Bugtraq mailing list archives
Re: New whitepaper "The Phishing Guide"
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 27 Sep 2004 23:15:21 -0700
Greg A. Woods wrote:

> [ On Thursday, September 23, 2004 at 12:21:40 (-0700), Seth Arnold wrote: ]
>
> > Methinks PGP is good for talking within friends, but perhaps trusting communications from J. Random Corporation with PGP as your best means of verification is a stretch. The Web Of Trust idea only takes you so far ...
>
> You seem to be blaming the existing state of the PGP web of trust on some fundamental failing in its design and yet you then go on to admit that people use the wrong kinds of things in real life to authenticate and identify others with, and you further admit that the public in general still has a lot to learn about using computing and networking infrastructures safely in their daily lives.
No, I think it is more general than that. Seth's criticism of PGP actually generalizes to any authentication-based "solution": it requires the users to be trained to reject all non-authenticated communications, and for the users to have a sophisticated notion of what constitutes "properly authenticated." This problem exists because the common mail clients accept non-authenticated e-mail, and the users have been trained to just accept that. No matter what you do, the users will continue habitually accepting non-authenticated traffic, with all the expected consequences.

To actually fix this problem, you would have to supply your users with a mail client that will *not* do anything "interesting" unless the mail has been authenticated. Go ahead and try that on your users; I'll wait :)

This has nothing to do with whether you use a hierarchical PKI (VeriSign et al) or a non-hierarchical PKI (PGP). It is all about the ease-of-use and default policies of the mail client.

Disclaimers galore: I am on PGP's Technical Advisory Board, but do not speak for PGP. Seth works for me at Immunix, but gets to have his own opinions.

Crispin
> PGP's web of trust can be almost infinitely more reliable, trustworthy, and controllable, than any one, or many, for-profit certification agencies. Just because one takes a set of dedicated PGP users and tries but fails to establish trust relationships with non-PGP users doesn't mean PGP's web of trust is broken -- one of the parties is "broken", not the web of trust itself or the concept of a web of trust. Obviously in order to establish trusted end-to-end communications both parties must be dedicated to using the technology that achieves their goal and both parties must have some basis for relating to each other. The web of trust simply allows that relationship to have a somewhat less direct nature and to be many-to-many instead of one-to-one. The idea that a web of trust can work very well once it reaches critical mass can be trivially demonstrated through simple analysis of the web of "friends" formed in any of these large online networking systems such as Orkut.
>
> > -- AND have faith that everyone in the middle played fairly.
>
> No, that's not true -- faith doesn't enter into it. In a sufficiently connected and properly maintained web of trust it should be relatively easy for conspirators to be weeded out and eliminated. Not that such a thing is easy to achieve of course. Obviously a sufficient level of interconnection in a web of trust requires a critical mass of users; and proper maintenance of the web of trust requires a sufficient level of proficiency and dedication on the part of those users. It would certainly help a lot if those users were encouraged to learn what they need to know and encouraged to pay attention to maintaining their status and involvement through the initiative of whatever large institutions many people are already involved with. Unfortunately it seems such institutions (e.g. banks, etc.) have so far gone in the direction of using for-profit (and usually for-profit public corporate) entities to manage X.509 style certificate authorities.
>
> Technically there is not a lot of difference between PGP's web of trust and a group of certificate authorities. PGP is not just for mail and SSL/TLS is not just for HTTP. There are indeed deficiencies in PGP's implementation choices. A public web of trust can be built using any public-key crypto system. I think the important thing is that we need to work on building a democratic web of trust -- and learn to rely less on certificate authorities operated by for-profit, and particularly public, corporations. The public corporation is anything but democratic, especially when it gets involved in the affairs of private individuals and government bodies.
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
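The thread argues about whether a web of trust can reach "critical mass" and whether unreliable introducers can be "weeded out". The following is an added example, written for this archive page and not taken from any message in the thread or from PGP or GnuPG source: a simplified model of the classic PGP/GnuPG key-validity computation. A key is valid once it is certified by one fully trusted valid key or by enough marginally trusted valid keys, within a maximum certification depth; the numbers 3 and 5 are GnuPG's defaults for marginals-needed and max-cert-depth, while the keyring of Seth, Alice, Bob and friends is a constructed sample.

```python
"""Simplified model of the PGP/GnuPG web-of-trust validity computation.

Added example for the archive page; not part of the original thread and not
GnuPG's code. Constants follow GnuPG defaults (3 marginals, depth 5); the
keyring below is constructed sample data.
"""
from dataclasses import dataclass, field

# Owner-trust levels the *local user* assigns to signers ("introducers").
FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class WebOfTrust:
    owner_key: str                                   # local user's key: always valid, trusted like FULL
    certs: dict = field(default_factory=dict)        # signer -> set of key ids it certified
    owner_trust: dict = field(default_factory=dict)  # key id -> FULL | MARGINAL | NONE
    marginals_needed: int = 3                        # GnuPG default --marginals-needed
    max_depth: int = 5                               # GnuPG default --max-cert-depth

    def certify(self, signer: str, target: str) -> None:
        self.certs.setdefault(signer, set()).add(target)

    def revoke_certification(self, signer: str, target: str) -> None:
        self.certs.get(signer, set()).discard(target)

    def set_trust(self, key: str, level: str) -> None:
        self.owner_trust[key] = level

    def _trust(self, key: str) -> str:
        return FULL if key == self.owner_key else self.owner_trust.get(key, NONE)

    def all_keys(self) -> set:
        keys = {self.owner_key} | set(self.certs)
        for targets in self.certs.values():
            keys |= targets
        return keys

    def compute_validity(self) -> dict:
        """Return {key_id: depth} for every key the local user can treat as valid.

        Validity propagates outward from the owner key, so iterate to a fixpoint:
        a key becomes valid when certified by one FULL-trusted valid key or by
        marginals_needed MARGINAL-trusted valid keys, each within max_depth.
        Note that validity (is this key really Erin's?) is separate from owner
        trust (do I trust Erin to vouch for others?).
        """
        valid = {self.owner_key: 0}
        changed = True
        while changed:
            changed = False
            for target in self.all_keys() - set(valid):
                full, marginal, depths = 0, 0, []
                for signer, targets in self.certs.items():
                    if target not in targets or signer not in valid or signer == target:
                        continue
                    if valid[signer] + 1 > self.max_depth:
                        continue                     # certification path too long to count
                    level = self._trust(signer)
                    if level == FULL:
                        full += 1
                    elif level == MARGINAL:
                        marginal += 1
                    else:
                        continue                     # untrusted introducers contribute nothing
                    depths.append(valid[signer] + 1)
                if full >= 1 or marginal >= self.marginals_needed:
                    valid[target] = min(depths)
                    changed = True
        return valid


def build_example() -> WebOfTrust:
    """Constructed keyring, loosely named after the thread's participants."""
    wot = WebOfTrust(owner_key="seth")
    for key, level in [("alice", FULL), ("bob", MARGINAL), ("carol", MARGINAL), ("dave", MARGINAL)]:
        wot.certify("seth", key)                     # Seth verified these keys in person
        wot.set_trust(key, level)                    # ...and decided how far to trust them as introducers
    wot.certify("alice", "corp")                     # one fully trusted introducer suffices
    for introducer in ("bob", "carol", "dave"):
        wot.certify(introducer, "erin")              # three marginal introducers together suffice
    wot.certify("bob", "frank")                      # a single marginal introducer is not enough
    return wot


def demo() -> tuple:
    """Validity before and after Seth withdraws trust in one introducer."""
    wot = build_example()
    before = wot.compute_validity()
    wot.set_trust("carol", NONE)                     # "weeding out" an unreliable introducer
    after = wot.compute_validity()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("valid before:", sorted(before))
    print("valid after: ", sorted(after))
```

Running it shows the two points the thread makes: `corp` and `erin` are valid only because enough trusted introducers connect them to Seth (`frank`, vouched for by a single marginal key, never becomes valid), and withdrawing trust from `carol` silently drops `erin` below the marginal threshold even though `carol`'s own key stays valid. That is the mechanism by which a maintained web prunes paths through a compromised or careless introducer, and also why a sparsely connected web gives a user of J. Random Corporation no validity at all.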