[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

[Phillip Hallam-Baker]

On Fri, Nov 4, 2011 at 3:42 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:

>
> > What makes either of them able to provide an accurate figure?
>
> The same thing that would allow you to provide an accurate figure - a
> hypothesis, a methodology for collection of evidence, analysis of
> evidence and well - peer review of the results?
>

What peer review?

Conference talks are not peer review. Putting up a Web page is not peer
review.

The EFF methodology has been shown to be false so they should if they were
honest take down the claim and stop making it. Instead they repeat the
figure to the press as incontrovertible fact. That is not peer review it is
gross malpractice.



> They have served up the goods, they explained the way they came to their
> conclusions, they've given talks, they've showed the data, etc.
>

No, they have not.

Go look at the DFN root. They know those are 200 data points in their study
that are not what they say.

If you show the data and it is demonstrated that you can't support the
interpretation you have to withdraw the claim.

EFF is a political body not a peer review body. They are making a
tendentious political claim and they are making a claim that they cannot
support.




> Did I miss your version of that? I guess so. Could you show me?


I have demonstrated that the EFF figures are a fraud. They have admitted
that they can't justify the 200 figure.

Now you are claiming them to be peer reviewed.

Can't you see how this creates something of a credibility gap?


The EFF page links to two talks. It does not have a link to a peer reviewed
journal paper. Not that peer review is incontrovertible. And in any case
their self-published paper does not actually make the 650 CAs claim in the
unqualified form that they make on their Web site.





> >
> > In the case of the EFF study the methodology is flawed, they have been
> > advised of the issue, they accept that they cannot tell if an
> intermediate
> > cert is a public CA or not. Yet they keep making the claim.
> >
>
> How is the methodology flawed? This is news to me, I'd love to hear more
> about it? Who at the EFF has been advised of the issue? Is there just a
> thread that I'm missing here?


The 650 'organizations' claimed to be a CA are identified by intermediate
issuer certificates. That is a bollocks methodology as they admit in the
paper (but not the web site). Mere existence of an intermediate cert does
not tell you anything about the issue capability or who holds the keys.

Take a look at their graph. The largest node in the graph is DFN which is
the German higher education consortium. They have 200 certs all by
themselves.


None of those 200 organizations is a CA according to any accepted
definition. They are LRAs, Registration Authorities that act for a limited
scope. If DFN are doing their job correctly those organizations should not
have their own private keys and should not be issuing for anything other
than the domains that they have been vetted for.

This was pointed out six months ago but there has been no modification of
the claim.

At the very least they can no longer support the number they give. But they
still make the unqualified claim on their Web site.


And don't start with 'well its imperfect'. That 200 figure is a third of
their total and it is due to a single point in their graph. That pretty
much demolishes their methodology.

Worse, introducing intermediate certs for LRAs is an important risk
mitigation control that we want to see more of. Here we have a political
lobby group fixing on that figure and trying to play scary bogey monsters
with it. That is disgusting in my view.



> > The number of WebTrust audits of CAs would probably be the place to start
> > since anything that is acting as a public CA that is not being audited
> > should not be.
> >
>
> Is that public information that you can link to?


Not yet. There is a gap between some person demanding information and
publishing a tendentious claim and people working out how to get an
accurate number.

Not being able to produce an accurate claim does not give the EFF the right
to peddle a fraudulent one.

Yes I am rather pissed about this, can you tell?


> That was rather unclear as I am neither the EFF nor making that claim.


https://www.eff.org/observatory

"For the public, the slide decks from our DEFCON
18<https://www.eff.org/files/DefconSSLiverse.pdf>
 and 27C3 <https://www.eff.org/files/ccc2010.pdf> talks are available, and
you can also peruse our second map of the 650-odd organizations that
function as Certificate
Authorities<https://www.eff.org/files/colour_map_of_CAs.pdf> trusted
(directly or indirectly) by Mozilla or Microsoft."


