Slashdot Mirror

← Back to Stories (view on slashdot.org)

Book Review: Bulletproof SSL and TLS

Posted by samzenpus on from the read-all-about-it dept.

benrothke writes If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = security myth is dispelled. For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL./TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security. Keep reading for the rest of Ben's review. Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications author Ivan Ristic pages 530 publisher Feisty Duck rating 10/10 reviewer Ben Rothke ISBN 978-1907117046 summary Tremendous guide on how to correctly deploy TLS by one of the top experts in the field Ristic is the author of the SSL Labs web site; a site dedicated to everything SSL, including extensive documents and tools.

One would think that it's impossible to write an interesting book about a security protocol. But for those who use SSL or just want to understand what it's all about, the book is not only quite practical, but a very interesting read.

The book provides a good balance of overview, protocol details, summary of vulnerabilities and weaknesses, and a large chunk of practical deployment guidance.

The first three chapters provide an excellent overview to SSL, TLS, PKI and cryptography. While chapter 2 may be a bit dry, the introduction is thorough and comprehensive.

Chapter 4 is particularly interesting in that the author notes that while the cryptography behind SSL and PKI is fundamentally secure, there is an inherent flaw in how PKI operates, in that any CA (certificate authority) is able to issue a certificate for any name without have to seek approval from the domain name owner. This trust dependency creates numerous attack vectors that can be exploited.

The chapter details a number of significant incidents that arose from this flaw, from the 2001 code signing certificate mistake; where Verisign mistakenly issued Class 3 code signing certificates to someone claiming to be a Microsoft employee, to the Flame malware, which was signed with a bogus certificate that was seemingly signed by Microsoft, to a number of other issues.

In chapter 5, the book details a number of HTTP and browser issues, and related TLS threats. Attacks such as sidejacking, cookie stealing, cookie manipulation and more are detailed.

The author wisely notes that cookies suffer from two main problems: that they were poorly designed to being with, allowing behavior that encourages security weaknesses, and that they are not in sync with the main security mechanisms browsers use today, namely same-origin policy (SOP).

The chapter also details a significant TLS weakness in that that certificate warnings generated often leaves the clueless user to make the correct decision on how to proceed.

Ristic writes that if you receive an alert about an invalid TLS certificate, the right thing to do is immediately abandon the connection attempt. But the browser won't do that. Browser vendors decided not to enforce TLS connection security; rather they push the problem down to the user in the form of a certificate warning.

The problem is that when a user gets a certificate warning error, they simply don't know what to do to determine how big of an issue it really is, and will invariably choose to override the warning, and proceed to the website.

The challenge the user face is that these certificate warning errors are pervasive. In 2010, Ristic scanned about 119 million domain names (.com, .net and .org) searching for TLS enables sites. He found that over 22 million or 19% of the sites hosted in roughly 2 million IP addresses. But only about 720,000 had certificates whose names matches the intended hostname.

The chapter also details that the biggest problem with security indicators, similar to the certificate warnings, is that most users don't pay attention to them and possible don't even notice them.

As valuable as the first half of the book is, its significance really comes alive starting in chapter 8 on deployment issues. The level of security TLS offers only works when it is deployed correctly, and the book details how to do that. Given that OpenSSL, which is the most widely used SSL/TLS library, is notorious for being poorly documented and difficult to use, the deployment challenges are a significant endeavor.

Another issue with TLS, is that it can create performance issues and chapter 9 provides a lot of insight on performance optimization. The author quotes research from Google that SSL/TLS on their email systems account for less than 1% of the CPU load, less than 10kb of memory per connection, and less than 2% of the network overheard. The author writes that his goal is to enable the reader to get as close as possible to Google's performance numbers.

SSL/TLS has a reputation for being slow, but that is more a remnant of years ago when CPU's were much slower. With better CPU's and the optimization techniques the book shows, there is no reason not to use TLS.

For those that want an initial look, the table of contents, preface, and chapter 1 are available here. Once you get a taste of what this book has to offer, you will want to read the entire book.

