New draft of Trevor Perrin and Moxie Marlinspike's TACK SSL extension - tptacek
http://www.ietf.org/mail-archive/web/tls/current/msg08972.html

======
tptacek
I predict this post will receive between 2-6 votes and never see the front
page, but for what it's worth: this is the most important thing happening in
Internet security this year.

One of the biggest problems we have in security right now is that nobody knows
how many SSL CA's there are. The SSL PKI has failed. Browser vendors allowed
top-level CAs to delegate, often for money, their signing authority to third-
parties. Those third parties have in turn done predictably horrible things
with that privilege. One of them sold a CA=YES certificate to a Fortune 500
company to help them monitor their employees (and also the whole Internet).
Several others were hacked.

The problem with untrustworthy CAs is that the browser depends on CA trust to
"break ties" between competing certificate assertions; is this Bank of America
certificate BofA, or is it a European organized crime group? The only signal
the browser has is which CA the signature on the cert rolls up to.

Google ameliorated that problem for its own properties using "certificate
pinning". Pinning simply means that Google knows what their legit certificates
are, and ships a browser, and sure as shit isn't going to let its browser
trust some dinky delegated CA's certificate for GMail over the certificate it
knows it owns. It sure would be nice if everyone could pin their certificates
into browsers instead of just Google and the giant sites Google pins.

TACK allows that to happen. TACK is a small cryptosystem that accomplishes for
certificate pins what HSTS (a widely supported browser security standard) does
for defeating SSL stripping: it provides a way for browsers to see a legit
SSL/TLS certificate and then remember that certificate going forward, so even
if Iranian hackers (or the NSA) manage to cut a valid-looking CA-signed
certificate for that site later on, it won't matter because your browser will
only honor the cert it first saw. The technique, which is called "key
continuity" and forms the entire security model for SSH, relies on the fact
that the overwhelming majority of first-contact hits to sites will get their
legitimate key; if you're an attacker with an evil certificate, your odds of
intercepting a first-touch connection from a browser to BofA are very low.

You very much want TACK to get as much attention as it can. Trevor Perrin and
Moxie Marlinspike are extraordinarily competent and well-regarded crypto
protocol people and TACK is both simple and well-thought-out. TACK takes
some of the control maintained by browser vendors back and returns it to site
operators. This kind of decentralization is badly needed. Read the TACK draft,
please.

~~~
mechanical_fish
Upvote accomplished. Don't think this is near the front page, though, alas.

Thank you for commenting on this. I find things to read by triangulating
people's comments and this is way more interesting than the average HN front-
pager is these days.

~~~
tptacek
I write all these things for you. I brain, "what would mechanical_fish like to
read about today", and my brain responds, "FIVE HUNDRED PAGES OF RANTING ABOUT
THE UNFAIRNESS OF CISPA COVERAGE", and I oblige. You're welcome.

~~~
jgeralnik
For what it's worth, the way I read HN is:

a) Skim the front page

b) Go to tptacek's comments page and read everything

Almost every comment you write having anything to do with crypto is absolutely
fascinating and since realizing how much I enjoy and learn from your comments
I've been actively stalking you. Thanks.

~~~
chc
It's not a bad policy, but good grief, keeping up with that comment page is a
full-time job.

------
NateLawson
I'm a fan of TACK because it gives site operators the same abilities as Google
to ensure a rogue CA hasn't certified an attacker to impersonate them.

This draft makes some minor changes. One of the most important ones is that it
lets you make a new TACK before unlocking the old one. This means there's no
period of time in the middle, no matter how short, for an attacker to
interpose a new lock.

The main site with overview is here: <http://tack.io/>

There are existing tools on github to start playing with this:
<https://github.com/tack>

Here's the announcement with links to the various patches, downloads, and
tools. Note that a couple links are broken, as per the followup msg.

<https://lists.riseup.net/www/arc/tack/2012-09/msg00003.html>

<https://lists.riseup.net/www/arc/tack/2012-09/msg00004.html>
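
The key-continuity model tptacek describes above, together with the overlapping-pin rotation NateLawson mentions, sketched as an added example in Python (this is not code from the TACK draft or the tack.io tools; the pin-activation arithmetic is a simplification of the draft's rule, and the host name and keys are constructed):

```python
# Key continuity with overlapping pins, loosely modelled on TACK's rules.
# Added example: not code from the TACK draft or the tack.io tools, and the
# activation arithmetic is a simplification of the draft's.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

DAY = 86400
MAX_PIN_AGE = 30 * DAY  # cap on how far ahead a pin may remain active

@dataclass
class Pin:
    key_id: str   # fingerprint of a site's TACK signing key
    initial: int  # first time this key was seen for the host
    end: int      # the pin is active while now < end

def key_id(tack_key: bytes) -> str:
    return hashlib.sha256(tack_key).hexdigest()[:16]

@dataclass
class PinStore:
    pins: Dict[str, List[Pin]] = field(default_factory=dict)

    def active(self, host: str, now: int) -> List[Pin]:
        return [p for p in self.pins.get(host, []) if now < p.end]

    def observe(self, host: str, tack_keys: List[bytes], now: int) -> bool:
        """Process one connection presenting the site's TACK key(s).
        Returns True if accepted, False if an active pin is contradicted."""
        presented = {key_id(k) for k in tack_keys}
        for p in self.active(host, now):
            if p.key_id not in presented:
                return False  # continuity violated: an active pin is unmatched
        # Inactive pins for keys no longer presented are simply forgotten.
        host_pins = [p for p in self.pins.get(host, []) if p.key_id in presented]
        for kid in presented:
            pin = next((p for p in host_pins if p.key_id == kid), None)
            if pin is None:
                # first contact: remember the key, but the pin is not yet active
                host_pins.append(Pin(kid, now, now))
            else:
                # seen again: stay active for as long as the key has been seen
                # consistently, capped at MAX_PIN_AGE (TACK-style activation)
                pin.end = min(now + (now - pin.initial), now + MAX_PIN_AGE)
        self.pins[host] = host_pins
        return True
```

A rogue CA's certificate carrying a different signing key is refused while a pin is active, and the site can only retire an old key after presenting old and new together for long enough that the old pin lapses, which is the gap-free rotation NateLawson refers to.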

