funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
From: Dan White <dwhite () olp net>
Date: Tue, 13 Oct 2009 09:27:46 -0500
On 13/10/09 09:02 -0400, Valdis.Kletnieks () vt edu wrote:
> On Sun, 11 Oct 2009 23:31:08 CDT, Dan White said:
>> 3) Doing what we can to develop and increase our participation in a public key infrastructure and IPSEC.
>
> Unfortunately, most of the problems we have would *not* be fixed with more crypto and IPSEC (with the exception of closing down unencrypted wireless and making the standard there WPA2 or a better follow-on). I mean, *seriously*,

Sure it would. The idea of an IPSEC enabled PKI is that you have end-to-end security, with perhaps many untrusted networks in the middle. It means two-way trust. It means that the two parties communicating know exactly who each other are and know that no one else can listen in on their private communications.

> You want to fix something - come up with a good way to enhance the trust for websites that load from multiple places. Go read Schneier's "Secrets and Lies", he has a good chapter on SSL snake oil, but to sum it up with a re-quote of an example from yesterday: If I'm on msnbc.msn.com, and click a link that takes me to discovery.com, what reason does my browser have to trust the Flash content that gets loaded from mstories.vo.llnwd.net? (Hint - your scheme has to work even if discovery.com is compromised - if the hacker can change the link, there's a good chance that if you depend on a digital signature of the page containing the link, he can re-sign the page as well. Probably not for discovery.com, which likely has separate devel and prod machines and the signing can happen on the devel boxes - but there's a *lot* of "update in place" websites that would almost certainly have the signing keys on the webserver. Bad idea, I know, but it's gonna happen.)

I'm not sure I exactly follow the scenario. I need to trust that my bank knows what they're doing, or I'm not going to do online banking, or do any banking with them. Ditto for anyone else that handles my private data. I don't need to trust anything from msnbc.msn.com, or discovery.com, or a flash file found on one of those websites.

You say SSL is snake oil? I don't really disagree with that. IPSEC is a very attractive antidote to it.

--
Dan White

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- dumb. Comcast pop-ups RandallM (Oct 10)
- Re: dumb. Comcast pop-ups Jon Kibler (Oct 10)
- Re: dumb. Comcast pop-ups Alex Lanstein (Oct 10)
- Re: dumb. Comcast pop-ups Rich Kulawiec (Oct 11)
- Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Larry Seltzer (Oct 11)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Larry Seltzer (Oct 12)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Valdis . Kletnieks (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Valdis . Kletnieks (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 16)
- Re: dumb. Comcast pop-ups Alex Lanstein (Oct 10)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) G. D. Fuego (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 17)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) G. D. Fuego (Oct 17)
- Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) Larry Seltzer (Oct 17)
- Re: dumb. Comcast pop-ups Jon Kibler (Oct 10)