Re: IE SSL Vulnerability

["J. Lasser" <jon () lasser org>]

In the wise words of Charles Miller:

> Actually, the SSL vulnerability is a very predictable answer to an old
> question. For a while now, one of the big "what ifs" of Internet
> security has been "What if one day, the SSL infrastructure is completely
> compromised?" The most common hypothetical example of this was the
> compromise of a Verisign root signing key.

Right. And along the way we've already experienced the baby version of
this (certs that appear to be from Microsoft, but aren't, etc.) and the
sky didn't fall in then, either.

> Predictions have ranged from the death of e-commerce, to the end of the
> world as we know it.

Sure, if you take the hard line Cypherpunk position that absolute
security is mandatory for e-commerce, that "key escrow" wouldn't do,
that 40 bits wasn't enough, etc.

Of course what happened is that people realized that, with a modicum
of protection offered by SSL, the network transport was no longer the
weak link --- the problem becomes the fact that the endpoints aren't
totally secure.

Given moderately insecure endpoints, the average user just wants to
stop the average cracker from skimming the credit-card info. It's
assumed that the outstanding cracker will still be able to get the info.

SSL, even with some attacks against the certificate chain, is the best
example of "good enough" crypto out there. (I tackle this argument from
a slightly different angle in my most recent SecurityFocus column,
actually. I'm becoming a big fan of "good enough," especially coupled
with insurance or an understanding of risk.)

> Now, it's not hypothetical any more. Until this is patched and the
> majority of users upgrade (in other words, give it two years), anyone
> can forge site certificates that seem valid to 90% of Internet users.
> The result? The news hasn't reached the "real world" at all. The story
> has stayed on news-for-nerds websites and in the technical section of
> mainstream press. E-commerce hasn't skipped a beat.

That's in part because of the reasoning above, probably, and partly
because the average consumer neither understands nor wishes to
understand how SSL actually works. Without entering into a long
discussion of certificate chains (not suitable for the nightly news, or
the front page of USA Today) understanding the importance of the
vulnerability is mighty tough.

Yesterday a customer wanted to know why he couldn't specify a random
(not-previously-created) account name and password and have his e-mail
work. You see, his account was too full, he was at a remote site, and he
didn't want to download all of his old mail... He's a smart fellow, in
his domain of expertise, but he's not going to learn about certificate
chains.

> Certainly none of our[1] customers, who were so adamant when we were
> speccing their web-applications that it _must_ be secured with SSL, have
> come screaming to us wondering what to do now anyone can
> man-in-the-middle them.

SSL with a weakness in certificates is better than plaintext. You can't
passively slurp all of the data; you need to be an active snooper for
this to work, and be willing to change data. Among other things, this
takes substantially more processing power than just slurping packets.

It's still good enough. Heck, the PGP signature didn't catch the OpenSSH
trojan; the MD5SUM did.

Jon Lasser
-- 
Jon Lasser      
Home: jon () lasser org         |    Work:jon () cluestickconsulting com
http://www.tux.org/~lasser/     |    http://www.cluestickconsulting.com
   Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/