Father of SSL Talks Serious Security Turkey

coondoggie writes with an excerpt from a Network World article: "SSL/TLS, the protocol that protects security of e-commerce, has taken a beating lately, with news items ranging from the violation of certificate authorities to the discovery of an exploit that beats the protocol itself. But despite the exploit ... and the failures of certificate authorities such as Comodo and DigiNotar that are supposed to authenticate users, the protocol has a lot of life left in it if properly upgraded as it becomes necessary, says Taher Elgamal, CTO of Axway and one of the creators of SSL."

Who needs SSL?

[Anonymous Coward]

I don't have anything to hide!

Re:

[dyingtolive]

What will you do when not having anything to hide then becomes illegal?

Re:

[wsxyz]

I suppose then the fact that you have nothing to hide would be something to hide.

Re:

[davester666]

I suppose then the fact that you have nothing to hide would be something to hide.

...and thus, are no longer breaking the law...

Re:

[justforgetme]

unless they find out you are hiding something!

Re:

[ElmoGonzo]

Just post those bank account numbers, the routing codes, and a credit card number or 2. They're not worth hiding.

Re:

[Canazza]

that's the same combination as my luggage!

Re:

[cos(0)]

That's not very bright—assuming you're this card's owner, and the info is correct. This info will now come up on a cursory Google search, and if your credit provider learns that you wilfully published this info, they'll close your account because you've violated the cardholder agreement. The law that provides for reimbursement of unauthorized charges does not extend to people shouting their credit card info from the rooftops and expecting a bailout later.

Re:

[Anonymous Coward]

All I have to do is claim that someone stole my info and anonymously posted it to this site. For all you know, I may not even be the same person that posted it.

Re:

[Inda]

The number doesn't pass the LUHN test. Panic over. Move along. Nothing to see here.

Re:

[igreaterthanu]

You could have at least put the effort in to use a valid check number.

Re:

[icebraining]

Actually, that's interesting. I don't have a CC*, and as far as I know there's nothing one can do with my IBAN; direct debits and such have to be authorized Ã-priori with the bank.

Frankly, having only a single set of numbers that anyone can use to debit money from an account seems completely retarded to me. It's like giving your password instead of using OAuth, and bank accounts are still "somewhat" more important than Twitter's, one would think.

* actually, I have many; they're just virtual, have a sma

Re:

[icebraining]

That kind of moronic system doesn't work with my bank - I have to explicitly set up the payment with the bank myself - but in any case the "Direct Debit Guarantee" means he can revoke the payment, no questions asked.

Re:

[neight108]

I don't have anything to hide!

I find it ironic that "Anonymous Coward" has nothing to hide

Re:

[justforgetme]

Spanish... very interesting ;-)

Re:

[aepurniet]

You and Todd Davis of LifeLock seem to share this unpopular opinion.

Re:

[wierd_w]

Didn't the social security administration tell him in no uncertain terms to stop posting his ssn publicly, due to the number of illegal aliens using it for job applications?

It does its job

[faldore]

I am more worried about my ISP packet sniffing my traffic than a black hat.
As long as the SSL is good enough to keep my ISP ignorant, it's good enough for me.

Re:

[dkf]

So your ISP gets a cert signed by random crappy browser-trusted cert authority (e.g., run by an intrusive government) for some domain(s) they are interested in monitoring traffic on, and due to the way SSL is implemented in browsers, you have no idea they are sniffing all your traffic to that site.

SSL is broken.

But coming up with something more secure that is still practical, that's hard. Not having certificates last indefinitely is a good thing (limits the amount of damage from an undetected theft) as is not forcing the use of the same CA every time. It's just that some CAs should never have been trusted in the first place and some clients are crap at checking whether a certificate is actually good. One isn't a protocol problem but instead a social one (and just requires a few companies to be crushed into paste t

Re:

[starfishsystems]

No, SSL is not broken.

First, to address your premise, we are in no position to criticize any protocol merely because some particular implementation of it has been installed with a predefined set of root certs that you don't like. Second, to address your conclusion, it does not logically follow from the premise. QED.

