tag:blogger.com,1999:blog-5127857.post1888737785411553154..comments2009-08-06T21:32:42.161+02:00Asgeir S. Nilsenhttp://www.blogger.com/profile/09990435798930983334asgeirn@gmail.comBlogger5125tag:blogger.com,1999:blog-5127857.post-5020812317508464922009-08-06T21:32:42.161+02:002009-08-06T21:32:42.161+02:00The security of DNS is a separate issue, and TLS actually solves this problem. This doesn&#39;t have much to do with DNSSEC. If the DNS is spoofed, even if the CN of the server certificate matches the spoofed hostname, it won&#39;t (or shouldn&#39;t be certified) by a CA you trust. This trust can be enhanced by EV certificates.<br /><br />Regarding your second example &quot;The last time I registered with a new bank the welcoming package was delivered to me via certified mail where I had to identify myself with my passport.&quot;, that&#39;s exactly the same problem of logic as in your first suggestion (&quot;1. The browser issues a digital certificate&quot;): the fact that you identify yourself with your passport does not mean that what you&#39;re receiving comes from a legitimate source. It&#39;s up the the sender to identify itself first.<br />The same problem exists with client certificates and hardware tokens: there&#39;s no point sending your client certificate to a server you haven&#39;t verified. That&#39;s where the man-in-the-middle attack may come from.<br /><br />What you would want from your bank is to go to their branch (assuming that it&#39;s a place you can trust) and ask them for their certificate or fingerprint in person, so as to be able to verify it when you connect to their website later. It&#39;s relatively easy to do for shops that have physical branches you can trust (assuming they&#39;re all real shops), but it becomes much harder for companies you can&#39;t get hold of physically (e.g. Amazon, etc.). That&#39;s why you need trusted intermediates such as commercial CAs.<br /><br />I totally agree with the fact that few users really understand warning messages (and act upon them correctly), but checking each certificate isn&#39;t necessarily easier.Bruno Harbulothttp://www.blogger.com/profile/08679661710559052320noreply@blogger.comtag:blogger.com,1999:blog-5127857.post-26703184119815355392009-08-06T20:31:56.468+02:002009-08-06T20:31:56.468+02:00Thanks for your comment. You are absolutely right regarding my first suggestion and it being vulnerable to a man-in-the-middle attack. However, TLS is here trying to fix a problem with DNS; the fact that you cannot be sure that the DNS server you are talking to is serving the correct data for a host name. <br /><br />This is something DNSSEC or OpenDNS attempt to fix.<br /><br />My second suggestion is actually part of what TLS support already today, as Jeff Moser pointed out: TLS-PSK or TLS-SRP.<br /><br />The exchange of this pre-shared key is of course an issue, but one issue web banks solve already today upon customer registration. The last time I registered with a new bank the welcoming package was delivered to me via certified mail where I had to identify myself with my passport. <br /><br />This welcoming package can then serve as the out-of-band delivery method for the pre-shared key. Many banks also require hardware tokens for logging in.<br /><br />One final point: Many users have very little understanding of what these server certificates are for, and act wrongly: Look at the article <a href="http://www.infoworld.com/d/security-central/security-certificate-warnings-dont-work-researchers-say-725" rel="nofollow"><em>Security certificate warnings don&#39;t work, researchers say</em></a>.Asgeir S. Nilsenhttp://www.blogger.com/profile/09990435798930983334noreply@blogger.comtag:blogger.com,1999:blog-5127857.post-47214493540565934402009-08-06T20:04:04.411+02:002009-08-06T20:04:04.411+02:00The TLS trust model isn&#39;t broken as such. Your concerns are valid, but what you seem to be disagreeing with is the concept of Public Key Infrastructures (PKI). You seem to have missed the problem they aim to solve: key distribution. What you&#39;re suggesting is a manual Web-of-Trust approach (a la PGP). This is fair enough, but it leads to a lot of practical problems when you want to deal with someone with whom you haven&#39;t pre-established trust (or established it via intermediate parties).<br /><br />You don&#39;t need to change anything in TLS or Firefox to fulfil your requirements; all you need to do is to delete the certification authorities from your Firefox installation and re-import the certificate of each website you trust one by one when you visit them. However you verify those is up to you, and will have to be done out of band (and will certainly be tedious).<br /><br />Regarding your key exchange suggestions:<br />(1) could lead to a man-in-the-middle attach (checking the identity of the server first is fundamental for the security of TLS);<br />(2) presents the same problem: that&#39;s what TLS does ultimately during the handshake (exchanging shared keys securely), again you do need to pre-verify the identity of the remote party to do this, so you&#39;d need to know how to verify its key/certificate in advance.Bruno Harbulothttp://www.blogger.com/profile/08679661710559052320noreply@blogger.comtag:blogger.com,1999:blog-5127857.post-26715590994247785952009-08-03T10:56:17.167+02:002009-08-03T10:56:17.167+02:00Thanks for your comment. Your references to TLS-PSK and TLS-SRP were interesting reads indeed.<br /><br />Seems I didn&#39;t think thoroughly enough into the man-in-the-middle issues.Asgeir S. Nilsenhttp://www.blogger.com/profile/09990435798930983334noreply@blogger.comtag:blogger.com,1999:blog-5127857.post-75524191083515548032009-07-28T17:11:26.876+02:002009-07-28T17:11:26.876+02:00Good thoughts, however I think your #1 recommendation has a man-in-the-middle attack issue.<br /><br />I posted a full reply to the this at http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html#c9103997414201993900Jeff Moserhttp://www.blogger.com/profile/16074905903060665396noreply@blogger.com