oss-sec mailing list archives
Re: HTTPS
From: Pavel Labushev <pavel.labushev () runbox no>
Date: Thu, 22 Aug 2013 20:19:30 +0800
On Wed, 21 Aug 2013 14:13:55 -0600 Kurt Seifried <kseifried () redhat com> wrote:
> Right now the bar is so low as to be in the negative scale. Using HTTPS instead of HTTP raises it, the attacker now has to compromise the server, if they can do that, they could have also done it before most likely, so adding HTTPS doesn't make things any worse/riskier.
I didn't say HTTPS could make it riskier. And since you seem to put words in my mouth, please, read carefully what you're replying to.
> I'm honestly tired of the "we shouldn't change the status quo of no security because we might not do the new security perfectly", guess
I didn't mean or say that either. I objected to calling HTTPS "a good approximation" to content signing. Because:

- It's not. It just doesn't address many problems and risks that content signing does, and that were proven to be statistically (even more) significant in practice.
- When someone calls HTTPS a good approximation to content signing or something like that, expect no other integrity/authenticity checking measures to be implemented. I wonder, are there any major practical examples that prove the contrary? Doesn't seem so.

Besides, content signing isn't perfect or even isn't something new, at all. It has been available for more than a decade. It even has known issues, including unsolved or even unsolvable (in practice) ones. Yet it's much more suitable for the task than HTTPS.

I'm tired of people who propose flawed or inappropriate solutions on the premise of "doing something is better than doing nothing" when at the same time there are better solutions available and practically applicable, many of which are even considered to be common practices. There are variations of that misguiding fallacy:

- "The perfect is the enemy of good"
- "Perfection is unreachable"

Except the proposed half-measures are usually not good at all. And their good available alternatives are not perfect. Just like HTTPS is not good as a replacement to content signing, and content signing is by far not perfect yet is reachable (applicable) pretty much. Sure, it's much easier to just plug HTTPS in and go like "ok, it's good enough". No, it's not. Even statistically - it's not.
> what: you're not going to get any better at this without practise, when I was in my early 20's I bought a copy of stronghold and an SSL cert for seifried.org, Thawte had no idea how to sell a certificate to an individual (as opposed to a company), we compromised on a scan of my passport (since I had no business papers for it, being that it was just my name and not a company). Did I deploy SSL properly? in
All this is just totally irrelevant.
> retrospect not really. But that's why we do things, find the mistakes and then correct them. And the only way to find a lot of these
Well, as long as we're talking about HTTPS, I don't see any mistakes that were corrected. It has many flaws, and even though solutions do exist for some of them, it's like no one cares to implement and/or use them. HTTPS is being misused, over-advertised, inappropriately implemented, overcomplicated and in many cases provides a false sense of security instead of any due security.
> mistakes is to actually do it. We can sit around and discuss possible issues till the cows come home but that's not going to really help anyone.
Was I just told to shut the fsck up? The issues are not "possible" but real. So I refuse to follow your advice and instead will continue to say against implementing ineffective half-measures and spreading a false sense of security. And perhaps it's you, for whom you should "set up a room", where you could speak on behalf of anyone.