Thoughts on HTTPS

Chat about just about anything else
Post Reply
mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Thoughts on HTTPS

Post by mike acker » Tue Feb 13, 2018 7:22 pm

Find a site that's using https. click on the little padlock and ask for more info.

it'll just tell you you're connected to (e.g.) xxx.com and that their cert has been verified by a Certificate Authority.

The trouble here is simple: I have no way of knowing if this is the right display. hackers will typically obtain a cert that is similar to the real one. without verifying the fingerprint on the signature we really can't say we are connected to the right source.

a further thought: hackers typically steal data from endpoints using un-authorized programming aka "computer virus". data is said to be "at rest"-- in an endpoint and in-transit -- while moving over the net. fussing over encryption for the in-transit data simply leaves the backdoor and the frontdoor open. it's the endpoints that need attention and it is also important to add that authentication is also critical to insure that the proper endpoints are connected.

the current system of publishing certs for everybody that wants one -- isn't helpful.
¡Viva la Resistencia!

User avatar
catweazel
Level 13
Level 13
Posts: 4881
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Thoughts on HTTPS

Post by catweazel » Wed Feb 14, 2018 12:45 am

mike acker wrote:
Tue Feb 13, 2018 7:22 pm
the current system of publishing certs for everybody that wants one -- isn't helpful.
So, what's your solution?
A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. - Max Planck

User avatar
BigEasy
Level 6
Level 6
Posts: 1131
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Thoughts on HTTPS

Post by BigEasy » Wed Feb 14, 2018 3:14 am

HTTP forever !
Windows assumes I'm stupid but Linux demands proof of it

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Wed Feb 14, 2018 7:14 am

the short answer is: we will need to validate the x.509 certificate we actually use. only those we actually use, and even less than that: just those we use in critical applications, such as logging onto the Credit Union.

just reading a news site -- not so important.
¡Viva la Resistencia!

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTP$

Post by mike acker » Wed Feb 14, 2018 9:31 am

HTP$

on checking I found my service provider will be happy to generate a certificate for me

$20.00 / year
¡Viva la Resistencia!

Cosmo.
Level 23
Level 23
Posts: 17664
Joined: Sat Dec 06, 2014 7:34 am

Re: Thoughts on HTTPS

Post by Cosmo. » Wed Feb 14, 2018 9:59 am

Wouldn't it be possible to get a certificate for free by Let's Encrypt?

Hoser Rob
Level 10
Level 10
Posts: 3407
Joined: Sat Dec 15, 2012 8:57 am

Re: Thoughts on HTTPS

Post by Hoser Rob » Wed Feb 14, 2018 10:18 am

No, https isn't perfect. But it's still worth using.

If you want to keep your computer 100% safe there's exactly one way, and it's easy. Buy a computer. Take it home. Leave it in the box, forever.

User avatar
Portreve
Level 6
Level 6
Posts: 1002
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida
Contact:

Re: Thoughts on HTTPS

Post by Portreve » Wed Feb 14, 2018 11:04 am

mike acker wrote:
Wed Feb 14, 2018 7:14 am
the short answer is: we will need to validate the x.509 certificate we actually use.
The thing is, how can one credibly do this?

In the first place, I've (personally) only ever heard of x.509. I have no idea what that actually is. I have no idea where to go to validate anything. Yes, I'm intelligent enough to do a Google search on the subject, and while I trust I have sufficient mental capabilities to discern that I'm reading credible background information, I have no way to know if I'm going to a source of validation that is legitimate. I have no way to know that the https session to such a place is secure or if it's been compromised.

Would you be willing to stake your life, or the lives of your family and friends, on the absolute reliability of whatever you might give me as advice to crack this particular nut? Would you be willing to do the same, relative to absolute reliability of that particular supposed validation entity? If not, then you really can't answer this question. And that's the point: I have no independent way to validate the authority of a source validating the authority and authenticity of any particular issued x.509 certificate. It's a complete house of cards.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Wed Feb 14, 2018 4:41 pm

Cosmo. wrote:
Wed Feb 14, 2018 9:59 am
Wouldn't it be possible to get a certificate for free by Let's Encrypt?
most likely so. I'm not sure I'd be able to install it though-- my site is hosted by CoreComm Services. I think they have to enable the HTTPS protocol for me. I'd have to call their help desk to check it out, although I can order the service from their online web page.

I probably should do this -- if only to learn to use it.

thanks for the help, though !!
¡Viva la Resistencia!

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Wed Feb 14, 2018 4:52 pm

Portreve wrote:
Wed Feb 14, 2018 11:04 am
mike acker wrote:
Wed Feb 14, 2018 7:14 am
the short answer is: we will need to validate the x.509 certificate we actually use.
The thing is, how can one credibly do this?

In the first place, I've (personally) only ever heard of x.509. I have no idea what that actually is. I have no idea where to go to validate anything. Yes, I'm intelligent enough to do a Google search on the subject, and while I trust I have sufficient mental capabilities to discern that I'm reading credible background information, I have no way to know if I'm going to a source of validation that is legitimate. I have no way to know that the https session to such a place is secure or if it's been compromised.

