5 Apr 2010, 9:58 a.m.
On 04/05/10 07:37, Sarad AV wrote:
> --- On Sat, 4/3/10, Dave Howe <DaveHowe@gmx.co.uk> wrote:
>
>> From: Dave Howe <DaveHowe@gmx.co.uk>
>> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
>> To: "Email List - Cypherpunks" <cypherpunks@al-qaeda.net>
>> Date: Saturday, April 3, 2010, 4:19 PM
>>
>> Rayservers wrote:
>>> I have proposed that we strip out ALL outside certificate authorities
>>> from an open source browser, and distribute such... and to practice
>>> what I preach, I just went into FF and nuked the bunch - and whee, I
>>> can connect, verify the cert and login :). The USER - a la monkey
>>> sphere - has to decide if she trusts the Certificate Authority - who
>>> the hell are they anyway? And to answer my own rhetorical question -
>>> those that issue the highest TRUST certificates to licensed scammers
>>> a.k.a. the banks. I do not trust a single one of the recommendations
>>> of official CAs. If I am forced, like one has to in this world - to
>>> visit a bank website, I can figure out how much I distrust them all by
>>> myself. All I want to know is "am I visiting the same site again"...
>>> and a "self signed" cert is all I need, "ssh style". And yes, I love
>>> the monkeysphere approach which would add meaningful levels of trust
>>> to that choice. And no - there is no difference in my trust level if
>>> the cert says "self signed" or "fairysign super duper" perhaps the
>>> former is better! - at least fairysign cannot go off and bless the
>>> MITM - especially of any sites I run!
>>
>> It's a nice theory, but doesn't cover first-visit scenarios, nor the yearly
>> rekey grind of giving CAs (large amounts of) money for the results of a
>> fairly easy math problem.
>
>
> The first visit scenario is definitely an issue. That brings it to the other

It is an issue similar to the issue of trust when you walk into a bazaar - a
free market with *many* of two kinds of people: *buyers* and *sellers*.

By requiring everyone to have an "identity" card from the Queen of England**
herself, it just makes the Queen more equal than anyone else. Soon, you cannot
do business selling tomatoes grown in your backyard without a special license
from the Queen - to ensure that you only used "approved" seeds... and on it
goes.

Grow up people - you have to do the work of learning to trust - all by
yourself. You better learn quick that trusting your friends is better than
trusting the Queen of England herself - for neither you nor I know the Queen,
and it seems she is a prisoner of certain people.

If, on the first visit, you are using a poisoned DNS system, or on a
compromised operating system, then foo on you. The future will have neither,
except at the option of the losers who wish to be losers.

Cheers,

---Venkat.

** Just picking a familiar Head of State, it could very well be your CA, a
petty government official, the Drivers License bureau, or some Wizard from the
Land of Oz. It does seem though, that the Queen of England is herself a
prisoner to certain powers, so how do you know that Fairysign is not?

> question - why cannot CAs issue certificates to sites say like 10 years or
> 20 years and get the corresponding money for that. Most certificates issued
> by CAs usually have 2-3 years validity. In case of a significant mathematical
> breakthrough the CA should provide an alternate secure certifying mechanism
> if the breakthrough occurred within the service period (10/20 years). The
> question is why do popular https sites not go for certificates that expire in
> 10/20 years if it helps security?
>
>
>
> Another question, this one is specific to Gmail - which the entire session is
> on https.
>
> When I click a pdf in my Gmail to be opened with Google Docs, the certificate
> is signed by Google (used a third-party browser plugin to check this). That is
> fine, however my browser never alerts me as a potential untrusted certificate
> and if I want to add it as an exception. Does that mean Google is an
> intermediate CA or what does that mean?
>
>
> Thank you, Sarad AV
>
>
>
>>
>> What I would prefer is some parallel system where person 'x', who I trust,
>> may or may not have visited site 'y', and may or may not have signed the
>> then certificate, the signature for which (with its date of providence) is
>> then stored *on the site* for me to access though a well-known url. That
>> way, I can look with suspicion at sites which do not have such a
>> certificate, investigate myself if they are serving the certificate I am
>> expecting to see (and how do I do that? I have tried in the past phoning
>> companies to obtain their website public key for independent verification;
>> most don't know what one is, a few have even said they can't disclose that
>> as it is *privileged information*....)
>>
>> But, who do I trust for that, who do *you* trust for that, and will those
>> people be willing to give up a significant slice of time every year
>> revisiting websites after their certificates are renewed, and facing the
>> same hurdles I did (the complete ignorance of most companies as to how
>> their websites' certificate works and unwillingness to supply an accurate
>> fingerprint over the phone).
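
The "ssh style" check debated in this thread ("am I visiting the same site again"), together with the first-visit and yearly-rekey cases raised against it, as an added example that is not part of any poster's message. `PinStore`, its method names, `bank.example` and the byte strings standing in for DER certificates are all constructed for illustration.

```python
import hashlib
import hmac

class PinStore:
    """Trust-on-first-use store: host name -> SHA-256 of the DER certificate."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, der_cert: bytes) -> str:
        host = host.lower().rstrip(".")
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            # First visit: nothing to compare against, so the pin is only as
            # trustworthy as the network path was at this moment.
            self.pins[host] = seen
            return "first-visit"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # A rekey and an interception look identical here; keep the old pin
        # until the user confirms the new fingerprint out of band.
        return "changed"

    def accept_change(self, host: str, der_cert: bytes, confirmed_fp: str) -> bool:
        # Replace the pin only if the presented certificate matches a
        # fingerprint obtained through another channel (phone, a friend).
        seen = self.fingerprint(der_cert)
        if not hmac.compare_digest(seen, confirmed_fp.lower().replace(":", "")):
            return False
        self.pins[host.lower().rstrip(".")] = seen
        return True

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_OLD = b"constructed cert: bank.example, key A"
CERT_REKEY = b"constructed cert: bank.example, key B (yearly rekey)"
CERT_OTHER = b"constructed cert: bank.example, key X (unexpected)"

def demo():
    store = PinStore()
    out = [store.check("bank.example", CERT_OLD),
           store.check("Bank.Example.", CERT_OLD),
           store.check("bank.example", CERT_OTHER)]
    fp = PinStore.fingerprint(CERT_REKEY)  # value read out over the phone
    out += [store.accept_change("bank.example", CERT_OTHER, fp),
            store.accept_change("bank.example", CERT_REKEY, fp)]
    return out + [store.check("bank.example", CERT_REKEY)]
```

On a live connection the certificate bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`; the store cannot tell a rekey from an interception on its own, which is the gap the out-of-band fingerprint fills.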