[cap-talk] Web introductions, fingerprint service (was: SSL protection racket)
Jed Donnelley
jed at nersc.gov
Wed Feb 27 17:15:10 EST 2008
On 2/27/2008 12:47 PM, Bill Frantz wrote:
> jed at nersc.gov (Jed Donnelley) on Tuesday, February 26, 2008 wrote:
> ...
> I don't think that Firefox has a petname system. You can add one
> on, but it isn't standard equipment.
Kind of a sad state of affairs in my opinion.
> I think it is still stuck in
> the global namespace trap that there is only one citi.com, and
> users will know which one it is, so that is the only thing that
> needs to be authenticated.
More on the above below where I think you pose a good test.
>...
> I like self-signed certs with pet names for repeat business.
> However, for a real world example, I'm about spend a significant
> amount of money with an online business with which I have no
> previous relationship. None of the good references I have for this
> business give me a fingerprint of their public key, so I have to
> leverage trust somehow. Therefore I'll probably look carefully at
> their certificate, and trust in the limited liability for credit
> cards.
Here is the approach I suggest.
1. Connect to your best guess at the site of your proposed
business partner with SSL.
2. Put a Petname name on the connection (ABC Corp. test).
3. Now do some work to evaluate your trust that this
connection is really to the ABC Corp that you know from
your other introduction information. For example:
4. You can Google references for the ABC Corp and
check that the IP address that you get to is the same
that you connect to through your SSL connection. If
so, then you are safe to within IP spoofing (e.g.
your Man in the Middle attack).
5. Talk to anybody you know who has interacted with
ABC Corp on the Web. You can ask them about the fingerprint
(hmmm. Is it common to have both SHA1 and MD5
fingerprints? It appears those fingerprints are
much larger that I thought, e.g. for Fidelity
Investments I have:
SHA1 Fingerprint:
76:BA:F8:17:69:D5:9E:09:D5:B6:D3:52:AE:03:D6:E2:4C:3E:B2
and:
MD5 Fingerprint:
C7:22:69:E4:F0:B5:8B:D4:27:59:77:7B:97:64:D1:AB
). If your introducer is communicating to the
same public key, then it seems your introduction
is sound.
Hmmm. It occurs to me that this sort of comparison
(ABC Corp. to the fingerprint[s] for their
public key) should be something rather straight
forward (though perhaps computationally costly) to
provide on a search site. I've looked around
a bit and haven't found such a search site.
Anybody know of a search site that even indexes
SSL sites?
What I'd like to see is a site that finds
https links to a DNS named site, and provides
me the fingerprints for the public keys that
it finds there. If they are all the same and
that's the fingerprint for the public key that
I'm bound to with my Petname Tool, then it seems
to me I'm in a pretty strong position.
On the other hand if there are multiple
fingerprints that claim to be for this
DNS/corporate name, then I have some issues
to resolve.
Just thinking about this a bit, probably the
best assurance would be to have many computers
at many "independent" locations around the
Web/world finding and reporting the fingerprints.
The above is a service that seems to me I
would find useful. What do you think Bill?
Would you find such a service useful? If
I looked and found multiple Fidelity
fingerprints, I'd be concerned. If I find
only one and its the one I use, then I
have more confidence in the site.
Does that seem reasonable to others? Something
like the above seems to me much preferable
to "I'll probably look carefully at their certificate"
which to me provides no real assurance/trust.
What do others think?
--Jed http://www.webstart.com/jed/
More information about the cap-talk
mailing list