if the government gets the private key of your compatriot all of your conversations will be readable.
The only way to provide security for the people of Iran in a reasonable manner is to educate them on PGP and key exchange. This is not the time to talk about fairy dust, because it's not going to help anyone at this point. When you're transmitting information that will get you thrown in jail or worse, you don't dink around -- they need something tried and true, and need to understand the risks and costs associated with the communications platforms they're using.
If you want to dork with Facebook and see pictures of your neighbor's cat, that's fine, but in my opinion, it's not worth the risk (if any), and it's useless to want/expect meaningful security. I don't even know if seeing pictures of cats is a problem in Iran. :-)
If you want to communicate with other people securely, then, in my opinion, then everyone in that communications group needs to consider learning information security and operational security, and then applying it. It's not simple, it's not easy, but if you want to be secure, you're going to have to plan to be serious.
It's a catch 22 when it comes to repressive regimes. You've swapped keys and are communicating with all your friends on a perfectly secure network. Now you and your friends are in jail on charges of conspiracy.
The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
Image steganography? It's available to almost anyone, a plain-sight method with an expected amount of natural noise. If you use a small enough payload, it is essentially deniable and undetectable.
>The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
That's steganography, and there are some open source programs for that. Steghide[1], for example, can hide encrypted data in JPEG images.
Stego's actually great here. Stay on the insecure or 'fake-secure' (ala this MITM) links and put out a cover story for yourself. Then communicate for realsies on stego.
And.. if your cover gives reason for you to put out a lot of data in forms that are easily stego'd, you're in good shape.
Azizam, unless you actually know the players involved in every hop of the loop, do not put your precious life in danger. If you are looking to organize, like a smart bache Terani you should go asymmetric on the the goons. Think sneaker nets, etc. I further suggest that you do not put your trust in superficially maintained hostilities between the west and the flea ridden mullahs. Remember those two brothers handed to Iran from US embassy. In one of those Persian Gulf states. They were hanged if you recall. Stenography, never signaling overt use of crypt, etc. are recommended. Qorbanat.
If you expect that you would only get targeted if you actively communicate about things your government doesn't like, but not just because you use a VPN or similar, then you should get a VPN in a country somewhat less likely to cause you problems.
If you expect that the use of secure encryption at all would get you disappeared, you're screwed. And the previous situation can turn into this one on a whim.
Either way, the long-term solution does not involve technology; it involves emigration.
I don't know how is in Iran, but I can tell you how it was in Romania before 1989 (and I guess that's pretty close to what is happening there).
It was close to impossible to emigrate legally, they would use anything to stop you. They would make you lose your job (or even do that to members of your family), they would interrogate you and members of your family (and don't think about any human rights).
A friend of my father was shot on the spot when they saw he was using a boat to cross the Danube to Yugoslavia.
It's not that simple to escape, especially with your family. You're living in a different world.
I certainly would assume the same holds true, yes; I didn't intend to imply otherwise. It still seems like the right long-term solution, just a very difficult one.
Since you are posting from Iran, can you verify this certificate is indeed being presented?
Also, how are people sure this is being perpetuated by the Iranian government? I'm asking because I see no evidence in the pastebin dumps, yet many people here seem sure the Iranian government is behind this.
My brother works in a company that produces spying software for government. Days ago, he told me he himself has written several programs to spy on yahoo, hotmail and gmail but he thought they couldn't deploy the gmail program because of https. I guess, he should think again.
I am scared. My only hope was SSL and I can't trust that anymore?
A government agency in Iran has obtained the private key of the root certificate for the DigiNotar Certificate Authority. And with that, they can decrypt and re-encrypt SSL traffic by pretending that they have the valid SSL certificate for *.google.com.
That's one possibility, and quite scary because someone with that private key could hijack any SSL connection to any site, not just Google. More likely is that Iran caused DigiNotar to issue them a valid .google.com certificate via social engineering, bribery, or hacking. This is slightly less scary because only .google.com would be affected.