Would you be willing to stake your life, or the lives of your family and friends, on the absolute reliability of whatever you might give me as advice to crack this particular nut? Would you be willing to do the same, relative to absolute reliability of that particular supposed validation entity? If not, then you really can't answer this question. And that's the point: I have no independent way to validate the authority of a source validating the authority and authenticity of any particular issued x.509 certificate. It's a complete house of cards.
thanks for the note; I always enjoy chatting with you.

the answer of course is again simple: I don't think security is ever 100% proof.

however it's important to consider the degree of difficulty a security system presents to the attacker. any security system needs to be such that the cost of breaking it is more than any value that might be obtained by doing so. we should always look at security with this in mind.

an x.509 certificate is just a special record formatted with a bunch of customer information together with the customer's public key.

remember that when a record is signed -- it is signed with the signer's private key. the private key is not to be revealed (this in opposition to the handling of symmetric keys such as your name, address, DoB, SSN etc ). the signature produced is a product of the data signed and the private key; the signature may be verified if you have the signer's public key. this is the essence of the authentication mechanism provided by Public Key Encryption (PGP/GnuPG). Thus if you hold a document that has been signed in this way, and you have the signer's public key -- you can recognize (authenticate) the signature --- but you could not have created it. I'll add a quote from Whitfield Diffie in my next post.
¡Viva la Resistencia!

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Wed Feb 14, 2018 4:57 pm

Newegg trial: Crypto legend takes the stand, goes for knockout patent punch
Taking a bet on Whit Diffie, as the trial against "patent troll" TQP wraps up Monday.

SOURCE

Excerpt
There was one other big need: proving authenticity.
"The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate," he said. "That person can recognize the signature but could not have created the signature."
Phil Zimmerman describes in careful detail in his original PGP documentation how the Public Key Model is to work. The key is in understanding when a Public key is "valid".

a Public key is considered "valid" only when the holder is satisfied that the key actually belongs to the person who claims to offer it.

check in your browser; display certificates and CA Authorities. how may of these records are you sure of? this is the problem with PKI.
¡Viva la Resistencia!

User avatar
Portreve
Level 6
Level 6
Posts: 1002
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida
Contact:

Re: Thoughts on HTTPS

Post by Portreve » Thu Feb 15, 2018 3:56 pm

mike acker wrote:
Wed Feb 14, 2018 4:52 pm
thanks for the note; I always enjoy chatting with you.
Same to you, Mike.

I guess the point of my prior post that you quoted is to ask how I would be able to validate, and how I could know whether the validation data I was looking at was itself valid.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Thu Feb 15, 2018 8:14 pm

Portreve wrote:
Thu Feb 15, 2018 3:56 pm
mike acker wrote:
Wed Feb 14, 2018 4:52 pm
thanks for the note; I always enjoy chatting with you.
Same to you, Mike.

I guess the point of my prior post that you quoted is to ask how I would be able to validate, and how I could know whether the validation data I was looking at was itself valid.
While I am able to follow Zimmerman's process using GnuPG to my knowledge there is not currently any provision for signing x.509 certs. Instead the certs are simply published for you by your browser OEM. These are validated by a "Certificate Authority": (which it is presumed you consider to be VALID ( you are sure you know who they are) and TRUSTED ( to sign certificates for your use ). Pretty presumptuous, if you ask me,-- and not IAW Zimmerman's Docs.
mint-cert-auth.png
For the most part these will all be good and proper.

you can inspect the certificate:
mint-cert.png
having done that you can examine the fingerprints - identifying data on the cert, and given access to proper references you could verify it. I'm using F/Fox here --

but that's about as far as I can go with it. I could go to F/Fox CA tool and mark the CA untrusted -- or delete it -- but that would affect every cert. signed by that CA. I did try deleting a CA a while back -- but -- next time Mozilla broadcast their update -- everything came right back.

these are all excellent questions. it looks to me like there is too much opportunity for rogue certs to get into the system. I have reports indicating it's already happened: Diginotar and COMODO were both hacked earlier. I've been looking also for other commentary on this topic; perhaps I'll be able to put together a few excerpts and some URL reference n that topic in the next few days.
¡Viva la Resistencia!

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Fri Feb 23, 2018 8:32 am

Suggested Reading

One-stop counterfeit certificate shops for all your malware-signing needs

excerpt
"In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers," Thursday's report said. "The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months."
Source: Ars Technica / Dan Goodin - 2/22/2018, 8:00 AM
¡Viva la Resistencia!

User avatar
Lucap
Level 5
Level 5
Posts: 858
Joined: Tue May 24, 2016 1:40 am

Re: Thoughts on HTTPS

Post by Lucap » Thu Mar 01, 2018 6:18 am

https://www.theregister.co.uk/2018/03/0 ... ntec_spat/

23,000 HTTPS certs will be axed in next 24 hours after private keys leak.

mike acker
Level 6
Level 6
Posts: 1395
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Thoughts on HTTPS

Post by mike acker » Thu Mar 01, 2018 8:05 am

Lucap wrote:
Thu Mar 01, 2018 6:18 am
https://www.theregister.co.uk/2018/03/0 ... ntec_spat/

23,000 HTTPS certs will be axed in next 24 hours after private keys leak.
how does Charlie Brown put it ?
Good Grief
VM2B3479 Snake Oil.jpg
Please: Help yourself. The Drummer will take your money in the Saloon.

There are three main troubles:
1. anyone can get a x.509 cert.
2. users don't know what their proper certs look like: they have not validated any of those that they hold.
3. computer users are used to material being changed continuously; it's hard to know what things *should* look like when they are getting changed and updated all the time.

too, we have some hacking and also some sloppy handling, here and there.
¡Viva la Resistencia!

Post Reply

Return to “Open chat”