
Mozilla SSL policy bad for the Web - nickb
http://www.cs.uml.edu/~ntuck/mozilla/
======
tptacek
Unbelievable. I've been poking about here for like 6 months now. You are all
very smart people. Why is this so hard to understand?

_If you do not have a valid certificate signed by a CA, SSL is not providing
any security_.

Yes, the warning you get when you visit a site with an invalid cert is much
scarier than what you see if you visit an unencrypted site. But it's the sites
that use encryption that users care about, because _those are the sites that
get their passwords and credit card numbers_.

Perhaps you think the browser should make an exception for self-signed certs.
After all, there's nothing "wrong" with their signatures. Nothing's expired.
No signature fails to validate. Why not just make the URL bar orange or
something? _Because anyone can create a self-signed cert and sub it into a
Bank of America SSL connection_.

It sure is annoying that you have to pay $20 every year to keep an SSL cert. I
totally agree that this is a problem. But right now, without that $20, you have a
connection that provides cryptographically zero security. Short of coming up
with a way to create a trustworthy CA that runs for less than $20 a year,
there is no great solution to this problem.

~~~
jodrellblank
To borrow from Eliezer, if you really can't believe something that is
happening can happen, then your mental model is wrong.

I originally posted: _Every time I have hit this message, it has been mostly
irrelevant to me and disrupted what I was doing_

[I'm no longer so certain - I can't be sure my router configs haven't been
stolen by a MITM attack. I suppose I really ought to find out how to generate
and install SSL certificates from a trusted root on them, and post them to
someone at the remote sites on an encrypted pen drive.]

I manage a fair amount of networking kit, I find Google results to mailing
lists with mysterious and pointless SSL connections. As someone posted in the
"End of the Windows Era" thread: "I don't care what OS you have, as long as
you have a reasonable browser". This isn't reasonable behaviour.

SSL does not prove anything useful - at the very most that you are connecting
to the site your browser intended to connect to, assuming the site DNS hasn't
been hacked.

Anyone can pay $20 and get a valid certificate and that doesn't mean you
should trust them with your bank account details. Any site with a valid SSL
cert might have been hacked behind the SSL termination. If you're scared of
MITM attacks, aren't you just as scared of valid SSL certificates on sites
with fake DNS or hacked servers?

~~~
tptacek
The security of the DNS and the security of SSL are unrelated. This is one of
those Reddit memes that won't die. You can claim to be bankofamerica.com all
you want, but you cannot complete an SSL exchange with a signed certificate
that says so.

~~~
jodrellblank
Why not?

If Eve can take control of DNS and redirect bankofamerica.com to an IP on her
servers, and it goes to a webserver with a certificate signed for
"bankofamerica.com" by a widely trusted CA, then the browser will load it
without complaint and show it as a padlocked site.

The only guard seems to be whether she can get any certificate company to sign
a certificate for bankofamerica.com. Since it's cheap and easy to get basic
SSL certificates from many places, this doesn't seem a very difficult obstacle
for her to overcome with a bit of forging, social engineering, insider access,
bribery, etc.

(I imagine that she could go to the real bankofamerica.com, save the
certificate details it presents, and pass them on MITM style - but hope there
are replay-prevention techniques involved. This doesn't affect the question
above, though).

~~~
tptacek
The premise of your argument is that it is "cheap and easy" to get a
certificate signed by a CA trusted by Firefox and IE for a "bankofamerica.com"
domain.

It is not "cheap and easy" to get that certificate. As evidence for that
argument, I put forth the fact that no criminal has ever managed to do it.

Now you're starting to see why certificates are so important to security of
SSL!

~~~
gaika
It was cheap and easy to "steal" microsoft's certificate in 2001.
<http://cc.uoregon.edu/cnews/spring2001/mstheft.html>

~~~
tptacek
That event was so rare that it made national news, hasn't happened since, and
has never happened to a financial institution.

If your argument is that Verisign sucks, though, I won't contest it. I'm not
saying the CA business model is good; I'm saying that it's silly to say you
can run SSL without CAs.

------
pdubroy
Johnathan Nightingale of Mozilla has a good blog post explaining the rationale
behind this:

<http://blog.johnath.com/2008/08/05/ssl-question-corner/>

An especially pertinent point from his post:

"Several CAs accepted by all major browsers sell certificates for less than
$20/yr, and StartSSL, in the Firefox 3 root store, offers them for free."

~~~
ajross
That's not the bug though. The bug is that the error message a user sees when
visiting a self-signed site using HTTPS is _much_ _more_ _scary_ than simply
visiting that site on an unencrypted connection, even though by all reasonable
standards this is a safer, more private, and more secure action.

If we're not going to warn folks about unencrypted links where every proxy in
the way is a man-in-the-middle attack waiting to happen, why are we going
through such contortions to warn them about the _same_ attacks in a situation
where they are much harder to accomplish?

I've never understood this warning at all.

~~~
sh1mmer
This is because users are being trained to use sites "with the yellow bar at
the top" to do personal things (e.g. logging in, credit card details, etc).
Making users have to jump through a couple of hoops if the certificate
is self-signed is a good way to protect users that don't understand the
technology.

While I understand you want to be very egalitarian about it most users would
value their personal information's safety over the principle of a completely
open web.

In the spirit of the open web you are free to a) not use Firefox b) fork the
Firefox project c) file a bug with Firefox d) contribute to Firefox and argue
for this feature to be removed

~~~
Herring
Yeah it's a branding issue. The yellow bar or the lock at the bottom should
indicate a "secure" site. A self signed cert is no different from a fraudulent
cert.

------
axod
SSL certificates for HTTPS are a big fat scam. Why do I need to pay money to
get a certificate, just to provide encryption.

Encryption should be separate from identity verification.

Of course identity verification should be properly vetted and you should have
to pay a fee, and have documents checked etc.

If however, you just want to provide security for your users by encrypting
http, you should not have to jump through hoops and spend money.

~~~
olavk
But what good is encrypted communication if you can't be sure who you are
communicating with?

~~~
josefresco
What good is verified communication when you can buy an SSL cert with pretty
much any fake information you want.

~~~
huhtenberg
I'd like to know where I can buy a cert this way. Pretty please.

~~~
45454564654
All that's required are scanned documents. And these documents can easily be
tampered with or photoshopped. You may think your company details are checked
before the cert is issued, but that's crap. We email our docs to a US company,
and all the docs are issued by Irish government departments. There's no way in
hell that some guy in what amounts to a call centre in the US has access to
any Irish database to prove or disprove their validity. SSL certs are a crock
of shit - all you need to do to get one you're not entitled to is to be
slightly outside the norm, and claiming any small country as your location is
good enough for that. Hell, you could make up your own government departments
and documents, and that'd be good enough for most of these companies.

~~~
tptacek
Give me a break. This is like saying all online security is a sham because I
can always physically break into your office. You know how many times a real
CA has fucked up and accidentally issued a Bank of America certificate to
organized criminals in Estonia? _ZERO_.

------
msg
Here's an interesting solution. CMU just put out a tool called Perspectives
that runs public notary servers. The servers probe sites periodically to get a
history of keys. This can go a long way toward determining whether there is a
man-in-the-middle sending you a fake SSL certificate (because it will not
match the history).

<http://www.cs.cmu.edu/~perspectives/>

(hat-tip Lauren Weinstein)

<http://lauren.vortex.com/archive/000414.html>
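
A simplified model of the notary idea described in the comment above, as an added example that is not part of the original thread and is not Perspectives' own code or protocol: a key is accepted only if enough notaries have seen that same key, up to the present and for long enough. The notary names, histories, key bytes, and the quorum and duration thresholds are all constructed for illustration.

```python
import hashlib


def fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 fingerprint of a server public key."""
    return hashlib.sha256(public_key_bytes).hexdigest()


# Constructed sample data: two keys and what three hypothetical notaries observed.
GOOD_KEY = fingerprint(b"constructed-server-public-key")
ROGUE_KEY = fingerprint(b"constructed-substituted-public-key")

# notary name -> list of (first_seen_day, last_seen_day, key_fingerprint)
NOTARY_HISTORY = {
    "notary-a": [(0, 120, GOOD_KEY)],
    "notary-b": [(0, 120, GOOD_KEY)],
    # This notary's own path to the site started showing a different key on day 119.
    "notary-c": [(0, 118, GOOD_KEY), (119, 120, ROGUE_KEY)],
}


def notary_vouches(history, offered, today, min_days):
    """True if this notary still sees `offered` today and has seen it for min_days."""
    for first_seen, last_seen, fp in history:
        if fp == offered and last_seen >= today and last_seen - first_seen >= min_days:
            return True
    return False


def check_key(offered, histories, today, quorum, min_days):
    """Accept the offered key only if at least `quorum` notaries vouch for it."""
    votes = sum(
        notary_vouches(history, offered, today, min_days)
        for history in histories.values()
    )
    return votes >= quorum


if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("rogue", ROGUE_KEY)):
        ok = check_key(key, NOTARY_HISTORY, today=120, quorum=2, min_days=30)
        print(name, "accepted" if ok else "rejected: does not match notary history")
```

The duration threshold matters as much as the quorum: a key that only appeared yesterday is rejected even by the notary that currently sees it.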

------
grhino
What's encryption without authentication?

Encryption ensures that only the entity you are sending the message to can
read it. If you can't be sure of the entity you are sending the message to,
then what's the point of encrypting it in the first place?

Why does the article pick out Mozilla in particular? Are they suggesting that
Firefox makes it overly complex to ignore the warning and continue on?

~~~
aristus
Encryption without authentication is just that: encryption. The point of
encryption is to make sure no one else is listening OR modifying the data in
transit. Like, say, your cash-starved ISP, or the government.

~~~
tlrobinson
No, it's not. If a man-in-the-middle attack is possible (certainly the ISP
could), then encryption without authentication is as insecure as no encryption
at all. And in fact _worse_ if the user has a false sense of security.

The MITM pretends to be the bank's server (or whatever) when talking to you,
and pretends to be you when talking to the bank's server. Both channels can be
encrypted, but the attacker still sees (and can modify) everything that you
think you're sending directly to the bank's server.

This is the key point that most people seem to be missing here. If browsers
didn't warn about self-signed certificates, the entire system would break down
because an attacker could just use a self-signed cert in a MITM attack, and
the user would have no idea.
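
The point made in the comment above, worked through as an added example (not part of the original thread): an unauthenticated key exchange yields two encrypted channels that both terminate at the party in the middle, and checking the server key against a fingerprint obtained through a trusted channel (the role a CA signature plays) is what exposes the swap. The toy Diffie-Hellman group, the party names, and the `pinned_fp` parameter are assumptions; everything runs in memory.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def handshake(client_priv, offered_server_pub, pinned_fp=None):
    """Client side: optionally authenticate the server key, then derive the key."""
    if pinned_fp is not None and fingerprint(offered_server_pub) != pinned_fp:
        raise ValueError("server key does not match the authenticated fingerprint")
    return session_key(client_priv, offered_server_pub)


def run_demo():
    a_priv, a_pub = keypair()  # Alice, the browser
    b_priv, b_pub = keypair()  # Bob, the bank's server
    m_priv, m_pub = keypair()  # Mallory, on the network path
    # Each side receives Mallory's public value in place of the other's.
    result = {
        "alice_key": handshake(a_priv, m_pub),  # no authentication: accepted
        "bob_key": session_key(b_priv, m_pub),
        "mallory_to_alice": session_key(m_priv, a_pub),
        "mallory_to_bob": session_key(m_priv, b_pub),
    }
    # Same exchange, but Alice knows Bob's real fingerprint from a trusted source.
    try:
        handshake(a_priv, m_pub, pinned_fp=fingerprint(b_pub))
        result["swap_detected"] = False
    except ValueError:
        result["swap_detected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```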

------
marketer
Having a trusted third party is a pretty big deal in cryptography. Without it,
many of the core assumptions of public-key cryptography are invalid. It's a
huge part of making sure the other end is authentic. I'd place a lot more
trust in Bank A's public key if it was signed by verisign, rather than an
unverified third party. Having verisign's public key in my browser
eliminates a large class of man-in-the-middle attacks.

If paying $20/year is too inconvenient for you to transfer your data securely,
then perhaps the data isn't sensitive enough, and you shouldn't bother.

~~~
tptacek
It's not even that complicated.

The problem with not having a valid certificate is this: if both sides can't
tie every packet in the SSL handshake back to Verisign or Thawte's pubkey,
attackers can inject their own handshake passwords and set the session key.

------
sh1mmer
Also, you can see the "add an exception" in the screen shot. You can manually
add an SSL certificate to a white list, it's just a little bit harder, with a
few more steps, than the previous YES|NO dialogue.

I think this is a good thing. 99% of users probably don't need to or shouldn't
interact with pages with self-signed certificates. That's a good thing. Self-
signed certs should really only be on development pages. I'm sure this is a
good anti-phishing measure.

~~~
aristus
In this case I disagree. The web is not all corporate, and there is a
confusion between encryption and authentication.

A certificate, signed or no, is a means to establish a secure connection
between Alice & Bob. This ensures no one is snooping or modifying the data
passing between them. _this is a good thing that should be encouraged_ in an
age when your ISP injects ads and the government keeps tabs on what sites you
visit.

A signed certificate is a means of authenticating the identity of the
presenter of that certificate, to give some reassurance and trust about the
other party.

These two things can and should be kept separate. What Mozilla is doing is
making it much more difficult to have a secure-by-default Web.

Imagine if your mail program suddenly stopped receiving email unless each
sender either paid 100 bucks per year to VeriSign, or faxed a copy of their
passport to Microsoft, or you went through a scary, four-step process to
"enable" them.

~~~
tptacek
A self-signed certificate does not establish a secure connection between Alice
and Bob, because Alice can't verify the certificate. Bob can send his
certificate, Mallory can trivially intercept it and replace it with her own,
and nobody will be the wiser.

Let's _not_ encourage people to adopt security mechanisms that provide no real
security. Let's make the security mechanisms we have today, which are strong
enough to stop many governments and all of the largest corporations, cost-
effective and easier to deploy. Let's solve the right problems, instead of
trying to make ourselves feel better by sugarcoating browser warning messages.

~~~
aristus
It took me a while to get what you are saying, but you are right. I didn't
know what I was talking about.

Unless you have a means of verifying the public key fingerprint you are SOL.
Wish I had more modpoints for you.

------
stcredzero
I once bought a broadband router that was marked down ridiculously cheap. It
had all the features I wanted, and it was half the price of any of the others.
When I got it home, everything was running slowly. After poking around, I
discovered that my machines' DNS servers had changed from Time Warner Cable's
to IP addresses in China!

If self signed certificates were indistinguishable, I may have been making
connections through a man in the middle machine located there without any way of
knowing.

------
plusbryan
One possible solution: use two icons

Since SSL covers two cases of security, both encryption and identity, maybe
it's time to invent a new icon - i.e. this web site is secure (a lock) but its
identity could not be verified (an id card).

Self-signed certs wouldn't show warnings, but wouldn't show the ID-verified
icon. CA certs would show both.

If they're worried about user education, the first time firefox encounters a
self-signed site, it could provide a permanently dismissible dialog.

~~~
tptacek
You can't have one without the other. The first icon doesn't mean anything.
You might as well add a third icon for "this connection is compressed".
Attackers can't read your credit card number out of a compressed stream
either.

------
jncraton
I'm not entirely sure why Firefox is being specifically targeted here. The
pages that Opera and IE8 throw for self-signed certs aren't much less scary.

~~~
jodrellblank
IE8 isn't out properly yet. Maybe with enough fuss, it can be changed before
it is.

------
invisible
In my opinion, self-signed SSL certificates shouldn't cause this. If I want to
use an SSL connection for my users to sign in with, I shouldn't have to pay
tons of money for a wildcard certificate for my domain (they charge a large
amount more just to add *. to your certificate). SSL is to SECURE THE
TRANSMISSION, but these companies have turned it into a certificate war, where
you must have one signed by a "distinguished" CA or the browser will tell you
that you're visiting a "bad" site (Mozilla has a stopping guard, IE has
attention images).

So don't even show the user that it's SSL. I don't care if my site seems more
secure to the end-user, it just should be SECURE without regard to the mindset
of the individual operating on it. Heck, even hide the https! Banks and online
stores, sure, they should buy SSL certificates so they ease the end-user's
mind. That is a relevant operating cost to incur for those individuals.

------
cstejerean
"Snooping a connection (i.e. on a wireless link) is much easier than any of
the impersonation attacks that SSL authentication prevents."

I wouldn't be so sure about that.

~~~
rcoder
> I wouldn't be so sure about that.

Umm, I would. Running Wireshark or tcpdump to sniff traffic over the wire is
_easy_, and analysis can be done offline at the attacker's leisure.

Hijacking DNS and phishing for users' login credentials to other sites
requires a lot more preparation, and in most cases, prior selection of the
desired target sites.

~~~
tptacek
(1)

An attacker in Estonia manages to compromise a single DNS cache serving a
residential cable ISP in Tucson, AZ. Without SSL in the way, she now owns
several thousand bank account logins and Yahoo Mail passwords.

(2)

An attacker in Estonia manages to compromise a single DNS cache serving a
residential cable ISP in Tucson, AZ. With SSL in the way, she now owns several
bank account logins and Yahoo Mail passwords.

------
mattmcknight
Amusingly, this policy blocks several US Dept of Defense public facing
websites.

