[cap-talk] SSL protection racket
Jed Donnelley
capability at webstart.com
Mon Feb 25 23:49:43 EST 2008
At 07:41 PM 2/25/2008, Mike Samuel wrote:
>On 25/02/2008, Karp, Alan H <alan.karp at hp.com> wrote:
>"Pay up or most of your customers won't be able to figure out how to
>reach you."
>
>
>Do the postal service, the yellow pages, and the telephone company
>fit this description?
Perhaps loosely, but the cause is quite distinct and more like the
protection racket. When you have a Web site you've already paid
for the communication service (like postal or telephone). There is
also no problem with being found - e.g. if you have a non-ssl site
things work fine, so the yellow pages analogy doesn't apply.
There is no technical problem with self signed certificates or
even certificates signed by CAs that aren't in on the take.
The scheme becomes a protection racket when they manage to
block customers unless you pay them for "protection" that
doesn't actually protect anything. To me that describes
this situation exactly.
Regarding:
At 07:44 PM 2/25/2008, John Carlson wrote:
>Best bet: Download the firefox source, modify it to suit your needs,
>and provide it for download to your customers.
>
>Isn't open source wonderful?
The above might sound good, but it isn't practical. Many (most) of our
customers are one time or seldom visitors. You think such visitors
are going to download a special browser just to visit our site?
Even our moderately regular customers of course visit many more
sites than ours. Every site is going to use a similar solution?
We did spend time documenting how to designate the DOE grid
certificate authority as one of the anointed few in several
browser types. We got complaints from users that the procedure
was too much trouble. It doesn't take too many trouble tickets
before you're better off paying off the extortion. Of course
that's what those in the racket count on.
For me the key issue is that of providing value. Those who believe
that blocking access to Web sites whose certificates aren't signed
by the anointed few (or have expired certificates?) (e.g. Ivan?) should
be arguing that by doing such blocking value is provided to users.
What value? Somehow paying for a certificate signed by the
anointed few is going to provide more security than not?
The argument that paying more shows you are more serious or
reliable is specious. People already pay for their Web
sites and their content is a much better measure of such
seriousness and much more visible.
What is driving this change - e.g. in Firefox 3? Is it a study
that more phishing or other criminal Web sites use certificates
that aren't signed by the anointed few? I'd be quite interested
to see such a study. Something like that might well convince me
that such blocking might (the proof would of course become
available after the change) possibly provide some value.
If after the fact the change doesn't provide value (reduce
attacks through Web sites), do you think the blocking will
be removed? Dream on.
Consider an example like:
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
I don't know how much income is typically generated by
a phishing site, but I'm sure it's considerably more than
the $20 or so for a low end certificate signing. To make
such work worthwhile it must compare to the value derived
from relatively low end legitimate Web sites. Pricing the
phishing sites out of business doesn't seem like a workable
model to me.
Oh well, not capability focused so I guess not sufficiently
relevant to cap-talk. Anybody know where such discussion is
more legitimate? I'd be interested to hear what others are
saying on this topic.
--Jed http://www.webstart.com/jed-signature.html