Date:      Mon, 22 Jan 2001 04:20:59 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        <cjclark@alum.mit.edu>
Cc:        "'Arcady Genkin'" <antipode@thpoon.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID:  <012f01c0846d$d1b55ec0$1401a8c0@tedm.placo.com>
In-Reply-To: <20010122025725.N10761@rfx-216-196-73-168.users.reflex>



Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: Crist J. Clark [mailto:cjclark@reflexnet.net]
>Sent: Monday, January 22, 2001 2:57 AM
>To: Ted Mittelstaedt
>Cc: 'Arcady Genkin'; freebsd-questions@FreeBSD.ORG
>Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure
>authentication)
>
>
>On Mon, Jan 22, 2001 at 01:33:09AM -0800, Ted Mittelstaedt wrote:
>>
>> >-----Original Message-----
>> >From: owner-freebsd-questions@FreeBSD.ORG
>> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
>Crist J. Clark
>> >Sent: Sunday, January 21, 2001 8:18 PM
>> >To: Arcady Genkin
>> >Cc: freebsd-questions@FreeBSD.ORG
>> >Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server
>>
>> You're discounting the ability to transfer the key by other mechanisms.
>
>No, I mentioned explicitly that secure channels do exist in my initial
>response as pointed out above. But those methods are out-of-band and
>not within the SSL protocol itself.
>

Sorry about that, I missed it when I first posted.

>> Here's a thought, a CA can set itself up, get a Verisign certificate,
>> then use it to bootstrap their own signatures into interested parties
>> web browsers, then those users can go to other sites that are running
>> certs signed by that CA.
>
>I think anyone who paid to get signed by someone who distributes their
>cert like that has been had.

Who said anything about charging anyone - I didn't!

>You are counting on users following bad
>security practices to get these guys' certs in place. Well, if morons
>are your target market, then that actually might be a good choice.
>

No, because what is a CA?  All a CA is, is some guy that says he's
authoritative.

If the user with a browser that already has an out-of-band-delivered
signature in it connects to a CA that is using a cert from that CA,
why then supposedly that channel is secure, and invulnerable to a
man-in-the-middle attack, right?  Once they have a secure channel,
then if they get a key, that key isn't accessible to a crack.

Now, I can hear your next argument already - how do multiple users
determine if that hypothetical CA is indeed the SAME CA and not an
imposter?  Well, all I have to say is how do YOU know that the certs
distributed with YOUR version of Netscape are indeed legitimate?
Are you going to argue that every single user that has Netscape has
a guaranteed channel to Netscape for their installation?

Just because the Netscape that is installed has a cert delivered
out-of-band, there's no guarantee that the out-of-band delivery method
is any more secure than anything else.  What about all of those
MSN, Earthlink, and AOL CD's that arrive in junk mail, all of those
have installable copies of Netscape and IE on them.  Are you going to
say that no possibility exists that the certs in them haven't been
tampered?  On the contrary, I'd say that Earthlink and AOL have a
vested interest in tampering with those certs - if only so they can
insert even more certs for their OWN SSL servers.

Or what about the interesting possibility of writing a virus that
as part of its infection, overwrites any IE and Netscape certs it
finds on the system with its own.  Combine that with a DNS attack
of a popular credit-card accepting site and the results might
prove most interesting.

I think you can see where I'm going with this line - the honest to god
truth is there's no fricken way to absolutely, positively guarantee
that the cert that you have in your browser or whatever is, indeed,
what it is supposed to be unless you get off your ass and drive
over to the CA and walk in their office and down the hall to the
guy who actually generates the signature file and he hands you
a floppy disk with the file on it.

>I count certs from 27 different signers in a freshly installed
>Netscape browser. There are over 80 certs total. These include the
>signers listed above plus other little joints like the USPS, AT&T,
>IBM, etc. Verisign is not the only game in town. And frankly, I don't
>really like the idea that my browser by default would trust all of
>these guys.
>

This ignores one of the fundamental requirements of good web design
and that is to not design to a specific browser or version of
browser and only Verisign is guaranteed to be available
on the older browsers.

>> Frankly, in my opinion it's a damn shame that Verisign has been
>> able to successfully propagandize most of the Internet into believing
>> that they are the Only Way Truth and Light to secure data
>transmission
>> on the Internet.  It's tremendously retarded the growth and use of
>> SSL on the Internet, in my opinion.
>
>I really am unaware of a basis for such a claim. Are there scores of
>people who want to get a signed SSL cert and have been denied the
>privilege?

Of course nobody has been DENIED, you know perfectly well that
it's against the Constitution to deny people anything - nobody is denied
anything in this society, even if they want to kill themselves and others
with tobacco, or SUV's, or assault weapons, there's plenty of
lawyers that are going to ensure that they get the chance.

However, I can say that in my capacity as the guy that gets asked
the question at the ISP I work for, the single biggest reason that
people DON'T pursue SSL is because they perceive that a SSL cert
costs $100 or more.  Now, maybe to you that's not a lot of money (to me
it's not a lot either) but it seems to be to most of the folks publishing
websites on our servers that accept credit cards via forms and whatnot.
Now, maybe we don't have SCORES of people with websites, but we
have a far higher number of websites that take credit cards with
no SSL at all, than sites that take cards and have SSL.  (and,
please let's not go into how bad this is, I know and the site
owners have been told but they do it anyway.  They probably also
drive SUV's too.)

I squarely blame Verisign for this because they were the ones that
got into the market first and viewed it as some sort of golden money
machine for cranking out cash while they sat on their asses and
built a giant automated process that actually did the work.  Then
they built a giant marketing engine that spent most of its time
justifying why they should be paid their $250 a year for a commercial
cert for sitting on their asses doing nothing.  Of course,
today the cat is out of the bag at least among SSL folks, and this
is why Verisign went down the tubes and Network Solutions was able
to buy them.

If Verisign had charged a REASONABLE amount for a commercial cert,
like $15 a year, then today just about ALL websites would automatically
come as SSL sites out-of-the-box and we wouldn't be having this
discussion.  They would probably have made a pile more money
too just in the volume, and would probably still exist as a stinking
rich, proud independent company with tentacles everywhere (like
Network Solutions is today) instead of ending up a one-trick pony that got
eaten up (by Network Solutions).

>Security companies and other institutions who do this have
>sprung out of the woodwork. The cool thing about selling a cert
>signing service is that it takes very little actual work. Like you
>point out, the real challenge and costs are in marketing and
>branding.

:-/  Yup - just what we need, more industries in this country that
produce a product that's worth practically nothing, and plow
most of their profits into marketing and sales people to justify
spending a shitpile of money on it.  I sure wish that we could
export bullshit, then maybe the trade balance wouldn't
be so out of whack.

>--
>Crist J. Clark                           cjclark@alum.mit.edu
>
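As an added example (not code from the thread or from either poster), the trust-anchor point argued above in runnable form: two made-up CAs each sign a certificate for the same made-up host name, and openssl verify accepts each chain only against the anchor it is handed, so the anchor's fingerprint, compared over some out-of-band channel, is the one value a user can actually check. Assumes an openssl binary on PATH; RealCA, RogueCA and mail.example.test are constructed names.

```shell
#!/bin/sh
# Demo (constructed, not from the original thread): which CA certs are
# installed as anchors decides which server certs verify. The names below
# are made up for this demo.
set -e
WORK=$(mktemp -d)

# Self-signed CA: key + cert in one step, no passphrase, no prompts.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf cert for CN=$2 signed by CA $1, written to $WORK/$3.crt.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$3.crt" 2>/dev/null
}

# Chain check against exactly one trust anchor; exit status 0 = trusted.
verify() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# SHA-256 fingerprint of a cert: the value a user compares out-of-band.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

mkca RealCA
mkca RogueCA
mkleaf RealCA  mail.example.test server_real
mkleaf RogueCA mail.example.test server_rogue   # same name, other signer

# The rogue cert is rejected only because RogueCA is not in the CAfile.
verify "$WORK/RealCA.crt" "$WORK/server_real.crt"  && echo "real chain: trusted"
verify "$WORK/RealCA.crt" "$WORK/server_rogue.crt" || echo "rogue chain: rejected"
# Swap the anchor (what a tampered cert store amounts to) and the verdict flips.
verify "$WORK/RogueCA.crt" "$WORK/server_rogue.crt" && echo "rogue chain: trusted once RogueCA is an anchor"
# Pinning the anchor's fingerprint is the check that survives a swapped store.
echo "RealCA pin:  $(fingerprint "$WORK/RealCA.crt")"
echo "RogueCA pin: $(fingerprint "$WORK/RogueCA.crt")"
```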






