Thoughts on HTTPS

[mike acker]

Find a site that's using https. click on the little padlock and ask for more info.

it'll just tell you you're connected to (e.g.) xxx.com and that their cert has been verified by a Certificate Authority.

The trouble here is simple: I have no way of knowing if this is the right display. hackers will typically obtain a cert that is similar to the real one. without verifying the fingerprint on the signature we really can't say we are connected to the right source.

a further thought: hackers typically steal data from endpoints using un-authorized programming aka "computer virus". data is said to be "at rest"-- in an endpoint and in-transit -- while moving over the net. fussing over encryption for the in-transit data simply leaves the backdoor and the frontdoor open. it's the endpoints that need attention and it is also important to add that authentication is also critical to insure that the proper endpoints are connected.

the current system of publishing certs for everybody that wants one -- isn't helpful.

[catweazel]

the current system of publishing certs for everybody that wants one -- isn't helpful.

So, what's your solution?

[BigEasy]

HTTP forever !

[mike acker]

the short answer is: we will need to validate the x.509 certificate we actually use. only those we actually use, and even less than that: just those we use in critical applications, such as logging onto the Credit Union.

just reading a news site -- not so important.

[mike acker]

HTP$

on checking I found my service provider will be happy to generate a certificate for me

$20.00 / year

[Cosmo.]

Wouldn't it be possible to get a certificate for free by Let's Encrypt?

[Hoser Rob]

No, https isn't perfect. But it's still worth using.

If you want to keep your computer 100% safe there's exactly one way, and it's easy. Buy a computer. Take it home. Leave it in the box, forever.

[Portreve]

the short answer is: we will need to validate the x.509 certificate we actually use.

The thing is, how can one credibly do this?

In the first place, I've (personally) only ever heard of x.509. I have no idea what that actually is. I have no idea where to go to validate anything. Yes, I'm intelligent enough to do a Google search on the subject, and while I trust I have sufficient mental capabilities to discern that I'm reading credible background information, I have no way to know if I'm going to a source of validation that is legitimate. I have no way to know that the https session to such a place is secure or if it's been compromised.

Would you be willing to stake your life, or the lives of your family and friends, on the absolute reliability of whatever you might give me as advice to crack this particular nut? Would you be willing to do the same, relative to absolute reliability of that particular supposed validation entity? If not, then you really can't answer this question. And that's the point: I have no independent way to validate the authority of a source validating the authority and authenticity of any particular issued x.509 certificate. It's a complete house of cards.

[mike acker]

Wouldn't it be possible to get a certificate for free by Let's Encrypt?

most likely so. I'm not sure I'd be able to install it though-- my site is hosted by CoreComm Services. I think they have to enable the HTTPS protocol for me. I'd have to call their help desk to check it out, although I can order the service from their online web page.

I probably should do this -- if only to learn to use it.

thanks for the help, though !!

[mike acker]

the short answer is: we will need to validate the x.509 certificate we actually use.

The thing is, how can one credibly do this?

In the first place, I've (personally) only ever heard of x.509. I have no idea what that actually is. I have no idea where to go to validate anything. Yes, I'm intelligent enough to do a Google search on the subject, and while I trust I have sufficient mental capabilities to discern that I'm reading credible background information, I have no way to know if I'm going to a source of validation that is legitimate. I have no way to know that the https session to such a place is secure or if it's been compromised.

Would you be willing to stake your life, or the lives of your family and friends, on the absolute reliability of whatever you might give me as advice to crack this particular nut? Would you be willing to do the same, relative to absolute reliability of that particular supposed validation entity? If not, then you really can't answer this question. And that's the point: I have no independent way to validate the authority of a source validating the authority and authenticity of any particular issued x.509 certificate. It's a complete house of cards.

thanks for the note; I always enjoy chatting with you.

the answer of course is again simple: I don't think security is ever 100% proof.

however it's important to consider the degree of difficulty a security system presents to the attacker. any security system needs to be such that the cost of breaking it is more than any value that might be obtained by doing so. we should always look at security with this in mind.