As noted earlier, OpenSSL is poorly documented. In Bulletproof SSL and TLS, Ivan Ristic has done the opposite: he has written the most readable and insightful book about SSL/TLS to date. TLS is not so difficult to deploy, but incredibly easy to deploy incorrectly. Anyone who is serious about ensuring that their SSL/TLS deployment is effective should certainly read this book.

Reviewed by Ben Rothke.

You can purchase Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.

57 of 92 comments (clear)

  1. It's an encryption layer by i+kan+reed · · Score: 1

    It's meant to be simple middleware in network communication: almost transparent to applications, and with only a little system setup, like certs.

    I can't imagine reading a five hundred thirty page book about it, much one essential.

    1. Re:It's an encryption layer by schneidafunk · · Score: 1

      Well based on the summary, I'm at least intrigued. I know personally I could use a refresher on it, especially with the recent vulnerabilities made public.

      --
      Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    2. Re:It's an encryption layer by nine-times · · Score: 2

      I think if you're an IT worker-- one who's actually interested in his job-- then this information is probably of some interest. It sounds like a lot of it would be things I already know, but "How to setup SSL/TLS properly so that it uses the bare minimum of resources," seems like a helpful bit of information to have.

    3. Re:It's an encryption layer by jandrese · · Score: 1

      You've never tried to actually code to the SSL library have you? It's a poorly documented nightmare of parallel APIs full of pitfalls and crypto-nerd jargon. All of the APIs are apparently written with the thought that anyone messing with SSL should have PhD in cryptography first, because otherwise they're just going to screw it up. It also has decades of old cruft in it that you shouldn't be using but the manual won't tell you which parts those are. Also, not everyone agrees as to what is the best way to use it. I'm sure someone will come out and complain that the suggested techniques in this book leave you vulnerable to some kind of weird side channel attack in certain circumstances and that you should do it a different way instead, a way that this author thinks will open you up to some other kind of attack.

      You might think I'm exaggerating, but even major corporations fuck this up all of the time. There is no "just choose sensible defaults and give me a secure socket" call, because if there were someone would complain that it's not secure and shouldn't be used.

      --

      I read the internet for the articles.
    4. Re:It's an encryption layer by petermgreen · · Score: 1

      It's meant to be, unfortunately we have learnt the hard way that the abstraction is leaky and people keep discovering new ways in which it leaks.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    5. Re:It's an encryption layer by IamTheRealMike · · Score: 1

      You might think I'm exaggerating, but even major corporations fuck this up all of the time. There is no "just choose sensible defaults and give me a secure socket" call, because if there were someone would complain that it's not secure and shouldn't be used.

      Sure there is. Perhaps not in C but what did you expect? Here we go in Java:


      HttpsUrlConnection conn = (HttpsUrlConnection) new URL("https://www.google.com/").openConnection();
      Certificate[] certs = conn.getServerCertificates();
      InputStream stream = conn.getInputStream(); // read stream here ....

      That'll do the right thing by default.

      SSL is imperfect, but that's because crypto is hard, not because of some fundamental fuckup somewhere and if only we all used the alternative protocols (which?) everything would be peachy.

    6. Re:It's an encryption layer by jandrese · · Score: 1

      Those are all concerns you shouldn't have to worry about in a proper API. It should do those checks for you and return an error if something doesn't look right.

      --

      I read the internet for the articles.
  2. So is that a yes or a no? by ArcadeMan · · Score: 1

    For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL./TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security.

    Half of the chapters are used to show you how much SSL sucks and the other half are used to show you how to correctly deploy SSL so that it just barely doesn't suck but you should still use it anyway?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:So is that a yes or a no? by nine-times · · Score: 2

      Well yes, you should use SSL. It may have problems, but what's your other option?

    2. Re:So is that a yes or a no? by i+kan+reed · · Score: 1

      Hand rolled encryption scheme you have to install drivers for on all your users' computers, of course.

      It'll be perfectly secure, because no one will use it.