> > I can't give a figure right now. But we should be able to get a figure
> once
> > the minimum criteria for DV issue are applied.
>
> If you can't give a figure, why do you dispute their figure? You don't
> have a figure but you're sure it's way off? Huh. Ok...


I have demonstrated that they have a flaw in their methodology. They accept
that they cannot make the inference that an intermediate cert maps to a CA.

If someone came up with a measure of the amount of gold in Fort Knox based
on remote viewing, my inability to produce an accurate figure would in no
way compromise my ability to criticize theirs.

> It should be somewhere between 30 and 50 entities performing the domain
> > validation part of the criteria after the dust settles.
> >
>
> How do you count sub-CAs under large educational institutions in Europe
> that are the subordinate of say, Comodo?


They are not CAs. They are Registration Authorities.

This is the terminology we have been using for 25 years now. The RAs do not
control keying material.



> > Then there is a much larger number of resellers some of which perform
> some
> > validation steps for OV validation but do not have keys and do not
> perform
> > the domain name checking.
> >
>
> If one of these signs a cert with 'CA = True' - what just happened?
>

They can't since they don't have a private key. They can ask a CA to issue
but not issue or sign themselves.

There might be a bug in the CA software that allows them greater access
than they should have and get the CA to issue such a cert. But that is a
different matter.



> Does that increase your number? I have a few of those from various
> research projects - will you discount them?
>
> >
> > It wasn't my idea to let all those roots into the browsers in the first
> > place. My idea for minimum standards for SSL cert issue was pretty much
> EV.
> >
>
> Huh. I think well beyond the browser here - are you limiting the CA
> count simply to the browser?


If you go beyond the CAs recognized as embedded roots then everyone with a
PGP key is a CA and the number is anything you like.

The EFF page says 'We have downloaded datasets of all of the
publicly-visible SSL certificates on the IPv4 Internet"

Which suggests it is limited to embedded SSL certs.


> > No, they both turn into matters of integrity when a half truth is
> > intentionally used to advance a political agenda. Gilmore has repeatedly
> > used the 650 figure as evidence in his attacks on the CA model. He does
> not
> > put in the caveats that the authors used in the paper, nor does the EFF
> in
> > their press releases.
> >
>
> You're quoted above as saying that you can't publish a number but you
> think their methodology for arriving at a number is flawed. It seems
> like the thing thing to do is to publish about the correct methodology
> and also publish some numbers derived from that methodology.
>

Sure. But until we can get an accurate figure the EFF must withdraw their
figure that they cannot support.

And they should give equal prominence to their retraction.

Again, I was not the party who claimed that an accurate figure could be
produced.


There is a very serious difference between an intentional backdoor and a
> methodology that you claim is flawed with some un-cited facts.


I have pointed out the issue on numerous occasions. I have taken it up with
members of the EFF board. This is hardly an obscure criticism. That you
have not heard about it before suggests you were not looking very hard.



> As far as the politics angle, you're a self professed benefactor and
> proponent of the CA model. Do you claim that you're free of a political
> agenda? That seems like an odd stone to throw...
>

Gilmore is hardly free of political bias here. He has published on the IETF
lists stating that his objective is to destroy the CA system.

The EFF is a political campaign body. So accusing others of having a
political agenda is rather odd.



> > Sorry, that is a dishonest way to conduct a debate.
>
> It is far more dishonest to try to argue from authority and to accuse
> rather than disprove. You do not assume good faith and well, huh, I
> wonder why that is?


Because I pointed out the issue months ago and the same claim is being
repeated without any of the caveats that the investigators accepted

You can't measure the number of CAs from the number of intermediate certs.
That is just a fact of the way PKI works. There may be other ways the
number can be measured but that is a completely different matter.

>> Citation please.
> >
> >
> > Personal conversation with US intelligence.`
>
> Which branch? Do you have a clearance? If so... is it TS-SCI? If so, did
> you just lose it? If not, who are you kidding?


