Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: Joe Greco <jgreco () ns sol net>
Date: Fri, 2 Jan 2009 15:33:05 -0600 (CST)
> On 2 Jan 2009, at 12:33, Joe Greco wrote:
>> We cannot continue to justify security failure on the basis that a
>> significant percentage of the clients don't support it, or are
>> their support. That's an argument for fixing the clients.
> At a more basic level, though, isn't failure guaranteed for these kind
> of clients (web browsers) so long as users are conditioned to click OK/
> Continue for every SSL certificate failure that is reported to them?
Yes. This is a major problem.
> If I was attempting a large-scale man-in-the-middle attack, perhaps
> I'd be happier to do no work and intercept 5% of sessions (those who
> click OK on a certificate that is clearly bogus) than I would to do an
> enormous amount of work and intercept 100% (those who would see no
> warnings). And surely 5% is a massive under-estimate.
Yet I do not particularly wish to ignore the problem, just because we do
not have a completely comprehensive solution to the problem that solves
every case and prevents every mistake.
The Firefox changes to really draw attention to certificate issues are,
regardless of what people have said about "usability" and "practicality,"
an important step.
However, there's something else being highlighted here. SSL certificates
have a major failing in that it is really spectacularly annoying and
difficult for some people to acquire them, and/or the value in paying more
than a trivial sum (or any sum) is hard to justify, etc.
For example, I have absolutely no desire to pay even a modest $15/year
per device to get all my various networking devices to have legitimate
SSL certificates; instead, we run our own local CA and import our root
CA cert into browsers. It's cheaper, *more* secure, etc. Nobody but us
will be logging into our devices, and our browsers have the local root CA
Now, many sites just don't see the need, and self-signed certs are
This would seem to point out some critical shortcomings in the current SSL
system; these shortcomings are not necessarily technological, but rather
social/psychological. We need the ability for Tom, Dick, or Harry to be
able to crank out an SSL cert with a minimum of fuss or cost; having to
learn the complexities of SSL is itself a "fuss" which has significantly
and negatively impacted Internet security.
Somehow, we managed to figure out how to do this with PGP and keysigning,
but it all fell apart (I can hear the "it doesn't scale" already) with SSL.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.