    3. Re:So is that a yes or a no? by amorsen · · Score: 1

      There are no realistic alternatives. Opportunistic IPSEC never got started, and I am not aware of any other attempts which might actually work. You can replace the CA system with DNSSEC, but that does not solve the entire problem.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:So is that a yes or a no? by phantomfive · · Score: 1

      I remember back in 98 or so, Yahoo actually did do encryption in Javascript when they sent the password over the wire (for yahoo mail). I was impressed when I saw it. I suspect it had some kind of weakness, but I doubt anyone ever broke it.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:So is that a yes or a no? by Gr8Apes · · Score: 1

      Hand rolled encryption scheme you have to install drivers for on all your users' computers, of course.

      It'll be perfectly secure, because no one will use it.

      That doesn't make it secure, only a potentially less desirable target.

      --
      The cesspool just got a check and balance.
    6. Re:So is that a yes or a no? by i+kan+reed · · Score: 1

      Zero traffic means zero traffic interceptions.

    7. Re:So is that a yes or a no? by freeze128 · · Score: 1

      SSL can be insecure if used improperly, but if properly set up, it can be secure.

      Thank you

      Chewie, take the professor in the back and plug him into the hyperdrive!

    8. Re:So is that a yes or a no? by Gr8Apes · · Score: 1

      But someone is using it, so traffic is not 0. And installed means potential security hole.

      --
      The cesspool just got a check and balance.
    9. Re:So is that a yes or a no? by benrothke · · Score: 1

      SSL is subject to vulnerabilities, weaknesses and misconfiguration like every other protocol and piece of software.

      It’s for the most part all we have until a SSL replacement is found.

      With that, you can maximize its usefulness by deploying it correctly, as per the 2nd half of the book.

    10. Re:So is that a yes or a no? by petermgreen · · Score: 2

      The design flaws in earlier versions of SSL/TLS were found through bitter experiance. In generally you are much better off using a well-known protocol and understanding it's flaws, limitations and what options are appropriate to your application than trying to roll your own, it's silly to belive that you are less prone to making design errors than the designers of ssl and TLS were.

      And some of the things you have to be mindful of are characteristics of variable rate encryption in general not specific to SSL/TLS, for example the fact that compression can cause changes in the content of the message to change the size of the message and this can leak information after encryption would apply to basically any encryption system that provides cypertext at a variable rate (theoretically you are much more secure with a system that outputs cyphertext at a constant rate even when no plaintext is coming in but for most people that would be too high a price to pay)

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  3. Certificate warnings by 0123456 · · Score: 2

    Browser vendors decided not to enforce TLS connection security; rather they push the problem down to the user in the form of a certificate warning.

    That's, in part, because embedded software developers ship millions of devices with the same SSL certs. If the browser blocked a cert that doesn't match the hostname, no-one would be able to connect to them.

    Of course, if they'd done that years ago, the embedded software developers would have had to find a more sensible solution. But it's far too late now.

    1. Re:Certificate warnings by ChadL · · Score: 2

      If a site sends a strict transport security header (e.g. "Strict-Transport-Security: max-age=31536000; includeSubDomains"), it will cause a browser to store that and refuse to allow an override if the certificate verification fails (and also changes plain http attempts to https). So for sites that do have certificates and wish to have enforcement of that there is a good option for that (though doesn't help for the first request, that is unlikely to have anything interesting in it).

    2. Re:Certificate warnings by Shados · · Score: 1

      Haha... I've been making a MITM proxy for debugging purpose (there's a few out there, ie: Fiddler, CharlesProxy, etc), and have been wondering for like ever why some sites seemed to handle poor certificate configuration differently than others (ie: I can MITM Google.com with a self signed certificate thats trusted, but I can't MITM account.google.com without proper SHA256 and a certificate authority chain...).

      Its because of that header. I had never heard about it (hard to find something you don't know you're looking for).

      I have learnt something useful on slashdot today. Holy crap.

  4. SSL? by Dr.+Evil · · Score: 2

    "Chapter 4 is particularly interesting in that the author notes that while the cryptography behind SSL and PKI is fundamentally secure,"

    Post-POODLE, SSL has been shown fundamentally insecure.