Either way, IMHO DigiNotar's root certificate should be revoked and they should be barred from participating in the CA system ever again. The seriousness of SSL MITM attacks is such that a "one strike and you're out" policy is warranted. With so much commerce running over SSL these days, possession of the private key of a CA's root certificate would allow you to implement plots worthy of a James Bond supervillan.
Great! I'm glad DigiNotar will be punished for this lapse. Too bad it takes a code update to revoke their certificate. This won't be the last CA compromise we see.
Indeed. I strongly suspect too that it's only "the first one we've seen", and not "the first one".
I have very little doubt that most nation-state sized adversaries have the ability to forge whatever certs they want. It's only careful use of those forged certs (or dumb luck) by the agencies using them that have kept them out of the blogosphere...
Yeah, if NSA doesn't have at least one root CA key they're not doing their jobs. What we need is an alternative to the centralized CA system, like TOFU POP MONK.
essentially, they would be MITMing the connection and presenting an SSL cert issued by DigiNotar (instead of the actual CA that issued the cert to *.google.com). because the compromised CA is in the browser's trusted CAs list, it probably produces no user-visible warning.
Either that or they've got the cooperation of someone who has access to that private key, potentially the CA itself. But a compromise seems more likely in this case.
Ofcourse I'm also afraid that this is indeed a MITM attack against Iranian users.
With SSL certs that costs less than $15 you can expect that things cannot be thoroughly checked, however a Wildcard DigiNotar SSL cert is costing you € 750 a year (in a 4 year contract http://diginotar.nl/OnlinePrijsindicatie/tabid/1417/Default....), you would expect that these things would not be possible.
If they however hacked the root CA, it's even more scary, also Vasco (the mother company) makes virtually every Two-factor authentication used for Dutch Banking..
Scary indeed. Also responsible for authentication of DigiD, online taxes, pension funds, Chamber of Commerce, Ministry of Security and Justice, local governments, etc.
Didn't check it myself, but apparently DigiD for instance is on a different CA/root. DigiD is the Dutch "unified account" for all online government services: you can take out student loans, submit taxes, etc.
If you want to disable diginotar's root CA on your Mac (for Safari/Chrome) you can open Keychain Access, select the "System Roots" keychain at the top left, find the diginotar certificate in the list, and delete it (or disable it, which is what I did).
EDIT: This definitely works for Safari, not 100% sure if it does for Chrome after all.
This type of compromised-CA attack is why I never understood why browsers don't use the OpenSSH model: accept and store (prompting for confirmation) the certificate the first time you connect to a site, then throw up enormous red flags if the certificate ever changes.
The Firefox root CA list has dozens and dozens of organizations on it. Could a compromise of any one of them mean that this attack could be repeated?
Because that security model means that a compromised ISP can permanently MITM you the first time you visit a site on any computer for the first time. In exchange for losing the single points of failure, it creates a constant stream of opportunities to break the trust model.
You may think that's a good tradeoff. I don't, but reasonable people can disagree about it. However, it's completely untenable for financial information, because attackers after financial information aren't laser targeted and are perfectly happy with a constant stream of compromised sessions. Remember what TLS was designed for in the first place.
The OpenSSH model implies that you check the fingerprint of the public key before you send encrypted data using that key. That is why SSH shows you the fingerprint of the server key when you first connect, and you have to answer "yes" in order to accept the key and add it to your keyring. You are supposed to have talked to the person managing the system and that person should have given you the fingerprint of the key.
It is virtually impossible for the ISP to intercept and sniff the stream without changing the fingerprint.
"Wrong! Random people will totally verify key fingerprints when they're logging into Google Mail at Starbucks! After all, that's what every sysadmin does with SSH, right!"
I have no idea what you are trying to express here. "Trust On First Use" is a synonym for key continuity. The fact that you have to type "yes" when SSH does it and click a series of buttons when a browser does it doesn't change anything.
I think you think that "Trust On First Use" means "automatically accept keys the first time you hit a site". In fact, that's only true in practice. Presumably everyone's going to get the "Watch Out! This Could Be Iran!" dialog from their browser, too.
