Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Dave Howe DaveHowe at gmx.co.uk
Tue Apr 6 17:20:31 PDT 2010


Rayservers wrote:
> It is an issue similar to the issue of trust when you walk into a bazaar - a
> free market with *many* of two kinds of people: *buyers* and *sellers*.

Indeed, and many get scammed, then find the peddler they bought their
"bargain" from isn't there the next day when they return.

> By requiring everyone to have an "identity" card from the Queen of England**
> herself, it just makes the Queen more equal than anyone else. Soon, you cannot
> do business selling tomatoes grown in your backyard without a special license
> from the Queen - to ensure that you only used "approved" seeds... and on it goes.

It's certainly getting that way now. My local butchers are unable to make
their own sausages - because the requirements for documenting and
providing the ingredients for each "product" apply to that, and it is
not economically viable to go through that process when they can instead
buy a standard "mix" from a supplier, add a specified weight of
specified meats, and then use the supplier's pre-certified documentation
and ingredients list.

Does that protect us against rogue food providers? Possibly. Does it
stop my (formerly award winning) butcher from selling me a superior
product instead of the standardized one? Yes, it does.

> Grow up people - you have to do the work of learning to trust - all by yourself.

On the internet, nobody knows you are a dog.

On your website, nobody can tell if you are or aren't really BigBank,
BigBoxShifter, or BigManufacturer; there is therefore a market for
certifying this, and the current climate (where you get to choose in a
competitive market which lizard you select, but must select a lizard) is
a viable approach; however, it's plainly biased in favour of the current
incumbents, who have a vested interest in keeping prices high and
consolidating against outsiders.

A distributed model would be good, but even leaving aside key
distribution issues for your trusted recommenders, it means that you are
basing your own trust decision on two things - one, that the person
certifying the site is himself trustworthy, and two, that the process
was not compromised (if I wished to establish a scam site, and a
distributed model was in place, the first few transactions would be
*amazingly* honest and I would take pains to get those first few
certifications well established... then fight tooth and nail to hang on
to them and prevent any revocation being posted, no matter how many
other people I scammed based on the mistaken trust assertion made by the
early visitors.)

> You better learn quick that trusting your friends is better than trusting the
> Queen of England herself - for neither you nor I know the Queen, and it seems
> she is a prisoner of certain people.

Or could be badly advised as to the trustworthiness of some of her
couriers - because she herself doesn't know if a particular supplicant
is honest and trustworthy, so must rely on others to assert that to her.

But in essence, even if you have a lot of trustworthy friends whose
online community of interest is similar to yours, you are going to have
to be the first visitor to at least some of the sites - and the trust
decision is then going to have to be made by you based on something
other than the distributed network.

> If, on the first visit, you are using a poisoned DNS system, or on a compromised
> operating system, then foo on you. The future will have neither, except at the
> option of the losers who wish to be losers.

The future will *always* have lusers. It's in the nature of the system -
spam and phishing scams would not exist if there wasn't a profitable
minority who believe that yes, there *is* a Nigerian out there who
wishes to give them 6 million dollars, and all he needs is their bank
details... that 90%+ of all email is now of this type just shows there
is a profit to be made from the gullible being gullible. All attempts to
"do something" about this will not make the gullible any safer, but will
restrict what *you* can do without the permission of the state. Laws
are, for the most part, to force the law abiding to not do things the
scofflaws will ignore anyhow, even if the law abiding previously had a
legitimate reason to do so.

More information about the cypherpunks-legacy mailing list