    TLS is fine as far as we know.

    1. Re:SSL? by phantomfive · · Score: 2

      Post-POODLE, SSL has been shown fundamentally insecure.

      POODLE is an implementation problem, not a fundamental cryptography problem.
      Practically speaking, it doesn't make much difference. Security is no better than your implementation.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:SSL? by Dr.+Evil · · Score: 1

      POODLE is not an implementation problem. It's a protocol problem.

      https://www.us-cert.gov/ncas/alerts/TA14-290A

      "There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol"

      It's an implementation problem if you're speaking abstractly about the application of crypto. But we're talking about "SSL", a protocol.

    3. Re:SSL? by complete+loony · · Score: 1

      It's a protocol problem if a man in the middle can control some bytes in the encrypted stream. The biggest problem with attempts to keep HTTP & SSL secure, is the combination of sensitive application and user supplied data sent over the same stream in both directions.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    4. Re:SSL? by phantomfive · · Score: 1

      us-cert.gov doesn't give really give you enough info. Look here for a fix that fits within the protocol. No one wants to do any serious work on it though because SSL isn't worth it.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:SSL? by Dr.+Evil · · Score: 1

      That's an excellent article, thanks.

      The fix would require specific changes to the implementation and "...there's a high risk that this would also cause compatibility problems." IMHO, it would be highly misleading to call it an implementation problem that an unforseen encryption weakness could be mitigated with changes to the implementation.

      I offer the above to be XKCD1318 compliant.

    6. Re:SSL? by phantomfive · · Score: 1

      The compatibility problems mentioned are because of people not following the standard. They're not a problem with the standard itself.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:SSL? by phantomfive · · Score: 1

      is the combination of sensitive application and user supplied data sent over the same stream in both directions.

      I'm not seeing how that's the problem. Ultimately it's all going to go across (roughly) the same IP pathway, right?

      --
      "First they came for the slanderers and i said nothing."
    8. Re:SSL? by complete+loony · · Score: 1

      POODLE, BREACH, CRIME etc all require the attacker to control some bytes in the ssl stream in order to deduce other bytes that they shouldn't be able to see. POODLE requires the attacker to change the http url & form post body in order to force the alignment of bytes, BREACH and CRIME are gzip length attacks. Both require the attacker to control bytes in a http request in order to guess the contents of other bytes in the request that they wish to know, like a session cookie.

      All of these are attacks on HTTP & SSL, not on SSL alone.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  5. HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by s.petry · · Score: 2, Interesting

    I have not seen very much moderated for myself, which is fine for the most part but I'm seeing a trend. Has the moderation system been killed and we have no notification that the system is dead? Here is some evidence. Yeah, you have some explaining to do!

    3 moderated posts 2 funny 1 insightful.

    0 moderated posts.

    2 moderated posts 1 insightful 1 interesting.

    0 moderated posts.

    1 moderated post 1 insightful

    No, this is not about me it's about concern for a system that has been repeatedly fucked with at the expense of the members.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by DigitAl56K · · Score: 2

      I also suspect moderation has slowed down. I suspect more generally long-term members with good karma and mod points have been coming here less due to the content and the beta site.

    2. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by s.petry · · Score: 1

      This trend started last week when the system went into off line mode for several hours, so has little on the surface in common with long timers leaving.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    3. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by phantomfive · · Score: 1

      Also, it seems I'm not getting email notifications when people reply to my comments anymore. I suspect that is related as well, both happened about the same time.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by s.petry · · Score: 1

      I received an email from a moderator that they thought the messaging issue was fixed. Looks like it is now, as I'm starting to see responses from the last week pour in.

      So lets see if they can answer why moderation seems to be borked as well..

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by phantomfive · · Score: 1

      Oh, yeah, I just got emails from all my responses for the last week.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by MyFirstNameIsPaul · · Score: 1

      I went several years without getting any mod points, then a few months ago started getting them again. Can't remember if I had any since the outage last week.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    7. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by Opyros · · Score: 1

      I had mod points which were supposed to expire on the 20th, but in fact didn't expire until today! There is obviously a bug somewhere.