There isn't any non-Internet communication channel that users could use to find Google's fingerprint. Google won't give their fingerprints on the phone for billions of web users.
Theoretical models that have no practicality in a given real life context aren't worth discussing as a solution.
normally it just shows you a horizontal bar alerting you when a host's ssl certificate changes, and whether it thinks it was for a good reason like the old cert being near its expiration date.
annoyingly, google has a number of different ssl certificates installed on different servers/load balancers (some wildcard, some not, some signed by different CAs, some signed by google's root) so nearly every time i would use a google service, the add-on would be throwing warnings at me that must be manually clicked to be dismissed. eventually i gave up and stopped using the add-on.
You are absolutely right. Although I think it is undesirable to enable such a feature by default, as a technical user, I badly want it. I want browsers to cache certificate public keys and alert me when they change.
Or just when the host is migrated. This technique "works", I guess, but the false postive rate is staggeringly high. I see these errors daily (generally due to DHCP reuse of my test boxes' addressess). In decades of use, I don't believe I've ever once been MitM'd over ssh.
SSH users understand the issue and are happy to triage a "not in known_hosts" error. The general public won't have a clue.
Sounds like it. But this isn't an architectural solution. All this does is layer an additional level of "trust" requirements onto the existing protocol. The "pinning whitelist" is isomorphic to the root CA list and can be compromised in exactly the same way.
A quick check of Bugzilla didn't turn up a bug directly about this issue, but https://bugzilla.mozilla.org/show_bug.cgi?id=681902#c6 from one of the people who deals with CA issues at Mozilla mentions "the current DigiNotar incident", so they clearly know about it.
It took 3 months to get their customers transferred over to this new cert. https://bugzilla.mozilla.org/show_bug.cgi?id=622589 I wonder if the CA was compromised since earlier this year, or if it's more recent?
"...DigiNotar is an official Dutch certification authority, capable of issuing, validating and registering certificates (identities) of Dutch nationals and entities that are recognized throughout the European Union and are used to authenticate government applications. As such, DigiNotar provides VASCO with a strong foothold in the Dutch eGovernment market with the potential to expand the product line to government applications in other countries. Currently, DigiNotar’s market scope for its CA activities is limited to the Netherlands. VASCO may decide to introduce DigiNotar as a certification authority in other EU countries...."
all that security was riding on 10M euros (with such [meager] amounts in play, one would think that it would be easier for a player like Iran just buy an authority than to crack/hack it, though seems like VASCO was faster (if of course VASCO isn't in the game as well) :) :
"...VASCO acquired DigiNotar in stock and asset purchase for aggregated cash consideration of Euro 10.0 million..."
what is the cost in Netherlands to have a reasonably secure office building with some access controlled areas suitable for CA authority core operations? Sounds like very cheap.
How easy is it to MITM the convergence requests themselves? And does it send all of my web-browsing habits to the notaries? How much money would I have to pay for someone to run a notary for me and would that be safe?
The Thawte certificate is the certificate issued to google by request of google. This certificate is apparently being used to MITM connections to gmail that originate inside Iran. Outside of Iran BGPing a major ISP into routing through them, or setting up a standard "phishing" mirror site, no one outside of Iran should worry much.
It still is a good idea to blacklist that root certificate on your internet devices though. If this certificate is being used, who knows what other websites it has issued legitimate but malicious certificates for.
No one outside of Iran should worry about this particular google cert, you mean.
The obviously compromised root CA shipped by default in every computer in operation is something we very much should worry about. Who else has access to DigiNotar's cert? Surely there are players out there willing to pay more than Iran is...
Of course you should worry. The attacker may have sold the cert to other parties, not just Iran. Or if it was Iran directly, they may sell the certs to other parties to make a pretense of deniability.
Impressive? Do you remember the news that China published routing that sent all traffic for Facebook through Beijing? Given that the China Internet Network Information Center (CNNIC) root CA comes with every browser these days, all it takes for a hostile entity is a fake BGP advertised route through a compromised router to make that happen.
