[cap-talk] SSL protection racket - Petname Tool

Bill Frantz frantz at pwpconsult.com
Wed Feb 27 15:47:52 EST 2008


jed at nersc.gov (Jed Donnelley) on Tuesday, February 26, 2008 wrote:

>On 2/26/2008 3:19 PM, Bill Frantz wrote:
>> jed at nersc.gov (Jed Donnelley) on Tuesday, February 26, 2008 wrote:
>> 
>>>> Just create your own self-signed
>>>> cert for the bank of your choice and away you go.
>>> How does that get you into the middle?  All it does is to allow
>>> you to set up another secure site - without paying any extortion
>>> money to a protection racket.
>> 
>> You run a DNS poisoning attack, and get citi.com to come to you.
>> You generate a self-signed cert for citi.com and use it on your
>> server.
>
>Such a self-signed cert would fail my Petname Tool trust
>model (I assume?).  It would certainly be a different
>public key than the one that I developed the trust in.

I don't think that Firefox has a petname system. You can add one
on, but it isn't standard equipment. I think it is still stuck in
the global namespace trap that there is only one citi.com, and
users will know which one it is, so that is the only thing that
needs to be authenticated.


>> You use the real citi.com server as a back end and you are
>> now a man-in-the-middle.
>
>My basic point is that I don't trust DNS and I don't trust
>the network, but I do trust SSL to a certificate (private key)
>that I've developed trust in through other means (introductions,
>a past relationship).  It isn't the name in the certificate
>that makes me trust it.  If that was my model all sorts of
>confusion would be possible, naming ambiguities and conflicts.
>
>My system (which, sadly, I must trust) picks the nonce and
>does the handshake with the known trusted public key.  If
>the handshake works then I trust the party at the other end
>as much as my trust model has built up that trust (modulo
>my trust in SSL).
>
>Given that model, do you still believe that a self-signed
>certificate or DNS failures or generally an untrustworthy
>network (e.g. the Cyber Cafe example) results in my being
>threatened by a man in the middle attack?

I like self-signed certs with pet names for repeat business.
However, for a real world example, I'm about to spend a significant
amount of money with an online business with which I have no
previous relationship. None of the good references I have for this
business give me a fingerprint of their public key, so I have to
leverage trust somehow. Therefore I'll probably look carefully at
their certificate, and trust in the limited liability for credit
cards.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world     | Periwinkle
(408)356-8506      | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032
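
An added illustration, not part of Bill Frantz's message and not Petname Tool code: a minimal model of the trust rule discussed in the thread, where a petname is bound to a public-key fingerprint rather than to a DNS name. The class and function names, and the byte strings standing in for encoded public keys, are constructed for the example.

```python
import hashlib

# Constructed stand-ins for the encoded public keys seen in two handshakes.
BANK_KEY = b"constructed-public-key-of-the-site-trusted-earlier"
OTHER_KEY = b"constructed-public-key-from-a-new-self-signed-cert"


def fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 over the presented public key; the certificate's name plays no part."""
    return hashlib.sha256(public_key_bytes).hexdigest()


class PetnameStore:
    """Maps key fingerprints (never hostnames) to petnames chosen by the user."""

    def __init__(self):
        self._by_fingerprint = {}

    def assign(self, public_key_bytes: bytes, petname: str) -> None:
        # Called only once trust exists through other means
        # (an introduction, a past relationship).
        if petname in self._by_fingerprint.values():
            raise ValueError("petname already bound to a different key")
        self._by_fingerprint[fingerprint(public_key_bytes)] = petname

    def lookup(self, public_key_bytes: bytes):
        return self._by_fingerprint.get(fingerprint(public_key_bytes))


def judge(store: PetnameStore, hostname: str, public_key_bytes: bytes) -> str:
    """Decide what to show the user after a handshake with the presented key."""
    petname = store.lookup(public_key_bytes)
    if petname is not None:
        # Same key as before: the hostname that led here is irrelevant.
        return f"trusted as '{petname}'"
    # Unknown key: the hostname is only a claim, whoever signed the cert.
    # This is also the first-contact case, where no fingerprint is available
    # and trust has to be leveraged some other way.
    return f"no petname: '{hostname}' is unverified"


if __name__ == "__main__":
    store = PetnameStore()
    store.assign(BANK_KEY, "my bank")
    print(judge(store, "citi.com", BANK_KEY))    # repeat business, known key
    print(judge(store, "citi.com", OTHER_KEY))   # same name, different key
```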