    8. Re:HEY DICE, WHAT THE FUCKHAPPENED TO MODERATING? by meustrus · · Score: 1

      Oh, so that's why I didn't see any responses for the last week, and then this morning just a huge flood of stuff to go through. Interesting data point: the only post of mine that kicked off a lot of replies despite the messaging bug was political.

      --
      I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
  6. Cookies and SOP by MobyDisk · · Score: 1

    they are not in sync with the main security mechanisms browsers use today, namely same-origin policy (SOP).

    Really? What's different? (Yeah yeah: someone will tell me I should buy the book... I'll add to my book list and get to it by 2047).

  7. Amazon Book Price by psergiu · · Score: 1

    I see the book price in the provided Amazon link as US$ 48.10 for the Paperback version.
    Everyone sees the same price ?

    Slashdot has given us a Amazon link - let's investigate if we get a lower or higher price when accesing the link from Slashdot as compared to other ways.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
    1. Re:Amazon Book Price by dumfrac · · Score: 1

      $48.10 for me.

    2. Re:Amazon Book Price by gerald.edward.butler · · Score: 1

      Same here: $48.10 - that's with Amazon Prime and through the "AmazonSmile" link (where it donates a portion to your chosen charity).

    3. Re:Amazon Book Price by jtownatpunk.net · · Score: 1

      $48.10 from my regular browser, anonymous browser and IE.

  8. public keys for hosts by fredan · · Score: 2

    (hold on for a little bit longer.) I will publish drafts soon of how to using public keys for hosts. All public keys will be stored with a new DNS RR. (I'm writing the drafts at this very moment).

    If you are going to comment on this, remember that I sad "hosts".

    1. Re:public keys for hosts by fredan · · Score: 1

      No.

  9. How long... by jtownatpunk.net · · Score: 1

    I wonder how long it will be before Ristic is disappeared. My money's on 110 days.

    1. Re:How long... by jtownatpunk.net · · Score: 1

      Do you really think any government wants its citizens to have secure communication?

  10. Encryption by davidwr · · Score: 2

    SSL/TSL/etc. are supposed to do two things:

    1) Authenticate that you are talking to the machine you think you are talking to
    2) Encrypt the traffic so that it would take a large amount of effort (ideally, an infeasible amount) for someone listening in to see the traffic.

    SSL and TLS do make it difficult if not impossible for someone with just a wire-sniffer to decrypt the traffic. Typically they would either need the legal resources to get a court order to get the server's private keys, the technical resources to either acquire the keys another way or to fool you into connecting to their MITM machine, and/or the technical or other resources needed to compromise either your machine or the server. If they have that many resources, they may also have the resources to break into your house or office while you aren't there and install a hidden camera, at which time them snooping on your internet traffic suddenly becomes a lower-priority problem.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. TLS/SSL/PKI is just the wrong algorithm. by aberglas · · Score: 1

    For logging into a secure server the correct algoritmm is Secure Remote Password (SRP).

    This uses a little crypto magic to produce STRONG security from weak passwords. It is a bit like using a nounce, but it does not give a man in the middle any way to brute force guess the password.

    If the user tries to log into a phished website the attempt simply fails. The phisher learns nothing. And there is no need for all the PKI certificate signing trusted third party nonsense.

    It is not just dumb end users. What do you do when an SSH session says "new certificate". Check its finger print? Of course not, nobody does. With SRP this would be completely unnecessary.

    It does not work for sites upon which you have no account. But for banking etc. it is the obvious way to go. But somehow the PKI mob and their expensive certificates got all the press. And no patents on SRP.

    (There are a number of similar algorithms known as PAKE. But SRP is the latest and greatest incarnation.)

  12. This person should be banned from book reviews by mcmonkey · · Score: 1

    "If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all."

    Perhaps? PERHAPS??

    If you're going to reference "the emperor's new clothes" then certainly the emperor isn't wearing anything at all. That is the very meaning of "the emperor's new clothes." Sheesh.