On a Mac, go to Keychain Access, hit the padlock in the upper left to unlock the system keychain with an admin account, select System Roots from the list of available Keychains in the upper left, find and select DigiNotar Root CA, get info (command-I or hit the i in the bottom area of this window), open the Trust section, for "When using this certificate" select Never Trust.
Anybody knows how to view/delete the root certificates on an iPad? From what I've seen, it seems like you can only view/delete the certificates you have installed yourself.
That's right. iPhone and iPad wireless carrier profiles come with special carrier root CAs. You can't delete them, and by using them, your carrier can easily MITM your IMAP password, Google cookie, online banking credentials, or anything else you do over SSL. Your carrier's unfettered access is in addition to the Department of Defence Root CA, the China Internet Network Information Center Root CA, and the others who enjoy the same privilege already. Apple just made it easier to hide by making it impossible for you to actually see the chain of trust in Mobile Safari.
Interestingly, this is why corporations and governments managing secret information continue to rely on Blackberry, where each device gets a locked certificate on activation. That provides the only serious protection from man-in-the-middle attacks in the wireless industry today. Remember the public pressure on RIM to support wiretapping in India? They were the only company not making it easy.
In chrome looks like you can't remove it, but at least you can disable the use of that CA to identify sites,ecc... from preference>manage certificates.
Chrome uses whatever the OS uses, as far as I can tell. Preferences > Manage Certificates just opens up the Keychain Access app. Upthread are instructions for how to do it from there.
What are the implications of this? It is potentially unsecured to visit gmail.com from anywhere? Is this web-interface only, or is IMAP/POP access also vulnerable?
The consensus seems to be that Iran is poisoning intra-country connections to attach this certificate to gmail.com instead of the real certificate, so this would only be occurring where Iran controlled the network infrastructure. Since the certificate is signed by a trusted CA, no warning is provided to the user that the certificate may be unsafe.
GMail still shows a certificate issued by Thawte for me (in the USA).
>The consensus seems to be that Iran is poisoning intra-country connections
more precisely they can poison any traffic (CA-ed by Diginotar) that passes through the routers/wires under Iran's control, that can be anything what they have already hacked into before as well as just redirected traffic using BGP similar like this
The claims reported in various places suggest that people in Iran have actively observed this certificate used in MITM attacks on gmail connections. No hard evidence yet, and no idea what original source people keep repeating (possibly the pastebin itself).
It's weird, isn't it? From zero to accepted fact on the basis of some guys assumption mentioned in the title of a pastebin dump. The only other original source I've been able to find is this:
when I used a vpn I didn't see any warning ! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)
If your communications can land you in jail or get you killed don't use the internet (or even a computer, keystroke loggers are easy to install and very hard to detect), no matter how clever you think you are, and no matter how many 'lock' icons appear in your browser.
In such cases paranoia is perfectly justified.
It's a real pity this requires a code update because that means that the change will take long to propagate and will likely never be really complete, at the same time I'm sure there are good reasons for that and that an automated process to revoke just any certificate could itself probably be used as an attack vector.
What would happen if they simply revoked the root certificate that was used to sign this fake?
The consensus seems to be that this only effects users in Iran who are not using Chrome. The result is any information sent to or from a secure Google domain could be silently intercepted and modified.
SSL snake oil. SSL and the percieved trust around it has to die. It's a big lie, especially with broken CAs, lax security, poor encryption due to international policy and several technical and conceptual flaws.
So you don't like the way SSL/TLS is configured in your browser and therefore we should throw out 15+ years of intense study for whatever flavor-of-the-month protocol is most popular when everyone agrees with you?
How about instead of "SSL sucks!", you propose things that will (from your vantage point) improve SSL/TLS? What, so you don't like that Mozilla gets to dictate what all the trust roots are? Neither do I. But that is not one of the worlds great compute or UX problems to solve. Propose a solution.