an x.509 certificate is just a special record formatted with a bunch of customer information together with the customer's public key.

remember that when a record is signed -- it is signed with the signer's private key. the private key is not to be revealed (this in opposition to the handling of symmetric keys such as your name, address, DoB, SSN etc ). the signature produced is a product of the data signed and the private key; the signature may be verified if you have the signer's public key. this is the essence of the authentication mechanism provided by Public Key Encryption (PGP/GnuPG). Thus if you hold a document that has been signed in this way, and you have the signer's public key -- you can recognize (authenticate) the signature --- but you could not have created it. I'll add a quote from Whitfield Diffie in my next post.

[mike acker]

Newegg trial: Crypto legend takes the stand, goes for knockout patent punch
Taking a bet on Whit Diffie, as the trial against "patent troll" TQP wraps up Monday.

SOURCE

Excerpt

There was one other big need: proving authenticity.
"The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate," he said. "That person can recognize the signature but could not have created the signature."

Phil Zimmerman describes in careful detail in his original PGP documentation how the Public Key Model is to work. The key is in understanding when a Public key is "valid".

a Public key is considered "valid" only when the holder is satisfied that the key actually belongs to the person who claims to offer it.

check in your browser; display certificates and CA Authorities. how may of these records are you sure of? this is the problem with PKI.

[Portreve]

thanks for the note; I always enjoy chatting with you.

Same to you, Mike.

I guess the point of my prior post that you quoted is to ask how I would be able to validate, and how I could know whether the validation data I was looking at was itself valid.

[mike acker]

thanks for the note; I always enjoy chatting with you.

Same to you, Mike.

I guess the point of my prior post that you quoted is to ask how I would be able to validate, and how I could know whether the validation data I was looking at was itself valid.

While I am able to follow Zimmerman's process using GnuPG to my knowledge there is not currently any provision for signing x.509 certs. Instead the certs are simply published for you by your browser OEM. These are validated by a "Certificate Authority": (which it is presumed you consider to be VALID ( you are sure you know who they are) and TRUSTED ( to sign certificates for your use ). Pretty presumptuous, if you ask me,-- and not IAW Zimmerman's Docs.

mint-cert-auth.png

For the most part these will all be good and proper.

you can inspect the certificate:

mint-cert.png

having done that you can examine the fingerprints - identifying data on the cert, and given access to proper references you could verify it. I'm using F/Fox here --

but that's about as far as I can go with it. I could go to F/Fox CA tool and mark the CA untrusted -- or delete it -- but that would affect every cert. signed by that CA. I did try deleting a CA a while back -- but -- next time Mozilla broadcast their update -- everything came right back.

these are all excellent questions. it looks to me like there is too much opportunity for rogue certs to get into the system. I have reports indicating it's already happened: Diginotar and COMODO were both hacked earlier. I've been looking also for other commentary on this topic; perhaps I'll be able to put together a few excerpts and some URL reference n that topic in the next few days.

[mike acker]

Suggested Reading

One-stop counterfeit certificate shops for all your malware-signing needs

excerpt

"In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers," Thursday's report said. "The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months."

Source: Ars Technica / Dan Goodin - 2/22/2018, 8:00 AM

[Lucap]

https://www.theregister.co.uk/2018/03/0 ... ntec_spat/

23,000 HTTPS certs will be axed in next 24 hours after private keys leak.

[mike acker]

https://www.theregister.co.uk/2018/03/0 ... ntec_spat/

23,000 HTTPS certs will be axed in next 24 hours after private keys leak.

how does Charlie Brown put it ?

Good Grief

VM2B3479 Snake Oil.jpg

Please: Help yourself. The Drummer will take your money in the Saloon.

There are three main troubles:
1. anyone can get a x.509 cert.
2. users don't know what their proper certs look like: they have not validated any of those that they hold.
3. computer users are used to material being changed continuously; it's hard to know what things *should* look like when they are getting changed and updated all the time.

too, we have some hacking and also some sloppy handling, here and there.