The information is not classified or I would not have shared it. Some of us
do not have quite the same level of adversarial relationship with people in
that world as you do. Well not at present.

And BTW getting a clearance is easy. I would bet that if you applied for
one they would be falling over themselves to grant it. Once you get a
clearance they can control what you say. I can almost certainly gain access
to far more information from those people due to the fact that I can trade
it than they would ever let me have if I had a clearance.


First hit on the Google:

http://www.neowin.net/news/iranian-government-encourages-piracy

The Iranian Research Organization for Science and
Technology<http://www.neowin.net/news/iranian-government-encourages-piracy#>
(IROST),
an organization directly connected to the Iranian Government, is charged
with evaluating and advising policy makers on science and technology
issues. They are also host to a large FTP server full of pirated software.
Searching the FTP you will be able to find a wide range of applications all
legal to download and use if you are an Iranian citizen.

> Interestingly, I know for a fact that some people in Iran use Free
> Software whenever possible because of the sanctions that make purchasing
> Windows illegal. So is your rumor platform specific?


I don't bother much with determining the existence or the extent of an
attack. All plausible threats are realized if you wait a little while. Back
in the day we had people jumping up and down at spam conferences saying
that there was no proof that botnets were being used for distribution.

If the report is bogus, well thats great because we have maybe another six
months lead time to close it in.


> >
> > Why wouldn't they try to compromise the machines? Seems like an obvious
> > attack for them to do. If the US government tells me that Iran is
> following
> > a course of action that is obvious to me I tend to believe them unless
> > proven otherwise.
> >
>
> Compromise which machines? End user machines? Yeah, of course.


Seems like a rather more practical approach than compromising CAs and
diverting the whole net through a Blue Coat box.

I noticed that the Iranian propaganda campaign stopped rather suddenly when
I used the platform they gave me to warn people about the Warez
vulnerability.



> At ISS world in DC a few weeks ago, I heard an SS8 shill discuss their
> SSL interception gear. He said that people in the audience should a CA
> cert for use with their product. Huh, how would they... oh, right. I
> asked which one and he declined to answer because they didn't want a big
> story in the press. Huh, how about that.


It seems unlikely that any CA would issue that type of cert if they thought
it was likely to leak.

So what we need is a mechanism for detecting that type of cert. Which is
precisely what I just proposed in the WebSec working group.




> >
> > All these systems are turtles stacked on turtles. It is really easy to
> > design a system that works if you are allowed to insert a single magic
> > turtle that is absolutely trustworthy into the stack.
> >
> > And is it really easy to collapse someone else's stack by pointing out
> that
> > their turtle may not be trustworthy after all.
> >
> > If you want to go round pointing at other people's magic turtles and
> point
> > out that they are not so magic then they get to point out your magic
> > turtles.
> >
>
> There are no magic turtles in Tor or in open data sets or in published
> work about your magic turtle industry. Your analogy requires the use of
> magic turtles and thus, well, I'm sorry to say that your analogy is
> totally bogus.
>
> Imperfection does not mean that things are magic turtles.


Wasn't it Moxie who pointed out that the exit nodes from the Tor network
are a magic turtle?

And all software schemes rest on the 'code integrity' turtle.

It is a very hard problem.



> > DANE has a magic turtle called ICANN. In the case of Convergence the
> > description does not even begin to explain what the turtle is let alone
> why
> > it could be magic.
>
> DANE is compatible with the CA model and augments it with DNSSEC. DANE
> like Convergence is totally complementary to the CA model.
>

That is what you and I think. It is not what the remaining group working on
it believe.



> DANE and Convergence have potential problems. The trade-off is that they
> both realistically help alleviate the actual problems with the CA only
> model. None of these weaknesses are magic turtles. They're designs with
> strengths and weaknesses. The notion that we should trust a single
> entity and never verify things is a dead path for trust.


Agreed. That is why I have been pushing that model since last year.


-- 
Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/observatory/attachments/20111104/b4905ae4/attachment.html>