Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Wed, 20 Dec 2000 14:42:59 -0500
Hey Kurt (et al)!

On Tue, Dec 19, 2000 at 11:33:56AM -0700, Kurt Seifried wrote:
> It is also incredibly difficult for users to ascertain whether the
> key is legit or not. I've had some people suggest that all the
> SSH keys be PGP signed and put on floppy and given to users (that one
> made me laugh). Most users will happily accept SSL certs that
> have expired, point to the wrong site or are self signed (all of which
> could be a man in the middle attack or a lazy admin). I used
> to religiously sign emails with PGP until I realized that no-one probably
> checked, how did I know this? I started modifying the
> email after signing so that it wouldn't verify, no-one ever complained.

What you are describing is basically what Bruce Schneier has been preaching for years when he says "If you think cryptography will solve your problem, then you don't understand cryptography and you don't understand your problem." The problems you are describing are flaws in human nature. That's a given.

Since your initial posting, I've been accumulating fingerprints of all my ssh hosts to verify the next time I connect to one of them for the first time. I don't ignore "host key changed" warnings either. If I didn't change it, I don't trust it; if I did change it, I know about it; if I didn't expect it, I get to the bottom of it fast (it's usually just an IP address change or a reinstall). If I get a CA warning or an expired cert warning or a DN mismatch warning, I pay attention to it and decide for myself if it's really something that is significant enough for me to worry about under those particular circumstances.

But, I realize, I'm not the norm. The norm is the idiot Exchange administrator who gets an E-Mail message from me warning not to open messages with a particular subject and then does so anyways and turns explore.zip loose on the network he's supposed to be administrating (a real event, unfortunately).

Even though "everyone" should know not to touch untrusted active content, we still have viruses running rampant. Virus scanners aren't solving the problem (only slowing it down to something manageable most of the time). Vendors aren't solving the problems. Viruses are going to be with us and so will E-Mail and (unfortunately) so will the misapplication of E-Mail with active content. We don't say that E-Mail is doomed just because it helps propagate viruses and we can't get the stupid lusers to leave them alone. It's a given.

You can NOT solve social problems by throwing more technology at it. Trying to solve the social problem of trust (or ignoring trust) by applying cryptography is not a flaw in cryptography or in the implementation (Well... Ok... It could be, but it doesn't need to be.) It's not understanding cryptography and it's not understanding the true fundamental nature of the problem you are trying to solve (which may not HAVE a solution). SSH and SSL are just tools and very good tools. But even a very good screwdriver has a very difficult time driving a nail, and the user who uses it that way gets what they deserve.

As far as your PGP signatures go, you overlook another fundamental principle, however... If I received one of those messages, I would probably ignore the error after determining that it didn't matter to me. If I determined that the message was significant enough for me to worry about the validity, then I would confirm it and probably contact you. The fact that you signed the message does NOT mean that everyone must consider that message of such significance that they must confirm it and cry to the stars when the validation fails. It merely gives them the opportunity to make that determination for themselves. Not signing means they DON'T have that choice.

There are a couple of aspects to signing all E-Mail messages...

If you sign every message, you establish a baseline and a preponderance of messages out there associating that key to you. If someone else tries the same thing in your name, the probability goes up that it will be detected and word gets back to you. If you only sign important messages, that strength of association is lost (and may not be of consequence to you, I can't judge your feelings on that point). People COULD go back to past messages of yours and verify them and verify that it's the same key. If they trust that past message (for one reason or another) then there is an implied trust carried forward (whether you feel that implied trust is valid or not or how much).

It also removes the significance of the signature as it relates to the importance of the message. If all you signed were those messages which you thought were significant enough to require validation, that would draw attention to those messages. Is this a good thing or a bad thing? You call the shots for you. You may care, I might not. Someone will, no doubt, point out that I rarely sign my messages. Sometimes my words don't agree with my actions either.

Neither of those points have ANYTHING to do with anyone verifying all of your messages or giving a flying flip if the validation fails. If it matters to them, they will and they will get back to you. If it doesn't, they won't and you won't hear a peep. Doesn't mean that signing the messages for those other two points is or is not valid.

> SSH and SSL are in my opinion poor implementations of security protocols,
> they also lack a lot of things such as repudiation/etc. To
> believe they are the best we can do makes me very sad. I suspect in 5
> years we'll talk about ssh/ssl like we talk about telnet right
> now.

Ask Al Huger about a paper one of his boys (then) wrote a few years back. The paper basically "proved" how IDS systems would not work, could not work, and would never be made to work, because there were too many ways around them. While having a beer with Thomas at a USENIX security symposium, we discussed his paper. He wanted to know what we (Internet Security Systems) were going to do about the fact that he had just destroyed our business. He was flabbergasted that I replied "We'll deal with it". He said "You can't deal with it! It's done! It's busted! It's gone!"

Well... IDS systems are still with us and still doing effective jobs when applied correctly and ineffective jobs when not applied correctly. The company that Al and Thomas were at even announced their own IDS later. :-) AFAICT, Thomas' paper didn't even seem to slow up the growth of the market, which is stronger than ever years after the publication of his paper. Does that mean that IDS systems are perfect? Hell no. Does it mean that they can't be misapplied or misinterpreted? Hell no.

In five years we will (probably) still have SSH and SSL (or one of their inheritors) and we will still have them applied correctly and providing us with a useful service and we will still have them misapplied and being incorrectly trusted by ignorant misguided people. They don't "solve" the social problems. They are still useful and still perform valid jobs. It's not the end of the world for either of those two protocols.

None of this is to say that we should eliminate virus scanning, IDS systems, PGP signatures on E-Mail, SSH, SSL, or any other cryptography just because they "fail" (in one person's view point) when misapplied, misused, misinterpreted, or mistreated in the face of human nature. Life goes on. They are still valid and effective tools when applied correctly. It's in how it's applied that's the problem, not the tools themselves.

My $0.02
Perry Metzger
-Kurt
Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
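
The host-key habit described in the message above (collect fingerprints ahead of time, then treat a match, a change, and a never-seen host differently), as an added example that is not part of the original post. It assumes OpenSSH's current SHA256 fingerprint form; the host names, key material, and the helper names `make_pubkey_line` and `check_host` are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def make_pubkey_line(seed: bytes) -> str:
    """Constructed ed25519-shaped public key line for the demo (no real host)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a 'keytype base64blob [comment]' line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob names its own key type; a mismatch means a mangled or spliced line.
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(host: str, presented_line: str, pinned: dict) -> tuple:
    """Compare the key a server presents with fingerprints collected out of band."""
    fp = fingerprint(presented_line)
    if host not in pinned:
        return ("UNKNOWN", fp)   # no reference yet: confirm out of band before accepting
    if fp in pinned[host]:
        return ("MATCH", fp)
    return ("CHANGED", fp)       # not expected: find out why before connecting

# Constructed pin list; host names and keys are illustrative only.
PINNED = {"build.example.test": {fingerprint(make_pubkey_line(b"build-key-v1"))}}

if __name__ == "__main__":
    for host, seed in [("build.example.test", b"build-key-v1"),
                       ("build.example.test", b"someone-else"),
                       ("new.example.test", b"new-key")]:
        print(host, *check_host(host, make_pubkey_line(seed), PINNED))
```
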