It's a virulent misconception that the SSL/TLS security model depends on Verisign and Thawte. The only place in the whole model we have that dependency is your browser's configuration and that stupid dialog it shows when a cert doesn't check out. You can replace just those two parts and get virtually any other trust model you want.
Yes I'd quite happily throw out 15+ years of intense study and research (inclusing SSL/TLS) as it occasionally breaks down and kicks you in the face (google for TLS MITM vulns).
There should be an explicit trust model where the service vendor ships your keys via an alternative side channel -or- a decentralised model which works on reputation or trust.
If it works, why do all the online banks use two-factor authentication these days?
At the current rate of discovery, every vulnerability in TLS should make you more confident in the protocol. We're running an average of 3-5 years between protocol-level discoveries in TLS. Each one is the product of, literally, millions and millions of dollars of adversarial research.
Psst. I've got news for you. adb56780a76686326612a1eb3c2b32053bbcf3d8. Ask a friendly vulnerability researcher what I probably meant by saying that. Guess what? More confident as a result of knowing it.
The rest of your comment is just pique. "Why do online banks use two-factor auth?" Because the alternative is passwords. "There should be an explicit trust model!" Go ahead and build it. Because TLS is well-designed, your new scheme will work just fine with it.
> adb56780a76686326612a1eb3c2b32053bbcf3d8. Ask a friendly vulnerability researcher what I probably meant by saying that.
OK. Hey tptacek... :)
Mind elaborating a bit more, for those of us who don't happen to know any other vulnerability researcher who know what that hash means? The one vulnerability researcher I know had no idea what you were talking about.
I assume you're referring to the practice of releasing hashes of one's advisory to prove that you discovering it while giving the vendor time to fix their software before disclosing it publicly.
Google doesn't turn up anything for that particular hash, though, nor did I see anything on the Matasano website, but I'm probably looking in the wrong places. I don't claim to be a security researcher, after all, even if I try to keep up to date.
> We're running an average of 3-5 years between protocol-level discoveries in TLS.
Everyone knows the weakness with our current system isn't the protocol--it's the "trusted" roots. There are upwards of 100 organizations that have roots installed on my computer and each of them is an attack surface. And it's frustrating because if I'm Google, there's no way I can protect myself from these other firm's security flaws. That is the part of SSL/TLS that needs to change. Getting certs from DNSSEC would be a good start...
Getting certs from DNSSEC is morally equivalent to getting them from X509 PKIs.
Again: the problem we have is that the UX and policy for HTTPS/TLS is brittle, so that it's hard to recognize and even harder to react to misconfigurations like "we're trusting CAs who are not trustworthy".
Faced with a policy and UX problem, someone needs to explain to me how a reasonable next step is to bake a new PKI into the core of the Internet.
There is a reason the IETF-types are so gung-ho on DNSSEC. But it isn't that they know it's a sound replacement for the CA system. It's that it bothers them that DNS- the- protocol is insecure. And that's fine (I think their solution stands a good chance of making DNS even less secure, but whatever). But they shouldn't get to piggyback on other security issues to achieve their goal.
You are using the words "authenticate" and "identify" in ways that professionals do not. In reality, a card and a pin are two factors in an authentication system; your fingerprint is a third (biometric) factor which does not need yet another synonym for "identify" to describe; the reputation of your origin IP is a fourth factor, your behavior a fifth.
If it works, why do all the online banks use two-factor authentication these days?
Oh wait, there is the solution!
That's used to authenticate the client. SSL's job here is to authenticate the server. So no, that's not a solution.
Besides, it's completely preposterous to claim that HTTPS is useless just because it's not enough for banks. Should each website send an RSA Token to each user?
I've been quietly hoping that perhaps Google's Authenticator app might provide this for us... If there were a way for one of my websites to seed the Authenticator, I could provide an RSA-token-like 3rd factor to my logins effectively for free (at least to anyone with an iOS/Android device).
(I don't suppose anybody's more up-to-date than me on if/when that'll be possible?)