That's not to say that there can be no possible flaws in SSL, though this is a point that you don't address. Both design and implementation vulnerabilities have indeed been identified in

Re:

[Lennie]

So tell me how does am access provider get a cert signed for a site/domain they don't host.

Isn't the exploit for an old version of TLS?

[msobkow]

Are there no upgrades to TLS 1.0 available? I thought the issue was browsers and websites that hadn't upgraded.

Re:

[magamiako1]

In Windows land:

IIS 7.5 (2008R2) and at least Windows 7 are required to support TLS 1.1 and 1.2.

In Linux Land:

Apache's mod_ssl does not support TLS 1.1 and 1.2, you need to use mod_gnutls, which is not default on many webservers.

Breaking news!

[joeflies]

Patches fix security flaw. News at 11

tl;dr: new trust model rumor

[colfer]

He hears rumors in Calif. of a new trust system to complement PKI. That's all he will say when the interviewer questions him repeatedly about a solution to the problem he goes on at length about: that browsers have PKI roots built in. I agree it's a terrible system, but asking the clueless user to select trusted roots would have its own problems, in, say, Iran. Or more precisely, clueless users in the US make it hard to deploy a system for careful users in Iran. The UI has to be both easy & difficult.

Re:

[pairo]

How would that help if an attacker can inject/remove data, not only sniff it?

Re:

[dkf]

I think he's talking about Convergence, the CA replacement system proposed by Moxie Marlinspike

The problem is there has to be some way to take old server certificates out of use and replace them with new ones, and that mechanism has to be doable without any signature by either the old certificate or the old CA. Moreover, you can legitimately have multiple certificates for one domain. The upshot of that is that if you pop up a dialog each time you detect such a thing happening, you'll train users to click OK for all security problems, which is an astonishingly bad idea! The advantage of the current sy

With all these different browser versions...

[Synerg1y]

Why do none support TLS 1.1, firefox is releasing new versions of its browser on an insane schedule, IE is on version 9, chrome is moving along, yet no tls 1.1? Is there something I'm missing here?

Of all the useless features they've implemented in the past year, why not secure the browser? I remember when firefox was proud of it's security.

Then again good luck replacing ssl, what are viable alternatives? Pointless discussion if there aren't any...

Also read carefully about BEAST, it's not a remote exploit, so you can't just click and choose the stream you want to sniff, it's a ways more complicated and requires a high level of trust on the compromised machine.

Re:

[AK Marc]

I checked the Opera I'm using and it allows me to use TLS 1, TLS 1.1, and TLS 1.2, and I can even disable the older ones to make sure I didn't auto-failback to an insecure TLS. Just because Firefox/IE doesn't do it doesn't mean it's not already out there in a free browser.

Then the other browsers need to update

[msobkow]

The argument that most websites haven't been upgraded is insane. The website admins won't upgrade their servers until the browser community can support it.

If Opera is already doing it, they've shown it can be done. Failure to do the same with Firefox, Chrome, et. al. is a sign of either laziness, incompetence, or extremely bad planning.

Stop farting around with 3D support and take care of the security fundamentals first!

Re:

[DrXym]

It's a chicken and egg issue and one that browsers need to force. If the major browser vendors were to multilaterally declare that sites had a 18 month period of grace to support TLS 1.1 / 1.2 after which SSL 3.0 and TLS 1.0 would default to off, then you can sure as hell bet things would start kicking up a gear. Meanwhile browser vendors need to actually implement TLS 1.1 and 1.2 so they can give sites something to test against.

Re:

[Synerg1y]

As did you, what major browsers?

Look here

http://en.wikipedia.org/wiki/Opera_(web_browser)#Market_adoption [wikipedia.org]

You calling opera a major browser and piggy backing off (#37683562) in regards to servers?