  13. Good read, really enjoying it. by motorsabbath · · Score: 1

    It gives you plenty of information and tool descriptions to test your own setups as you put them together. This, to me, was always the hardest part. Building LibreSSL fro source for the hell of it is also useful if for no other reason than getting the updated man pages. Just sayin'.

    This book + wireshark = very, very informative, esp. if your background is in hardware design and not networking...

    --
    The heat from below can burn your eyes out
  14. Re:It's not only SSL/TLS by petermgreen · · Score: 1

    and the CA mechanism would work acceptably if CAs did their jobs diligently (which they don't all the time.)

    They don't even pretend to, there are plenty of CAs who will hand you out a cert based on nothing more than sending an email to your domain (which of course is unencrypted and unauthenticated, remember you most likely don't have a cert yet....). If your hosting providers upstream ISP or a CAs upstream ISP is compromised by an attacker then they can easilly get the CA to issue them certs.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  15. Re:It's not only SSL/TLS by IamTheRealMike · · Score: 1

    That's not "lack of diligence", that's a fundamental bootstrapping problem. CA's are meant to verify identities. If the identity you are trying to verify is not itself cryptographically verifiable, then the attempt to verify can be tampered with, but the only way to solve that is to use harder to verify identities. Which is what EV certs do, and my own experience of getting one was pretty smooth.

  16. Re:Really? by meustrus · · Score: 1

    We should concentrate on educating Web designers to only use HTTPS when it's really appropriate and necessary.

    No we shouldn't. HTTPS should be everywhere. A somewhat insecure implementation of SSL is better than no SSL. Further, everything should be encrypted so that we can have some basic level of privacy. It's also not a good idea to raise a red flag for hackers to see over every "appropriate and necessary" use of strong encryption. And finally, if you want it to be illegal to spy on you, it helps to have the DMCA on your side. Any attempt to protect communications makes it a crime to break the encryption no matter how trivial it is to do so (based on my not lawyerly understanding; I am not responsible if this assumption gets you into trouble).

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
  17. Re:Really? by meustrus · · Score: 2

    An invalid cert means you could be susceptible to a man in the middle attack. But even with an invalid cert, you're still more protected than without SSL. An educated user can make an educated decision. Unfortunately we are talking about mass market computer users, who as anyone in IT can tell you do the stupidest things imaginable on a daily basis. We're also dealing with web site operators that just want to put something up and let the server deal with everything with a minimum of hassle. Doing SSL at all is not easy, and doing it right is hard.

    In the military, they have a standard that all technical manuals must be written for a 4th grade reading level. How to operate the tank? 400 pages that an average 10 year old could understand (with enough attention span). Every piece of open source software should have the same goal, not just for its documentation (you do have docs, right?), but for its API design. Instead, as I read in another comment by jandrese: "All of the APIs are apparently written with the thought that anyone messing with SSL should have PhD in cryptography first, because otherwise they're just going to screw it up."

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
  18. Re:It's not only SSL/TLS by petermgreen · · Score: 1

    That's not "lack of diligence", that's a fundamental bootstrapping problem. CA's are meant to verify identities. If the identity you are trying to verify is not itself cryptographically verifiable, then the attempt to verify can be tampered with,

    Agreed in general but I don't think a single email counts as "diligent verification". it's doing the bare minimum the browser vendors will let them get away with.

    but the only way to solve that is to use harder to verify identities.

    Specifically validating through multiple independent channels so that an attacker would have to compromise all of them to get the certificate.

    The proper fix is to get rid of third party CAs entirely and integrate certification of domain ownership with the purchase of the domain.

    Which is what EV certs do, and my own experience of getting one was pretty smooth.

    EV helps a little but the web's page-by-page model works against it. The connection where a form is received and the connection where it is submitted are logically seperate and afaict there is nothing requiring them to use the same certificate. So an attacker who has a regular certicate for a domain that normally uses an EV certificate can avoid MITMing the initial connection (likely the request for the login form) and show the green bar. Then they can MITM the second connection and grab the form data.

    I was dissapointed to find that HTTP strict transport security doesn't seem to do anything to address this.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register