Two factor auth is more about stopping your login details being nicked and then used at a later time - not atall really a question of SSL, not to mention that as far as I can see this attack here would not be affected by it in the slighest except for future login attempts.
The idea of having a distributed certificate mechanism over a peer to peer net seems like it might be a good starting point. Essentially, you'd self-sign and serve out your certificate on your ports; possibly connecting to some sort of super-node. You get connections from other members of the net, and they'd send you some certificates; you'd cache the certs and their IP addresses. Then after a timeout, you'd broadcast your certificates to all the interested IPs.
Part of the intrinsic concept is that there's no authoritative identity service. Without an authority, you can't crack the authority.
Of course, this is just a sketch of an idea; it has the usual issues with peer to peer nets such as "evil majority wins". Plus, it has the potential to eat a good deal of bandwidth.
Regardless, I think it'd be a good idea to explore, probably in an academic setting first.
I get that a false sense of security is worse, but we haven't yet figured out a better way that is still decentralized and works with a wide variety of user skill levels.
Because people who aren't expert users deserve security too. And they deserve functionality.
people who aren't expert users deserve security too. And they deserve functionality.
Well, SSL certainly isn't giving serious security in the "My ISP has been intruded" attack model.
You can't have both security and ignorance. If you really want to be secure, you're going to have to learn how to be secure, and then to know how to implement it.
No they can't. That's not how TLS works. The problem we are talking about is not that SSL/TLS- the- protocol allows ISPs to decrypt traffic. It's that some browsers have been shipped with a certificate authority that is willing to sign Google CN's. Remove that CA's cert. What's your ISP going to do now?
- I can install Fiddler (Windows https debugger) on my machine and read https traffic in the clear.
- A competent admin assures me that Websense can read https traffic. Couldn't really dig real detail up on the websense sites though. This chap suggests the admin is not wrong (search for corporate, it's toward the end): http://www.carbonwind.net/blog/post/Random-SSLTLS-101%E2%80%...
I have no idea how I might go about arguing with you; it's as if I were to argue "a brief search of the literature suggests that P is definitely NP". Give me something more specific and I'll give you the context behind it; right now, I don't know what you're talking about.
(Sigh). Fiddler pops the browser certificate warning when you use it; it's not breaking TLS.
You must just as productively say "my friend assures me AES is broken; maybe that's what Iran is doing." Just like your competent admin friend, there would be some reason for him to say that; it just wouldn't be relevant.
It is crazy that you're even entertaining the thought that the entire security model of the world wide web has been circumvented by WebSense. I guess they just really know how to keep a secret?
Websense doesn't break TLS or SSL or PKI. Websense abuses an organizations control over their own workstations to conduct a 'mitm' or 'proxy' of the TLS connection. It does that in a fairly straight forward manner.
Websense is used in organizations that distribute their own root ca key to the workstations behind it. The Websense machine is then given that root ca key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.
It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.
Use case 1: 60 year old man wants to access his bank online from his home. He has been using computer for 10 years, but only been using the internet actively for 5, and still requires help from IT for basic issues at work.
Use case 2: 40 year old man wants to use his laptop from starbucks for email. He has used computers for much of his life, but doesn't really understand how it works. He is on the road working 60-80 hours a week. He is taught to VPN in to work, but that is the extent of his understanding of security.
We're not talking about the use case 3: activist in Iran needs to communicate with compatriots. That is a much harder problem for which SSL is insufficient.
How do we set up a sufficiently easy system for use cases 1 and 2? Charging them $1,000 for a 2 day class in security is not going to work in scale, and nobody has yet written a security primer for dummies past the most basic of "don't give people your password and don't use your dog's name."
This is not true. There is no cryptosystem we know of that is more suited to "User Case 3" than TLS. There is a problem with the way activists in Iran are using TLS: to wit, they are trusting Mozilla, Microsoft, Apple, or Google to make decisions about who they trust. But TLS does not require them to do that. They are a point-and-click HOWTO away from not being in that position.
