Do the SSL Watchmen Watch Themselves?

Soulskill posted more than 5 years ago | from the barbers-with-a-good-haircut dept.

Security 171

StrongestLink writes "In an intriguing twist on the recent Comodo CA vulnerability discussed here last week, security researcher Mike Zusman today revealed that three days prior to StartCom's disclosure of a flaw in a Comodo reseller's registration process, he discovered and disclosed an authentication bypass flaw to StartCom in their own registration process that allowed an attacker to submit an authorized request for any domain. During a month which was marked by the continuing paradigm shift to SSL-verified holiday shopping, the Chain of Trust continues to run off the gears, and Bruce Schneier is even commenting publicly that SSL's site validation mission isn't even relevant. What lies ahead for the billion-dollar CA industry?"

171 comments

Let governments handle SSL (5, Insightful)

coryking (104614) | more than 5 years ago | (#26307853)

SSL certificates are one area best served by government. Bear with me here,

SSL certificates are the online version of your driver's license or your passport. We entrust our governments to provide us with reliable, trustworthy forms of identification. We know that if we see a driver's license or a passport, we can be reasonably certain the person holding said identification is who they claim.

It is becoming increasingly clear that SSL certificates issued by private industry cannot be trusted. Since private industry issues them, there are real standards for how one qualifies for a certificate. A $20 SSL cert from Godaddy is just as valid of identification as a $500 one from Verisign. Worse, the private industry has a conflict of interest. Their business makes money by issuing certificates to paying customers, not rejecting customers for bad information. The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math, they have to make it as easy to get an SSL certificate as possible or go under. (The bond rating industry suffers from a different, but somewhat similar conflict of interest, actually)

Who then should issue certificates? The only entity that doesn't have to make money--your governments. Ideally you should be able to walk into whatever agency issues photo identification in your country and somehow get an SSL certificate issued. Businesses and non-profits could get them issued by checking a box on the form they use to set up a corporation or LLC.

Letting the government deal with this has many extra benefits. For starters, we could make SSL certificates fall under the same kinds of laws that govern passports or driver's licenses. If you forge one, or enter fake information, you could be charged under the same laws that faking a driver's license falls under. For second, if done right, good governments would issue these for virtually nothing and maybe protocols like S/MIME would finally get widespread adoption.

What about open source projects who currently cannot afford SSL certs? Well, if the government does it, they could file as a non-profit and get one for free (or reduced cost).

How would this work from a technical standpoint? How would browsers deal with a long list that has every country's certificate authority? Dunno, but it seems it wouldn't be a big problem. It is a technical problem though, so we can solve it somehow.

What international agency would regulate this? Who regulates passports? Dunno, but seems to me we already have a long history of internationally recognized identification--both for business and personal use. Why not task those guys with SSL certificates? This is more of a political problem, and isn't as easy to solve as the technical bits.

Bottom line, I know we all seem to hate more government, but SSL certificates are one thing governments should be doing, not private industries. It might create a new class of problems, but I suspect the new problems will be much less severe than the ones we have now.

Re:Let governments handle SSL (5, Funny)

Anonymous Coward | more than 5 years ago | (#26307915)

I can't wait to see the phishing websites validated by the Nigerian government's CA.

Re:Let governments handle SSL (0)

Anonymous Coward | more than 5 years ago | (#26309371)

Someone modded it Funny but with the current call by the rest of the world for the United States government to allow *them* to have some say in what the internet is or is not for them, and us being as unpopular as we already are, I'd rather it be mostly commercial.

Here's an example. My neighbor(s) across the street are annoying fucks. Their white trash son has to drive past our place at 2am with his truck stereo so loud it can drown out our system at times, and I own a real system, not a GPX $59.95 but I digress. At least one of the kids also throws eggs at one of our cars and they're too stupid to realize that the trail of the eggs every single time has pointed directly at their house, they don't come from other directions. They set off MASSIVE fireworks at all hours of the night long before and after the 4th, to the point that there was a guy killed in the middle of September 2008 right up the street; he was killed at midnight but wasn't found until 8am (his mother was home at the time) and no one called because everyone thought the gunshot was those assholes setting off fireworks again and the cops never did anything to my neighbors when we called so it became a futile effort.

Anyway, the point of the story is. Do you have any idea how long it has taken the government to do absolutely nothing about it despite complaints from everyone around?

Now imagine that you need the Chinese government to stop directing Iliketoletgoatsfuckme.com to your rated-PG educational site about farm animals. We saw how they did with complaints at the Olympics.

If your company can lose a million dollar contract for giving a bad certificate, you'll get shit done quick to remedy it.

Re:Let governments handle SSL (1)

MindlessAutomata (1282944) | more than 5 years ago | (#26309607)

People want justice in the world. They want karma, they want a god or a superhero to come down from above and fix the ills of the world. They want safety, they want security, they want peace.

Government, like religion, usually works so long as you believe in it. When you stand back, however, you often see just how useless and ineffective it is, just like everything else. Truth is, you're not going to find any justice. No hero or knight in shining armor is going to ride out of the smoke and save you.

You can't escape from risk. A lot of the ills of everything else in the world (corruption, stealing, cheating) find their way in government just like everything else. But still people act and pretend as if the government really will be that magical entity that can make things all better, that won't be corrupt, that won't be like everything else in the world.

You are quite right about how businesses will deal with bad certificates. If they've got a bad reputation, then no one is going to give a shit about them. Nobody that is informed is going to buy a security system that doesn't work.

Re:Let governments handle SSL (1)

Hurricane78 (562437) | more than 5 years ago | (#26310287)

I trust the Chinese government as well as the US government to handle this. You just have to know how to handle them.

The Chinese you simply tell, that they have a second child that they conceived while listening to anti-communistic music, cross the street when the light is green, and read American news sites.

The US you tell, that they just "pirated" the latest hit album from Osama Bin Laden for their karaoke machine while wearing this shirt [freewebs.com].

I'm joking. You could really tell both governments anything that includes "they could be bad". They will "find" something themselves as soon as they know you exist anyway.

Nigerian CA? (0)

Anonymous Coward | more than 5 years ago | (#26311331)

And which browsers will have that CA's root certificate installed by default?

I know you were joking, but you kind of underlined the point of the GP. Was that your intent?

Re:Let governments handle SSL (3, Insightful)

wizardforce (1005805) | more than 5 years ago | (#26307927)

Your trust of government is simply astonishing after what the Bush administration has been up to for the last eight years especially considering all those slashdot stories concerning fumbling incompetence on the part of certain governments... The problem with computer security isn't private industry, it's that there are few direct consequences for companies that produce faulty security systems, banks with shoddy security etc.- legally granted limited liability is a problem. Once they find their own heads on the chopping block after a security flaw is found they'd be a lot more keen on solving the problem.

Re:Let governments handle SSL (1)

Cowmonaut (989226) | more than 5 years ago | (#26308449)

Hey now, don't belittle the strengths of a bureaucracy because of Bush. There are certain things it can do well, licensing is one of them. It's not perfect (not hard to get a fake ID) but it's good enough (moderately difficult to get a GOOD fake ID). Plus, then you know for sure that someone is checking on the security of the certificates because that's 50% of their job.

Now if only they'll make it so where there is a road, there is pipe (for the most part) and get some of the boonie yahoos some decent DSL/Cable/Fiber runs. I wouldn't mind paying taxes as a means for internet access, just like I do for road access. It's convenient and helps everyone. And like the government can't tap my 'Net connection easily now anyways...

Re:Let governments handle SSL (1)

Darkness404 (1287218) | more than 5 years ago | (#26308691)

> Plus, then you know for sure that someone is checking on the security of the certificates because that's 50% of their job.

Yes, and there are also supposed to be people making laws that agree with the constitution and striking down unconstitutional ones, and people that make sure patents are valid before they get approved. But in both of them they fail in their jobs.

And think about the ways that governments would abuse this system. For example AT&T might not have a decently secured site, but because they agreed to wiretap they might give them a certificate. On the other hand a site that sells materials disagreeing with the US government might be rejected a certificate because the government simply disagrees with them regardless of the status of the site.

Re:Let governments handle SSL (1)

wizardforce (1005805) | more than 5 years ago | (#26308699)

> Plus, then you know for sure that someone is checking on the security of the certificates because that's 50% of their job.

Don't be so sure:
http://www.computerworld.com.au/index.php/id;50110485 [computerworld.com.au] they [at least the UK] seem to be fairly adept at losing things, if they screw up big time you still pay for it.. when a company screws up bad enough at least people might have a chance to look elsewhere- no, I think the solution here is to make use of that horrible trait of human nature- greed, well at least enlightened self interest that is... let people deliver a headshot to these companies in court every time there's a major screw up and things will improve... I think in this case we should be careful with how much power we give the feds, it may seem like a great idea at the time, a lot of things do but idiots like Bush make it very clear that the less power we give these twits the better.

Re:Let governments handle SSL (1)

SpaceLifeForm (228190) | more than 5 years ago | (#26309365)

Exactly. As an end-user (businesses refer to you as a consumer), you expect
that the website you are interacting with is who you *trust* them to be.
And as the end-user, you expect that the reason you trust the site is because
you have the lock showing in your browser, and you believe the SSL system
is trustable.

Yet, as the end-user, what have you personally seen as evidence
that the https protocol using SSL is really trustable?

Most people have seen nothing.

And yet, here someone says the government should be trustable?

You have to be out of your fucking mind to believe that
the CA role should be managed (mis-managed) by government.

You can't trust government at *ANY* time, so why would this help
fix the CA problem?

Re:Let governments handle SSL (1)

Kent Recal (714863) | more than 5 years ago | (#26310493)

So you trust your government less than a random company that has bought its CA status with money?

Re:Let governments handle SSL (1)

wizardforce (1005805) | more than 5 years ago | (#26310871)

Given enough competition I trust that if any of them prove themselves unworthy of trust that it's still a better system than any of our governments could design and no I really don't trust a governmental monopoly over competitive private industry especially when our little government has been caught spying on its own people.

Re:Let governments handle SSL (1)

Kent Recal (714863) | more than 5 years ago | (#26311011)

Would you care to elaborate on how a private company is supposed to compete for trust and profit at the same time, without sacrificing one for the other?

Oh and btw: A governmental CA can not be used to "spy" on anyone. Put down the tin foil...

Re:Let governments handle SSL (1)

Znork (31774) | more than 5 years ago | (#26311231)

As basically every government is, or wants to, listen in on any traffic they can I don't only not trust them, I am utterly certain that they will issue any number of falsified certificates enabling them to intercept and MITM any SSL communication they want to. The CAs have yet to indicate that desire. Not that I think most would hesitate to sign a false certificate on request from the government anyway.

So for the purpose of certificates, I trust governments far less than a random company. Of course I also trust those random companies even less than I trust any random self-signed certificate as well.

The trust chain between me and the holder of a self-signed certificate is the only one short enough not to contain external parties potentially interested in eavesdropping.

Re:Let governments handle SSL (0)

Anonymous Coward | more than 5 years ago | (#26309255)

Are you for real?

> It's not perfect (not hard to get a fake ID) but it's good enough (moderately difficult to get a GOOD fake ID).

I am sure you are speaking from personal experience... and not just pulling those "DIFFICULTY LEVELS" out of your crevice.

> make it so where there is a road, there is pipe (for the most part)

"For the most part"... nice qualifier. What do you mean by that? SPECIFICALLY.

> And like the government can't tap my 'Net connection easily now anyways...

You think that's something to say "ho-hum" about??? Where did you COME FROM?

Re:Let governments handle SSL (3, Insightful)

djupedal (584558) | more than 5 years ago | (#26307941)

>SSL certificates are one thing governments should be doing

So, after wading patiently thru your treatise, it would seem you elected not to answer the question, which would explain your warmth towards politicos, at least :)

Nope. Government AND private companies (5, Interesting)

Cyberax (705495) | more than 5 years ago | (#26307945)

It's better to use private companies with government oversight.

I now live in Ukraine and we have such a system. Government licenses private companies to work as certification centers and mandates that only certain (strong) crypto algorithms must be used.

As a result, I can use my private key to sign my tax report for IRS (or tax report for my company). IRS in turn uses its own key to sign their letters.

That's pretty cool, if you think about it.

Re:Nope. Government AND private companies (1)

nextekcarl (1402899) | more than 5 years ago | (#26308191)

Sadly again it seems I live in a country behind the times (USA). Low broadband access rates, civic authorities that have never even heard of public/private key signing, etc.

Re:Nope. Government AND private companies (1)

Darkness404 (1287218) | more than 5 years ago | (#26308589)

Low broadband access rates,

Err, you do know that most of it is because the population of the USA is spread across a large area whereas just about any country in Europe (minus Russia) would fit within our borders? If the USA had roughly the same everything just scaled down to the size of a mid-sized state, I'm sure the USA would have the highest broadband access rates in the world.

Re:Nope. Government AND private companies (1)

nextekcarl (1402899) | more than 5 years ago | (#26308841)

And yet that doesn't address any of my other concerns. I used to think that was the case, but look at all the other things we are no longer first in, and also consider what we did with phone lines and plumbing. We got every house wired up for phones and plumbing in this country. Well, I've heard some places still don't have one or the other, but you get my point. We should have this done already for broadband, but we aren't even close. And that's just for broadband. What about the other things where the population is all that matters, and surface area doesn't (the other half of my argument from above as an example)?

Re:Nope. Government AND private companies (5, Insightful)

witherstaff (713820) | more than 5 years ago | (#26308957)

OH boy, the 'but the US is huge' argument that comes up every time broadband in the US is discussed. I'd buy that if our metro areas were chock-full of fiber speeds and just the rural areas were slow. The fact is that even in our largest metro areas the US broadband is horrid.

A recent study [speedmatters.org] shows that even our smallest state, Rhode Island, with population density of over 1000 per square mile, has an average speed of only 6.7 Mbps. If you can't make that dense of an area high speed there is something seriously wrong with our system. Namely the Telco lobby arm is so strong that their gov't sanctioned monopoly remains and speeds don't improve.

Re:Nope. Government AND private companies (0)

Anonymous Coward | more than 5 years ago | (#26309669)

The linked study shows nothing of the kind. You cannot base broadband penetration on reported speeds from home users.

My area has 32Mb cable connections available, but the reported speed from home users in my area is going to be much, much lower simply because most people are on the 6Mb plan or get 768k DSL or even dial-up if it's cheap. And that's the way it is all over the United States.

Studies show (sorry, too lazy to link) that the vast majority (~90%) of broadband users in the United States are on the lowest tier plans available and wouldn't pay as little as $10 to double their connection speeds.

Re:Nope. Government AND private companies (0)

Anonymous Coward | more than 5 years ago | (#26309703)

All that means is the users in Rhode Island don't need much more than 6.7Mbps on average. Frankly I'm shocked it was that high. Most people I know could still get by with 512k DSL.

Re:Nope. Government AND private companies (1)

Ed Avis (5917) | more than 5 years ago | (#26310473)

Since when was six megabits per second not 'high speed'? To me that sounds like enormous bandwidth. A wireless LAN might have only twice that. Sure, for high-definition porn in real time you might want more, but 6Mb/s is ample for all but the most greedy users.

More relevant is the quality of the upstream network and the amount of contention.

Re:Nope. Government AND private companies (1)

c_g_hills (110430) | more than 5 years ago | (#26310687)

It depends on where you live. When you can get 100mb/s to your home, 6mb/s seems pretty slow.

Re:Nope. Government AND private companies (1)

neumayr (819083) | more than 5 years ago | (#26310783)

But then, the US are a federation of states. How come those states don't take care of their telecommunication infrastructure on their own?
They most likely don't go to some federal entity if their road system needs an upgrade..

Re:Nope. Government AND private companies (2, Informative)

Znork (31774) | more than 5 years ago | (#26311281)

Sweden, Finland, Norway and Canada whose population density is lower than the US yet have higher broadband penetration seem to suggest that theory may not be entirely accurate.

Re:Nope. Government AND private companies (1)

Hognoxious (631665) | more than 5 years ago | (#26311413)

Maybe their average population density is lower, but for Canada at least that's misleading. Most of the population is in a belt along the US border. I think Sweden is the same, most people live in a few cities on the Baltic coast and hardly anyone lives in the rest.

However I don't buy the argument that the problem with the US is size and low population density; it certainly didn't stop them building roads to almost everywhere.

Re:Nope. Government AND private companies (1)

iammani (1392285) | more than 5 years ago | (#26308627)

It's the same in India, I can file my taxes online, and sign them with my private keys (Issued by 3 authorized private cos) or print the confirmation, sign and hand it to the tax office physically.

Re:Nope. Government AND private companies (0)

Anonymous Coward | more than 5 years ago | (#26309059)

As a result, I can use my private key to sign my tax report for IRS (or tax report for my company). IRS in turn uses its own key to sign their letters.

That's pretty cool, if you think about it.

Until a worm takes over your computer and starts impersonating you (or worse, uploads your private key to the cloud). Or are there "tamper-proof" USB keys that actually store the keys that you have to physically plug in when you want to sign something?

Re:Nope. Government AND private companies (0)

Anonymous Coward | more than 5 years ago | (#26311379)

Why can't it work like that in Poland? We're your neighbors.

Re:Let governments handle SSL (2, Insightful)

minsk (805035) | more than 5 years ago | (#26307947)

So you have some governments that issue high-quality reliable certificates.
And some corrupt ones which can be bought for peanuts.

So someone has to choose which root certificates to trust.
Someone, probably being the browser makers.

So what would it solve?

That is a technical problem (1)

coryking (104614) | more than 5 years ago | (#26308019)

You'd have the browser show which country issued the certificate. Use a flag, use something. Firefox already does this by using a tooltip.

Plus, unlike private companies, we all have a sense of which countries' certificates we may or may not trust. A user would get suspicious if "bofa.com" was using a certificate issued by Nigeria or "tesco.com" had a certificate that wasn't issued in the UK. What the fuck is the difference between a certificate issued by Thawte vs. Verisign? Beats me!

Re:That is a technical problem (1)

Architect_sasyr (938685) | more than 5 years ago | (#26308229)

You're putting a bit too much faith in the user I think.

Perhaps if the browser stored every certificate the first time it was seen, then flagged the user when it was changed (combined with relying on certificate chains and the like) we wouldn't be having so many issues with MiTM.

Re:That is a technical problem (1)

Kent Recal (714863) | more than 5 years ago | (#26310585)

No and yes. I think both of you are making great points.

The flags are a great idea because they give the users who care a meaningful tool to assess the trustworthiness of the site at hand.
Knowing the country of origin is much more meaningful than an anonymous padlock.

Saving the cert fingerprint and raising an alarm on change is not even a great idea by any means - it is just obvious, absolute baseline stuff.
The Mozilla guys are seriously humiliating themselves by fucking up the SSL handling even more instead of fixing the fundamentals...
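Added example (not part of either comment above, and not any browser's own code): a minimal trust-on-first-use pin store of the kind the two comments describe, recording a certificate's SHA-256 fingerprint the first time a host is seen and flagging any later change until the user explicitly accepts it. The class and function names, the JSON file layout and the `example.test` host are assumptions, and the certificate bytes are constructed stand-ins rather than real DER.

```python
import hashlib
import json
import os
import ssl
import tempfile

FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"

# Constructed stand-ins for two different DER-encoded certificates.
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"


def fingerprint(der):
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host, port=443):
    """Fetch a server's leaf certificate as DER (needs network; not used by demo())."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Hypothetical on-disk store mapping 'host:port' to a pinned fingerprint."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def _key(host, port):
        # Host names are case-insensitive; normalise so "EXAMPLE.test" hits the same pin.
        return f"{host.lower().rstrip('.')}:{port}"

    def _save(self):
        # Write to a temp file and rename so a crash cannot leave a half-written store.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host, port, der):
        """Pin on first sight; afterwards report MATCH or CHANGED. Never re-pins silently."""
        key, seen = self._key(host, port), fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return FIRST_SEEN
        return MATCH if pinned == seen else CHANGED

    def accept_change(self, host, port, der):
        """Explicit re-pin, e.g. after the user confirmed a legitimate renewal out of band."""
        self.pins[self._key(host, port)] = fingerprint(der)
        self._save()


def demo():
    """First visit, repeat visit, changed certificate after a restart, then explicit re-pin."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        store = PinStore(path)
        results = [store.check("example.test", 443, CERT_A),
                   store.check("EXAMPLE.test", 443, CERT_A)]
        store = PinStore(path)  # simulate a browser restart: pins are reloaded from disk
        results.append(store.check("example.test", 443, CERT_B))
        results.append(store.check("example.test", 443, CERT_B))  # still flagged
        store.accept_change("example.test", 443, CERT_B)
        results.append(PinStore(path).check("example.test", 443, CERT_B))
        return results


if __name__ == "__main__":
    print(demo())
```

A pin only says "same certificate as last time": a first connection that is already intercepted gets pinned as-is, and every legitimate renewal raises the flag, which is why the comments pair it with ordinary chain validation.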

Re:Let governments handle SSL (1)

Cyberax (705495) | more than 5 years ago | (#26308137)

So we need some way to rate CA quality...

Also, we can consider using money to fix this problem. For example, we can make all CAs put a big sum of money into an escrow account to be given to the first person who shows that CA doesn't perform 'due diligence' while issuing certificates.

Re:Let governments handle SSL (1)

m50d (797211) | more than 5 years ago | (#26310751)

You trust each government to sign certificates in its own TLD - Australian government handles .au, French government handles .fr, etc. Then if people want to trust a .cx (say) website that's up to them.

Re:Let governments handle SSL (0)

timmarhy (659436) | more than 5 years ago | (#26308013)

I have to say you're wrong. Government won't do any better job of this, in fact they don't do a better job of anything really. Ultimately it comes down to: do you trust a CA? I have to say never, so I don't rely on it, instead I examine each certificate and accept or reject them based on other factors.

Re:Let governments handle SSL (3, Interesting)

Phroggy (441) | more than 5 years ago | (#26308107)

It is becoming increasingly clear that SSL certificates issued by private industry cannot be trusted... Who then should issue certificates? The only entity that doesn't have to make money--your governments.

The problem with your idea is, even though you're correct that private industry cannot be trusted in this matter, the government cannot be trusted in this matter either.

These are technical flaws, not policy flaws - mistakes are happening due to software errors, NOT because some executive decided that allowing anyone to have a certificate without verification would be a great idea. I may trust the government's intentions, but experience suggests that they won't develop a system like this in-house, but contract it out to the lowest bidder, who is likely to have far less experience with this sort of thing than the current players.

For starters, we could make SSL certificates fall under the same kinds of laws that govern passports or drivers licenses. If you forge one, or enter fake information, you could be charged under the same laws that faking a drivers license fall under.

Pretty much all current spam is illegal under the CAN-SPAM act, so spammers could be charged under that law. They're not. I have no confidence that fake SSL certs would be prosecuted.

You might be wrong (1)

coryking (104614) | more than 5 years ago | (#26308115)

I have no confidence that fake SSL certs would be prosecuted.

Do governments crack down on people who fake their passports? If so, what is their motivation for doing so? How would their motivation for cracking down on SSL forgeries be any different?

Re:You might be wrong (1)

Fjandr (66656) | more than 5 years ago | (#26308173)

How would their motivation for cracking down on SSL forgeries be any different?

You can't transport someone into a country with a fake SSL cert.

Re:You might be wrong (0)

Anonymous Coward | more than 5 years ago | (#26308801)

Uh.. I think the new passports basically ARE SSL certs.

Re:Let governments handle SSL (0)

Anonymous Coward | more than 5 years ago | (#26308145)

SSL certificates are one area best served by government.

I look forward to having my next Firefox trusting by default certificates issued by the Nigerian government... So much more trustable than even a GoDaddy.

Re:Let governments handle SSL (1)

mortonda (5175) | more than 5 years ago | (#26308255)

Who then should issue certificates? The only entity that doesn't have to make money--your governments.

Specifically, I would opt for Notary Public, maybe as a specially trained office, but the function is nearly identical.

Re:Let governments handle SSL (1)

thetoadwarrior (1268702) | more than 5 years ago | (#26308385)

I couldn't be bothered to read this whole thing at 3am but I will say this. There is no reason a $20 cert from GoDaddy is any less valid than a $500 VeriSign one. The largest difference is one is making you pay extra just as you would for a sports car but in the end both get the job done.

Lastly, trusting the government not to cock this up relies on all countries doing the same thing and it relies on governments sorting their acts out and stop fucking things up as virtually every government seems to do.

A Better "Web of Trust" (1)

a302b (585285) | more than 5 years ago | (#26308399)

What about simply creating a better web of trust? For example, if you only trust governments, then you only accept certificates issued by them. If I trust Verisign but not Godaddy, then I only accept Verisign and the other sites I trust.

This is how a web of trust should work. People trust certain sites to issue certificates. As certain sites gain trust, more people want to get certificates from them, etc. I might trust my friend Bob, but there is no reason you should. If a bank or e-commerce site wants to do business, then they need to make sure that they get certificate(s) from sources that the majority of their clients also trust. Simple as that.

This way, governments can issue certificates with the stature you mention. At the same time, it is not monopolized by them, and people who don't trust the government are also free to use certificates by private companies.

Re:Let governments handle SSL (4, Insightful)

Lumenary7204 (706407) | more than 5 years ago | (#26308525)

The United States under the Clinton/Gore administration already tried something similar to this; five words spring to mind: "Clipper, Skipjack, and Key Escrow". (If you need a refresher, I suggest the book "Crypto" by Steven Levy [amazon.com].)

The **last** thing I want is for my government to be the entity that issues the requisite public/private key pairs to the private institutions and companies with whom I do business. My business is **my** business - and not the government's business - until a **legitimate** search warrant or indictment says otherwise. And even then, it's still **my** business [wikipedia.org].

As the article posting indicates, SSL is built around a Chain of Trust. People buy SSL certificates from the likes of VeriSign, Thawte, Equifax, etc., because they are well-known and (ostensibly) trustworthy organizations.

I, for one, do not entirely trust my government. I don't trust VeriSign and crew all that much, either, but their reputations are a strong motivation for them to do their jobs reasonably well, and provide products that perform as advertised. To do otherwise would damage their reputations, resulting in lost customers and weaker profit margins.

Most governments, on the other hand, don't care much about their reputations, and have little regard for profit margins (just look at the US Government's annual budget deficit). They therefore have no compunction against using excuses such as "national security" and "protect the children" to provide (at best) or mandate (at worst) inferior solutions to technological problems.

Admittedly, some companies - like AT&T [wikipedia.org], for instance - are so large and well-entrenched that they sometimes bow to the mandates of government, and little heed the damage done to their reputations because of it.

But most companies are not that large, and can ill afford to lose face in the marketplace. Reputation is their bread-and-butter, so they do what's in their own best interests, which may even coincide with their customers' best interests.

Re:Let governments handle SSL (0)

Anonymous Coward | more than 5 years ago | (#26308953)

The **last** thing I want is for my government to be the entity that issues the requisite public/private key pairs to the private institutions and companies with whom I do business. My business is **my** business - and not the government's business - until a **legitimate** search warrant or indictment says otherwise.

I believe the process for obtaining an SSL certificate involves you generating the key pair, then sending the public key to the CA for them to sign with their public key. The CA never sees your private key, and thus there is no such security issue.

Re:Let governments handle SSL (1)

celle (906675) | more than 5 years ago | (#26309453)

You forget, many of the companies are limited or just plain monopolies. They don't have to care about reputation as they always know they're going to get paid. So essentially we're getting screwed at both ends and still can't trust anybody. The government has some advantages as an issuer, it's huge, not going away soon, and bureaucracy helps keep the corruption away and eventually can be held accountable for what corruption there is as it's all public. Look at all the hundreds of business scandals of the last eight years and I doubt you can count on more than one hand the number of people held accountable for all of them. That's including the latest series of financial/real estate debacles. The threat of lawsuits hasn't been all that effective at reining any of this in either. Business has advantages of being more dynamic, well, more than government, and the effects of competition in the market. I won't get into private records as neither side has any kind of shiny record.

According to many arguments, not just mine. Private companies, especially big companies, can't be trusted and neither can government. Guess we're screwed, eh folks?

Maybe go back to actually visiting and talking with people/businessmen and snail mail for business transactions.

Re:Let governments handle SSL (1)

Lumenary7204 (706407) | more than 5 years ago | (#26310151)

You forget, many of the companies are limited or just plain monopolies. They don't have to care about reputation as they always know they're going to get paid.

One could argue that the telephone carrier industry as a whole falls into this category. AT&T may no longer be a monopoly vis-a-vis "Ma Bell". However, one could make a case that "Alltel + AT&T + Sprint + T-Mobile + Verizon" add up to a "collective" monopoly, or (more properly) a hegemony.

The government has some advantages as an issuer, it's huge, not going away soon, and bureaucracy helps keep the corruption away and eventually can be held accountable for what corruption there is as it's all public.

Gotta disagree on this one. Cases in point: Watergate [wikipedia.org], Iran-Contra [wikipedia.org], NSA/AT&T Room 641A [wikipedia.org] (not to overuse the example), Coingate [wikipedia.org], Danngate [wikipedia.org], Rodgate [wikipedia.org]... That's just a small list of US Federal and State scandals, from off the top of my head; an exhaustive list would fill many, many, many pages (did I say "many"?). The first three scandals listed all revolve around "national security" in some way, shape or form; the last three scandals mostly involve personal gain and prestige.

And while all scandals go public at some point (it's not a scandal if the public never finds out about it), the "accountability" factors do little to stem the tides of backroom dealing. Either way, governments often use "accountability and transparency" to justify actions taken in the name of "national security".

The threat of lawsuits hasn't been all that effective at reining any of this in either.

Don't even get me started on tort reform in the US...

Private companies, especially big companies, can't be trusted...

That argument could go either way: On one hand, private companies in the US appear to lack a certain "trustworthiness" because they don't need to file quarterly and yearly financial performance statements with the SEC. On the other hand, private companies aren't bound to the "profit-NOW!!" whims of a large pool of shareholders, so they tend to take a longer view of things and operate in a more conservative fashion.

Public companies in the US are somewhat more transparent, because they are required by law to file quarterly and yearly earnings statements with the SEC. These statements are available to the general public, so any underhanded activities by public companies are more likely to be noticed. However, public companies are driven by necessity to take a shorter-term, more immediate view with regard to cashflow because their shareholders demand instant gratification.

Re:Let governments handle SSL (1)

sjames (1099) | more than 5 years ago | (#26309899)

Clipper etc. was a scheme where a back door was explicitly built in. A system where the government signs your PUBLIC key without ever seeing your private key wouldn't permit such abuses.

That is part of the solution. In addition, the web of trust needs to be more configurable in any case. I may trust a particular key's validity. I might or might not trust keys signed by it. Further, I might trust that much but not trust keys signed by a particular key to sign other keys (I know the key belongs to the person and that person will be careful enough to verify the identity of people he signs, but he's a terrible judge of character so I don't trust him to know who I should trust).

Re:Let governments handle SSL (1)

Eskarel (565631) | more than 5 years ago | (#26310961)

That's not really what signed certs are for though.

You don't really use your signed cert to encrypt your data (for data encryption you don't need a signed cert, and additional information is used within the SSL procedure to generate temporary keys). I can get a copy of the signed cert for your bank, but that doesn't mean I can read the transaction you're making. You don't even have to have a signed certificate to have secure transmission of data.

Signed certs are about validating "who" someone is, they are pretty much exactly like a driver's license or passport, and that's a perfectly valid place for government to be in. That doesn't mean that doing S/MIME through a government agency is necessarily a good idea (at least not for all things), but having the government be the issuer of the certificate used to identify you is a totally different kettle of fish.

Re:Let governments handle SSL (0)

Anonymous Coward | more than 5 years ago | (#26311185)

Mod parent "+7 On The Ball."

Which Government? (2, Insightful)

upuv (1201447) | more than 5 years ago | (#26308693)

You have placed your trust in the government. However which one?

Most governments would with the best of intentions try to do the right thing. However some would not. Some would downright look at this as a cash cow. It would be ripe for the picking of corruption and misuse. With next to no legal recourse.

So who governs the government?

I would contend that this belongs in the hands of a grander body. The UN or blocks of countries, the EU, NAFTA, African Union, G8,9,10,11 (whatever it is now), etc. At least this way there is an established forum for discussion, sanction, policy standardization.

You are correct on the other hand that companies are not the right bodies to govern the safety of web commerce. This is just begging for greed, non-disclosure and abuse.

Re:Let governments handle SSL (1)

Plutonite (999141) | more than 5 years ago | (#26308935)

The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math, they have to make it as easy to get an SSL certificate as possible or go under. (The bond rating industry suffers from a different, but somewhat similar conflict of interest, actually)

It's never that simple, clearly, because there is another factor called "trust". If you let in too many false positives, you lose the trust hierarchy and are pushed out of business by the other (more stringent) competitors. Who will put the government out of business when their sloppiness leads to disasters (as it uniformly has when dealing with security)? We trust the government locally because federal/state docs are produced with other federal/state documentation - we have 'faith' in the authentication mechanisms that have been in place before digital technology (though they can also be fooled of course). In fact, online trust is such a hard freakin problem, that I imagine the only way to provide decent answers is the continued commercial activity and competition in the field.

Re:Let governments handle SSL (1)

DiegoBravo (324012) | more than 5 years ago | (#26309027)

>> We know that if we see a driver's license or a passport, we can be reasonably certain the person holding said identification is who they claim.
>> but seems to me we already have a long history of internationally recognized identification--both for business and personal use.

Apparently no. That's the reason the travel to USA is now a PITA with all that added biometric registrations.

And for developing countries, the passports never were enough: because of immigration laws, most require visa applications that are also a PITA.

I'm not sure if this kind of inter-national burden can be added to IP data without converting the Internet into a nightmare or clueless regulations.

Re:Let governments handle SSL (3, Interesting)

pha3r0 (1210530) | more than 5 years ago | (#26309381)

Their business makes money by issuing certificates to paying customers, not rejecting customers for bad information. The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math.....
Who then should issue certificates? The only entity that doesn't have to make money--your governments.

Sir. I am not sure where you live but here in America we have seen countless changes made by various government agencies just so they can grab more tax money for their already inflated budgets.

Allow me to weave a tale for my fellow readers. My very first job was in a paper and printing supply warehouse. Things were great. I worked there for about 6 months before I got a rather strange call. It was a customer of ours who placed regular orders for pens and toner and the like. She said she was going to be placing a year end order and would like to know what our current prices on commodity items were. I gave her the run down for copy paper her normal toner carts and some other odds and ends. She said okay and a few minutes later I had a PO in the fax machine.

Now their normal purchases were anywhere from 5-50 dollars. She sent me a PO for 10000 dollars even. The top of the list was her standard set of supplies; there was then a note to fill the rest of the 10000 bucks on copy paper.

Now being young and trying to do a good service I called her back to make sure there had not been a mistake. She told me no, that is correct. "We need to spend the rest of our budget or they will not give us as much next year".

Yes, the current system might have holes but I for one am all for keeping business private and reducing the size of MY current government.

Re:Let governments handle SSL (1)

MindlessAutomata (1282944) | more than 5 years ago | (#26309551)

Your overall point is rather silly, but this in particular stuck out:

Worse, the private industry has a conflict of interest. Their business makes money by issuing certificates to paying customers, not rejecting customers for bad information. The more stringent their policy, the more applicants they reject, and the less money they make. It is simple math, they have to make it as easy to get an SSL certificate as possible or go under. (The bond rating industry suffers from a different, but somewhat similar conflict of interest, actually)

Actually, if the business wants their SSL certs to continue to mean anything, then they very well will be rather stringent, at least theoretically. If the certs are meaningless it devalues the certs, meaning fewer people want them in the end. To use a loosely analogous example, a magazine wants to have a lot of stuff to publish, but they won't publish everything--they'll (theoretically) do fact-finding and verifying before bringing things to print. Bungling facts is going to lower their reputation. "More", in the end, can often lead to "less", and business knows that.

On the other end, the government isn't going to be so concerned on the value of the certs because, hey, it's not like the government particularly cares what you think about their certs. The idea that a business must make it as easy as possible to get an SSL certificate "or go under" is ludicrous.

I find it interesting that you trash business doing SSL certs for profit motive supposedly making them hand out certs like candy to get money, and then you go and say an advantage of the government, which you claim "doesn't have to make money" (I guess they can just print it off, but that devalues the overall money supply...), basically can just "rubber stamp" an SSL cert for anyone who walks in! So apparently it's bad for a business to not be (supposedly) stringent but the government can just hand them out to whoever walks in, being a lot less stringent?

We already have laws that could apply to forging SSL certs--fraud. Forgery, probably, or maybe those laws could be updated. Kind of like how, you know, the whole scamming thing often done by shady websites is already illegal in the first place?

As far as licenses, those are different from security measures, which an SSL is.

Then, SSL certs would not be equal for all countries, and we can't just let the USA hand them out. Nigerian SSL certs? HAH!

In the end, though, the real truth is that with computers, nothing is simple, and to think that you'll end up with a "perfect" or "not-easily-breakable" SSL scheme is just as misguided as the pro-DRM crowd. You make it, someone else will break it, whatever it is, whatever system it is.

Re:Let governments handle SSL (1)

MindlessAutomata (1282944) | more than 5 years ago | (#26309579)

Let me clarify my last statement:

You make it, there is no guarantee that someone won't end up breaking it, or find some flaw or way around the system.

Re:Let governments handle SSL (1)

Hordeking (1237940) | more than 5 years ago | (#26309555)

SSL certificates are one area best served by government. Bear with me here,

SSL certificates are the online version of your driver's license or your passport. We entrust our governments to provide us with reliable, trustworthy forms of identification

No, it's not the equivalent of a driver's license. A driver's license (or other issued gov't ID) is there for the Gov't to verify it has given you permission to do something (for instance, to drive). The fact that it serves as a general purpose identification is an example of feature creep.

Licenses and passports can be faked. 18-21 year olds do it all the time. Making it harder only sets up an arms race. My friend, what we have here is the SSL version of a fake ID.

The government shouldn't be in the business of deciding who and who not to verify. What if they decide to not verify or revoke a cert of someone critical of them?

SSL certs work because you trust the issuer. And the issuer's issuer, and the ultimate issuer.

This isn't an easy problem, as most users of the internet aren't exactly "security" sensitive (even the savvy ones). They look at the top for an "https" and at the status bar for a lock icon. If everything looks good, they go about their business.

For security, it's probably back to the drawing board. For most things, SSL certs probably do well enough in the meantime.

Re:Let governments handle SSL (1)

DarkOx (621550) | more than 5 years ago | (#26310977)

You are totally wrong; giving the problem to governments does nothing to address the trust issue. Is a cert from Libya as good as one from the UK? How could the average person know other than by applying the same international prejudices we use today for other things? How is that any different than trusting GoDaddy more or less than Verisign?

The problem is a certain popular web browser shipping with Windows and the most popular open source browser for following the behavior of the former ilk. They scare users with big warning dialogs and traffic signal colors rather than educate them on what certificates are and how they really work. They don't even educate users on what they are actually used for and ignore the fact that multiple uses exist.

For instance there are lots of cases where I don't need or care to positively identify the entity on the other end. I just want to encrypt what I am sending to keep my activities a little more secret from prying eyes. In that case a cert from any place is as good as the next; the only thing that matters is key length and cipher employed.

Positive identification for our B2B site? The best cert is the self-signed one our sales staff physically hands the customer out-of-band. They know who gave it to them! They saw them in person; there is no doubt of the validity of the public key. That is much stronger than a third party CA which at best used an automated telephone dial back system to validate me; no matter how much they bribed browser makers to scare folks with red and yellow address bars.

SSL as it exists today is a RACKET and nothing more; these companies should be investigated for RICO and conspiracy with browser authors and each other. That is what government should be doing.

Re:Let governments handle SSL (1)

wkk2 (808881) | more than 5 years ago | (#26311203)

I'm sure governments would also like to generate your private key while they issue certs. Maybe a middle ground would be to have government enforced standards with audits on the CAs.

What's next? (0)

Anonymous Coward | more than 5 years ago | (#26307933)

"What lies ahead for the billion-dollar CA industry?"

Ummm, let me guess... government bailout?

bailout?, Not what I was thinking, but ... (1)

reiisi (1211052) | more than 5 years ago | (#26308591)

I was thinking more along the lines of jail time. Scams that take money under false pretenses often do result in jail time.

But, then I thought about the recipients of the current bailouts, and bailouts do seem to be an alternative to jail time.

You could be right.

Paradigm Shift? (2, Funny)

Zordak (123132) | more than 5 years ago | (#26307985)

Apparently somebody didn't get the memo that the only valid way to use this phrase anymore is to mock people who want to grow the enterprise by leveraging synergies.

CONTINUING paradigm shift (0)

Anonymous Coward | more than 5 years ago | (#26308075)

the change from brick and mortar retail to online shopping probably can't be described as anything else.

Sorry to go off-topic (0)

Anonymous Coward | more than 5 years ago | (#26308021)

WTF does this tag mean?
"quiscustodietipsoscustodes"

I can't parse it at all. ... Oh.

Qui.....odes [wikipedia.org]

Re:Sorry to go off-topic (0)

Anonymous Coward | more than 5 years ago | (#26308105)

WTF does this tag mean?
"quiscustodietipsoscustodes"

Who eats custard with custard creams?

Re:Sorry to go off-topic (4, Informative)

chill (34294) | more than 5 years ago | (#26308117)

quis custodiet ipsos custodes

Latin for "who will watch the watchers".

Re:Sorry to go off-topic (3, Funny)

93 Escort Wagon (326346) | more than 5 years ago | (#26308531)

quis custodiet ipsos custodes

Latin for "who will watch the watchers".

So did you know that phrase before it was used on Star Trek: TNG?

Re:Sorry to go off-topic (1)

chill (34294) | more than 5 years ago | (#26308583)

I sort of tuned out TNG after a while. I didn't realize it was used in there. Also, I don't know if they used the Latin or just a rough translation in Enemy of the State.

One year of high school Latin did it for me.

ILLEGITIMI NON CARBORUNDUM!

Re:Sorry to go off-topic (0)

Anonymous Coward | more than 5 years ago | (#26310689)

Some of us actually studied Latin, so yes, I knew this before I watched ST-TNG.

Re:Sorry to go off-topic (0)

Anonymous Coward | more than 5 years ago | (#26311063)

So did you know that phrase before it was used on Star Trek: TNG?

One word: Watchmen.

demonstrate control of the domain in question (3, Insightful)

dencarl (138314) | more than 5 years ago | (#26308113)

Why don't they use the method Google uses to verify control of a domain (and hence ownership)?

The CA should require a unique file (containing a serial number) to be posted to a specific location on the website. Failing that you should be able to receive mail to an arbitrary email address at the domain.

CAs who don't employ a technical measure (such as above) to verify domain ownership *prior* to issuing a cert would be taken out of the list of trusted CAs.
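The file-based check proposed in the comment above, sketched from the CA's side as an added example (not code from the thread or from any CA). The file path, the lifetime and the `fetch` callable are assumptions; the point is that a challenge is bound to one (account, domain) pair, so passing it authorizes nothing for any other domain.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 3600                    # seconds a challenge stays valid (assumed)
WELL_KNOWN_PATH = "/ca-validation.txt"  # hypothetical fixed location on the site


class DomainValidator:
    """CA-side bookkeeping for file-based domain control checks."""

    def __init__(self, fetch, now=time.time):
        self._fetch = fetch   # callable(url) -> body text, or None on failure
        self._now = now
        self._pending = {}    # (account, domain) -> (token, expiry)

    def issue_challenge(self, account, domain):
        token = secrets.token_urlsafe(32)  # unguessable "serial number"
        self._pending[(account, domain.lower())] = (token, self._now() + CHALLENGE_TTL)
        return WELL_KNOWN_PATH, token

    def verify(self, account, domain):
        key = (account, domain.lower())
        entry = self._pending.get(key)
        if entry is None:
            return False      # no challenge was issued for this exact pair
        token, expiry = entry
        if self._now() > expiry:
            del self._pending[key]
            return False
        # The CA builds the URL itself; the applicant supplies only the domain.
        body = self._fetch("http://" + key[1] + WELL_KNOWN_PATH)
        if body is None:
            return False
        ok = hmac.compare_digest(body.strip().encode(), token.encode())
        if ok:
            del self._pending[key]  # single use: reissue before validating again
        return ok


if __name__ == "__main__":
    site = {}                 # constructed stand-in for the applicant's web server
    ca = DomainValidator(site.get)
    path, token = ca.issue_challenge("acct-1", "example.test")
    site["http://example.test" + path] = token + "\n"
    print(ca.verify("acct-1", "other.test"))    # False: not the validated domain
    print(ca.verify("acct-1", "example.test"))  # True
```

A pass here shows only that the applicant controls whatever host the CA's own resolver and route reach for that name.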

Re:demonstrate control of the domain in question (1)

lord_sarpedon (917201) | more than 5 years ago | (#26308233)

I believe StartCom and probably the other free providers do something like this. StartCom is in Firefox by default, by the way.

Re:demonstrate control of the domain in question (1)

polarsd (1329425) | more than 5 years ago | (#26308291)

Well, who is going to do that? What about all those browsers that don't get updated, and even so, why trust the update? This is the same problem as with Certificate Revocation Lists (CRL). For the most part, the relying party doesn't check.

Re:demonstrate control of the domain in question (1)

cdrguru (88047) | more than 5 years ago | (#26308319)

A brute force attack upon a server which gives you the ability to receive email through it or place files on it does not mean you have legal "control" over the domain.

OK, it tends to indicate it but it is not any real assurance.

Re:demonstrate control of the domain in question (2, Insightful)

blueg3 (192743) | more than 5 years ago | (#26308361)

Kaminsky's DNS attack -- and the BGP hack, for that matter -- demonstrate pretty clearly why being able to masquerade as a particular host to the CA is not sufficient to prove you are actually the proper owner of that domain.

Re:demonstrate control of the domain in question (1)

dencarl (138314) | more than 5 years ago | (#26308619)

I'm not sure an internet level hack should be considered a valid weakness. By that logic the only way to validate identity is via telephone or fax. But wait, where is that contact info coming from? A Whois lookup could be compromised by the same technique.

Re:demonstrate control of the domain in question (1)

blueg3 (192743) | more than 5 years ago | (#26309437)

The domain has to be registered to someone, and the path to companies who hold the "someone" information can be made trusted. You don't have to issue a whois query and hope that the information hasn't been tainted.

For the issuing of SSL certificates, which essentially protect against network-level hacks, being susceptible to network-level hacks is a pretty big deal.

We need multiple tiers (3, Insightful)

lord_sarpedon (917201) | more than 5 years ago | (#26308317)

Need a two tiered system.

The world is so fucked up right now as far as censorship and snooping. We need encryption, everywhere, right now.

Tier 1:
"httpe" that acts similar to SSH - big warning on key changes. Known key can be included in html links even from untrusted sites (such as from a google search results page) for a cautionary warning with no loss of security. No prompt for a new site. Prompt if it changes. Prompt if a link gives a 'known' key different from the given one.

Very easy to gradually deploy.

Tier 2:
Well-known certs for the root nameservers. Stick self-signed cert in DNS records. Sign DNS responses. Imposes a chain of trust type requirement on lesser nameservers.

Tier 3:
The fancier certs being passed around these days which are supposedly hyper deluxe verified. Actual monetary cost involved here. Determine a magic solution to make at least a few of the CAs trustworthy.
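The Tier 1 rules in the comment above (no prompt for a new site, prompt when the key changes, prompt when a link carries a key that differs from the one presented), written out as an added example that is not part of the original post. "httpe" is the commenter's hypothetical scheme; the class and function names, the SHA-256 fingerprint and the sample keys are assumptions.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    WARN_LINK_MISMATCH = "key in link differs from key the server presented"
    WARN_KEY_CHANGED = "server key changed since first visit"


def fingerprint(public_key_bytes):
    """Hex SHA-256 of the raw key bytes (assumed fingerprint format)."""
    return hashlib.sha256(public_key_bytes).hexdigest()


class PinStore:
    """Trust-on-first-use key memory, as SSH keeps in known_hosts."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint recorded on first contact

    def check(self, host, server_key, link_fp=None):
        host = host.lower()
        seen = fingerprint(server_key)
        pinned = self._pins.get(host)
        if pinned is not None and pinned != seen:
            return Verdict.WARN_KEY_CHANGED    # the pin is never replaced silently
        if link_fp is not None and link_fp.lower() != seen:
            return Verdict.WARN_LINK_MISMATCH  # and no pin is stored on first contact
        if pinned is None:
            self._pins[host] = seen            # first use: remember without prompting
        return Verdict.ACCEPT

    def replace_pin(self, host, server_key):
        """Call only after the user has explicitly accepted a changed key."""
        self._pins[host.lower()] = fingerprint(server_key)


if __name__ == "__main__":
    real, other = b"constructed-key-A", b"constructed-key-B"  # constructed samples
    store = PinStore()
    print(store.check("shop.test", real))    # Verdict.ACCEPT (first use)
    print(store.check("shop.test", other))   # Verdict.WARN_KEY_CHANGED
    # A link carrying the real fingerprint exposes a substituted key even on
    # the very first visit, which plain first-use pinning cannot do.
    print(store.check("bank.test", other, link_fp=fingerprint(real)))
```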

Re:We need multiple tiers (1)

phantomfive (622387) | more than 5 years ago | (#26310253)

You are totally paranoid to a ridiculous degree (seriously, when was the last time you were censored, or even snooped on?), but you make a good point. It would be excellent if you could install your public key in the DNS server. Then if all traffic from the DNS server were encrypted, it would be extremely difficult to create a man-in-the-middle attack; in fact a number of attacks would be made quite difficult or impossible. There may even be a provision for this already in the DNS specification, since it is an extensible protocol. It would just be a matter of convincing DNS hosts to allow storing that information.

It was vaporware anyways (4, Insightful)

Gothmolly (148874) | more than 5 years ago | (#26308363)

The "industry" provided no value - it merely allowed you to pretend you were somehow secure, above and beyond the actual SSL part. Smoke and mirrors. If this "industry" dies, it will be a market correction, nothing more.

Bruce is wrong (4, Insightful)

dachshund (300733) | more than 5 years ago | (#26308465)

"SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," [Schneier] said.

I respect Bruce, but I think if you say something true enough times, you lose sight of the fact that in this case it may not actually be a valid point. While credit card theft is a major problem, phishers frequently target bank account login credentials--- which are not stored all over the place. In this case, SSL is one of the primary protections keeping you from all kinds of hell (losing your credit card is a pain in the butt, but usually it's insured... losing your banking credentials can be a huge disaster). Now imagine that instead of a few rubes being conned by phishing emails, you had millions of relatively savvy customers at a large ISP diverted to a fake Bank of America site (perhaps with help from insiders at the ISP). The losses could be substantial.

Again, Bruce is right about one problem but not necessarily about every problem (and I can't help but notice that he works for a storage company...)

Re:Bruce is wrong (1)

jd (1658) | more than 5 years ago | (#26308603)

Well, no, they're not stored every place. Usually, they're stored on the user's web browser or in some other similar system. As I recall from the paper on The Internet Auditing Project, their SSH security was broken because someone had the password on their Windows box and the Windows box was broken into. Also bear in mind that there were many stories in 2008 of servers being cracked, leading to the loss of hundreds of thousands, occasionally millions, of credit card numbers. So whilst I agree with you that Bruce isn't identifying all of the critical points, I would argue that there are an enormous number of weaknesses in existing systems and that almost all of them have been exploited in the past.

For online shopping, I take the line that credit card numbers (and indeed any other personal information) should never be stored on online servers. That information should be passed, still encrypted, to servers behind the DMZ. If DMZ-based systems need to authenticate against such data, they should authenticate against a strong cryptographic hash of that data, never against the raw data itself. All actual use of the data should be on internal, secure networks that have no direct outside access and only very controlled, very limited communication with DMZ-based machines which should be assumed to have already been broken into.

For personal machines, browsers have way way too much access to data. The same basic concept should be applied as for servers, so that browsers are completely sandboxed, the key data (such as accounts, passwords and so on) is kept by software with no direct outside access, and that browsers should merely proxy that data (again, already in encrypted form) to remote sites. Ideally, browsers should never manipulate raw data of any kind, with all true client-side I/O (be it JPEG images, SSL certificates, or whatever) being handled elsewhere.

Re:Bruce is wrong (1)

NynexNinja (379583) | more than 5 years ago | (#26308657)

If counterpane is a storage company, then microsoft is a furniture company.

Re:Bruce is wrong (0)

Anonymous Coward | more than 5 years ago | (#26309019)

Did BT buy Microsoft too?

Re:Bruce is wrong (2, Insightful)

blueg3 (192743) | more than 5 years ago | (#26309463)

Actually, it's mostly popular to get bank credentials directly from the user's machine via malware. Jacking SSL isn't as successful.

Taking a harder line on certs. (4, Interesting)

Animats (122034) | more than 5 years ago | (#26308677)

There are really three tiers of SSL certs being sold:

  1. "Domain control only validated" certs. This means the cert issuer got an answer from an e-mail sent to the domain. This is the "QuickSSL" tier.
  2. "Location and business identity validated" certs. What SSL certs were supposed to mean. The cert issuer actually checked out the business for existence. At this tier, there's often a "relying party" guarantee.
  3. "Extended validation" certs. The cert issuer had to meet some audited standards to issue the cert. Mostly used by banks.

Current browsers don't distinguish between #1 and #2. They should. "Domain control only validated" certs are enough to secure some social networking site or blog, but not good enough to send someone a credit card number. If they're taking your money, the cert should contain enough info to allow you to find and sue them.

Our SiteTruth [sitetruth.com] system distinguishes between #1 and #2, because we're looking for business identity. It's a useful way to filter out the "bottom feeders".

The problems with bogus SSL cert issuance seem to be, so far, confined to the "Domain control only validated" certs. This is an additional good reason to distinguish between them and the better tiers.

Re:Taking a harder line on certs. (0)

Anonymous Coward | more than 5 years ago | (#26310449)

Current browsers shouldn't be in a position to *have to* distinguish between #1 and #2. The CAs should have been earning their keep and doing most of #3 all along. The whole basis of the certificate hierarchy is an establishment of "trust". CAs are charged with ensuring that trust isn't misplaced and they've sold out for quick bucks.

You either trust something or you don't. "Almost trusting" doesn't cut it when I'm making an electronic payment. EV certificates are a symbol of the CA industry attempting to charge for the service they should have been providing in the first place ... again.

Re:Taking a harder line on certs. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26310803)

I find this site a bit concerning. I entered my site, which does not use SSL anywhere, and it flags it up red. Surely a site not using SSL should say 'no info available'?