IE, Firefox, nor Chrome don't support it as stated above, a 10 second google search would yield something like...

http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en [google.com]

It's always worked like... browser implements new feature, web devs and admins follow, if you ask me to to turn on feature

Re:

[DrXym]

Server admins sure as hell will implement a later TLS if suddenly they're inundated with users complaining that various browsers refuse to connect to the site. The smart admins won't be caught out like that. The lazier ones will have to advise users to reenable TLS/SSL temporarily while they get off their asses and fix the thing they had ample warning was about to happen. That's why it needs to be broadcast loud and clear.

As for which browsers implement what, the point is if all browser vendors act in a c

Re:

[Synerg1y]

No transition has ever worked that way...

Downtime is not acceptable worldwide rofl.

Browsers would allow tls 1, 1.1, and 1.2 and then figure out what's supported or not by the server. Admins would recognize the hard lined benefits of 1.2 over 1.0 especially in shops that care about their security and set their servers to 1.2 only. In a few years, more and more people would adapt 1.2 until 1.0 can finally be phased out with a broadcast like message that you are implying.

Let me be clear though, unless there

Re:

[DrXym]

As I said, give them a large notice period and a schedule and then disable the old protocols by default in browsers. Users can still enable the old protocols but suddenly browsers become secure by default. It wouldn't stop sites downgrading to older protocols for older browsers but it would hugely diminish the attack surface and vulnerability going forward.

And yes it can work assuming the major browser companies were united behind a single plan. Sites would have to change and the large majority would chan

Re:

[Synerg1y]

Really?

I'd just tell my users not to upgrade and block the update via the ASA till I got off my ass, you realize I actually do this shit professionally don't you and it just doesn't work your way, never did, never will?

Never heard of sky TV, not a comparable scope though, tiny company vs the planet earth? Keep dreaming.

Pledging for automatic updates?

[praseodym]

The guy is pledging for automatic updates:

We have to build a mechanism to automatically update things. We did not do that. The right way to design, if we were to update things an updating protocol that automatically updates itself so when the next version comes up it knows where to find the next version rather than having to wait for a Windows update or whatever.

Actually, newer windows versions (Vista and later) use Microsoft's online Certificate Trusts Lists which allows exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:

On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL. Why is Microsoft releasing an update? Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List to validate the trust of a certification authority. As a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

(http://technet.microsoft.com/en-us/security/advisory/2607712)

Re:

[Taty'sEyes]

WOW! What else can this amazing operating system do? Who makes this? Micro What?

Re:

[Beeftopia]

Actually, newer windows versions (Vista and later) use Microsoft's online Certificate Trusts Lists which allows exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:

Single point of failure.

Re:

[Anonymous Coward]

Actually, newer windows versions (Vista and later) use Microsoft's online Certificate Trusts Lists which allows exactly this

No it doesn't. What Microsoft does is disable certficates.

Taher Elgamal is talking about automatically patching/updateing the SSL protocol itself, not just some certificate disabling. Nice idea, but noway that is going to happen in any serious environment. Just like with any other update, anyone taking his systems seriously will want to test this before deploying. Especially because this is about a communication protocol. Just imagine your VPN tunnels failing because the product on one end of the tunnel was

The solution is to throw out CAs

[spottedkangaroo]

I used to be in favor of patching things with DNSSEC, until I thought about it. I didn't really think about it until I saw moxie's blackhat talk. I happened to see it live, but not at blackhat. It's great. I think it's also a bulletproof argument against the CAs and DNSSEC. The protocol itself can be fixed (the security attack), but the current CA system pretty much can't be in a way that would satisfy me after seeing the talk.

http://www.youtube.com/watch?v=Z7Wl2FW2TcA [youtube.com]

http://convergence.io/ [convergence.io] (t

Re:

[Lennie]

While I really like the concept, I'm not sure how well this will work in practise scale.

The thing I like least about it is that it caches known certs for as long as the cert is valid.

How do people revoke certs of compromised keys in that model ?

Re:

[spottedkangaroo]

There are problems with this approach, but they're no worse than the CA-SSL model. In fact, they're quite a bit more survivable. And anyway, the idea is young. It will get better.