If Iranian activists want to trust Google for their sensitive email, all they have to do is track down Google's authentic certificate (by asking anybody outside of Iran to fetch it) and add it to their browser. Iran does not have the ability to break RSA. All they (apparently) have the ability to do is to con incompetent CAs into making new RSA signatures that some browsers are configured to believe.
So build one. Your preference actually has very little to do with the X509 CA architecture. Today we have a complex little forest of fiat CAs. No part of the TLS architecture prevents you from replacing that with an even more complex and more full-featured web of smaller CAs.
I'm not being sarcastic. Your decentralized reputation scheme could very well be better than our severely compromised system of central CAs.
And the solution is? Getting everyone on to PGP/GPG? Explaining to the general public what a web of trust is and actually get them to use it in the correct fashion (rather then clicking 'trust' the same way they click through all dialog boxes)?
So when the certificate error comes up, ask your friends whether they trust it. You are talking about a web application that is almost "hello world" in Django or Rails.
So, build it. Then make it secure enough that any schmuck won't be able to hack it and serve fake 'trusts'. Then decentralize it so that governments like Iran's can't MITM it. Then solve the problem of having a single organization deploying thousands of fake nodes and poisoning the data.
In what sense? DNSSEC is also a PKI which also has roots that can be compromised. Not only that, but it only works server-to-server (late in the game, we've decided "that's OK, everyone will just be a server!). And DNSSEC relies on HTTPS/TLS to actually protect content.
This comment is tautological. The verification you're talking about works on the same principle as X.509 (SSL/TLS) does; all it does is attempt to give individual DNS zone holders the ability to sign their own names. But every zone has a parent zone upon whose security it depends.
The reality is that DNSSEC is a lot more fragile than even that. Even on paper (DNSSEC hasn't been deployed in the large successfully) it has gaps. For instance, did you know that as conceived in the standards, your browser isn't even meant to speak DNSSEC? Your browser doesn't run a full recursive cache --- in other words, your browser isn't a full DNS name server, which is why your computer has to be configured with the address of a name server. DNSSEC doesn't secure the leg between your computer and its name server.
"No cryptographic system is perfect" is a worthless sentiment. Only in the rarest instances do we know whether any system, from "hello world" to the Tacoma Narrows, is absolutely sound. Our job as engineers is to make determinations about which system is sounder. DNSSEC takes approximately the same architectural problems that X.509 has, rebuilds them from scratch in the context of a protocol that has for 20 years been riven with security flaws, and then still requires HTTPS/TLS to function. It is less sound than HTTPS/TLS.
What I meant was there are mechanisms that let you determine that a DNS answer is correct.
I won't say more regarding this matter because you know a lot more about cryptography than I do. What do you think the best solution for this kind of problem is? PGP?
I literally think 99.999% of the problem with HTTPS/TLS is UI. The UI for certificate management and validation is virtually unchanged since the 1990s. More importantly, Mozilla, Google, Apple, and Microsoft --- however well they mean --- are not appropriate stewards for the security of the whole fucking Internet. We need the secure UX required to outsource CA management to trusted third parties that unskilled users can reasonably choose among.
Back to DNSSEC:
What we do not need to do is take this extremely complex policy problem and bake it further into the Internet's infrastructure, so that only the greybeards at the IETF and the product managers at the five largest software companies in the world get to make choices about the Internet's security model.
Today's HTTPS debacle was brought to you by a policy mistake. When we originally deployed HTTPS/TLS, we did not understand enough about the forces acting on us to make totally safe policy decisions. What we need is more flexibility and more thought, not the exact same system we have now baked into one of the core protocols on the Internet.
Wouldn't it be neat if there was a dialog somewhere in your browser that gave you the option of trusting anything Colin Percival trusted, or anything that the EFF trusted?
I had thought about something like this, sort of a combination of karma scores and netflix/pandora-style recommendations for ranking user content on sites like HN. I could say 'I like what tptacek has to say' and give your content a higher precedence for ME, rather than for the whole of the site user base. Others could say 'I dislike what tptacek has to say', and you get a corresponding drop for THAT USER, not everyone. Now add a chain - if I 'like' you, all that you 'like' gets a smaller, but significant bump for me, and so on. Add in 'OSCP' style repudiation if the source of your trust for someone changes their mind for any reason.
Moving this into authentication/trust - how do you 'start' something like this at an Internet scale, assuming actively hostile, nation-state level players, such as in this article? It seems very chicken-and-egg for something as critical as encryption and protection of important content.
Just thoughts - it seems there's some big issues I'm missing though, such as initial seeding for 'new' users en masse. I can also see the code to keep track of all the trust vectors, etc. becoming VERY complicated...
Seems like an awesome plan, but making it scale requires a lot of work. In this system, how do banks ensure their site shows up as secure in people's browsers? How do random sites of varying popularity?
Actually, for many people their bank seems like a good start for the trust chain; visit them in person and get the information you need for your trust root. And unlike the certificate companies, banks have end-users as their customers, not people who want certificates.
I'd consider subscribing to a few services that provided plausible claims to properly curate lists of ssl cert fingerprints for at least the majority of my security-critical domains. Even if it were just limited to the major internet properties (start with google/yahoo/amazon/paypal/twitter/facebook/etc), and add in major (and minor) banks, government institutions... If someone started up a service claiming to have telephoned the appropriate security people at those places and confirmed the cert fingerprints via non-internet/real-world-confirmable means, I'd certainly consider paying a few tens of dollars a year for that... Especially if it integrated nicely with a browser/os plugin.
And, hopefully, a way for Colin, the EFF, your friends, or Hacker News to say "Ummm, looks like the EFF trust list might have been compromised sometime in the last $n weeks..." and for you to be able to audit/rollback changes in that trust list, and/or compare changes with unrelated sources...
DNSSEC may have a lot of the same design limitations as HTTPS PKI, but it could still be an improvement if it represented a parallel, redundant piece of security.
But what we see is CAs authenticating cert applicants based on DNS (the ability to receive email verifies your "control" of the domain) and DNSSEC rooting to a Verisign-managed registry, just like the early days of SSL PKI.
Only if that parallel, redundant piece of security (a) isn't relied upon as a single point of failure by any component of the rest of the system (note how many DNSSEC advocates seem to want DNSSEC as a replacement for the X509 PKI), and (b) doesn't have 15 years of its own security vulnerabilities in store for us.
Yup.
a) a rare opportunity missed
b) I'd like to think we know more than we did 15 years ago, but compatibility with the existing DNS brings new challenges too
That may be true, but you have no guarantee that the IP that is returned actually routes where it should, or that a resulting connection is to one of google's actual servers.
note: Nothing against dnssec. I think it is an improvement, but I don't see how it would have helped in the situation in question.
I don't think DNSSEC is an improvement. I think that when you take a fragile and problematic security model, reimplement it from the bottom up in a setting that's even more restrictive than HTTPS, bake the result into the core of the Internet (or rather, the fraction of the core of the Internet that knows how to be a full-fledged DNS server), cause untold disruption the network as a whole and incur tens of millions of dollars in administrative overhead that could have gone to other security objectives, you are very likely looking at a measure that maybe just maybe might be a tiny step backwards.
Man In The Middle attacks are increasing and users usually ignore error messages about them. (Firefox throws an error dialog but it has an 'I understand the risks' button. People just ignore the error).
Also, last year many Iranian FriendFeed users were arrested and the goverment knew about all their private discussions on FriendFeed. (FriendFeed has been censored since the beggining. But it suddenly became uncensored for a day or two. On the other hand, FriendFeed generates an 'auth' key for each user and lets him see his RSS feed using that key. And puts the auth key in every page: goverment probably collected auth keys and used it to read discussions of people they arrested)
Goverments using internet to spy on their civilians is not a myth. Anonymity, trusting the cloud and related issues seem far more important when you suddenly find out a friend of yours has been arrested and his location and charges is unknown.