Regarding revocations. Do you really (honestly) subscribe to any revocation lists now? I've done this in the past, but I haven't done it for years and I care about this topic very much. The problem is the same with CA-SSL vs Convergence-SSL only with convergence you can sometimes detect the problem and with CA-SSL, you'll

Re:

[Lennie]

No revocation lists are usually huge, like 200MB+ so pretty much useless.

But you don't need a revocation list to revoke a certificate in any moden browser. It usually supports OCSP.

I believe browsers don't cache OCSP-responses longer than the browsing session (for as long as the browser is open) ?

So if you enable "When an OCSP server connection fails, treat the connection as invalid" you will be 'safe'.

Next time you start the browser OCSP is checked, thus if the certificate is revoked you would get a proper

Re:

[spottedkangaroo]

You're probably right. I have no idea how OSCP actually works, just nebulous ideas about how it probably functions. I don't think it changes much with respect to my (er, moxie's) arguments though. Who really has this turned on anyway? How does it solve the trust problems inherent with the CA-SSL model?

Local caching is a personal decision and it's a setting even in the prototype. You can choose to cache, or not. You can choose your notaries, or use the defaults. You can also choose between simple

Re:

[Lennie]

Forgot about that, you can turn off the cache. I don't currently use it, I was actually looking at the source on github. :-)

Anyway, I keep wondering how it will scale in general, like how would the general public who knows nothing about these settings and how it works or how to use it.

For example let's say you have many, many people using the same notary as a default in the browser, you could never ever turn it off.

Re:

[Lennie]

Something else I'm thinking.

If this gets introduced to the general public.

The first thing that will happen immediately is that when you install your new Windows Anti-Virus software the vendor will implement their own and just add their notary to the list.

Let me guess the OEM will add it's own notary as well ?

This all seems like a bad idea.

I don't know, maybe I'm just in a negative mood :-)

Re:

[spottedkangaroo]

Right now there's only one notary... er, two ... But later, if this catches on at all, there'd be like 30 or a thousand... and your client would probably pick randomly the first time. And if one failed, you'd just skip that one and use another (depending on your settings of course). I can imagine a hundred ways around the scalability problems (in your browser anyway).

Actually, Moxie talks about what happens if some of your notaries are untrusted. Since the FBI or the credit card thief will never know

Re:

[spottedkangaroo]

(Didn't really finish my thought: So if the OEM adds its own notary, you don't really lose anything as long as there's a couple others on the list too.)

Impossible to say?

[carcomp]

Talks Serious Security Turkey... I had to read that four times before it actually made sense. Talks securitious security... turkey security.. Sorry for the randomness, but I wouldn't have even clicked this article had it not been for the title being so weird.

Re:

[Thud457]

I'm sorry, like all users, all I heard was:

Father of gobble Talks Serious gobble gobble
Posted by Unknown Lamer on Tuesday October 11, @03:27PM
from the trust-me-i-invented-a- gobble - gobble dept.
coondoggie writes:

with an excerpt from a gobble World article:

" gobble / gobble , the gobble that protects gobble of e- gobble , has taken a beating lately, with news items ranging from the gobble of gobble gobble s to the discovery of an gobble that beats the gobble itself. But despite the gobble ... and the failures of gobble gobble such as Gobble and Gobble that are supposed to gobble users, the gobble has a lot of life left in it if properly gobble ed as it becomes gobble , says Gobble Gobble , gobble of gobble and one of the creators of gobble .

Security Turkey?

[The Grim Reefer2]

Wasn't Canadian Thanksgiving yesterday?

BEAST, TLS 1.0 v. 1.1, CA model, security upgrades

[Onymous Coward]

Summarizing...

BEAST, TLS 1.0 v. 1.1
The BEAST attack is somewhat a concern for TLS 1.0, just how practical the attack is has yet to be seen. Requires malware on your the system, so he says, which means you've already lost the game. Moving to TLS 1.1 would protect against BEAST, but is problematic because of lack of support.

CA System, upgrades

Is there a better way than certificate authorities?

The fact that browsers were designed with built-in root keys is unfortunate. That is the wrong thing, but it's ver