[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Ralph Holz holz at net.in.tum.de
Sat Nov 12 06:09:49 PST 2011


Hi,

Hm, I think academia is already involved in this, to some degree (*),
although it likely won't dig much deeper. For one thing, there's our own
analysis that ran over 1.5 years, presented at IMC 2011. Then, Hubaux's
group at EPFL has presented a shorter, but similar analysis at WEIS
2011. EFF+iSec and Ivan Ristic have both given talks at hacker
conferences, and their data sets are available. So are ours. We also
used EFF data and found the numbers well in line with our other data
sets. There are 1 or 2 other works with different foci (e.g. the one
about the Debian weak keys deployment, IMC 2009).

And, yes, the problem is there. Is it going to stay? Our view on it is
that the "certification structure" is the main problem, i.e. bad and
very bad PKI deployment plus a failed concept of overly large root
stores in clients. The attack vectors are quite clear and have been
discussed quite often. I don't think it's a problem that industry will
solve on their own - the monetary incentives are actually quite the
opposite of what you'd want (Oh dear, that might be another thread now).
Plus, the threat model is quite unclear - is this PKI supposed to
protect against Mallory trying to get CC numbers over the WLAN or is it
against a state spying on her citizens' Gmail communication?

(*) One issue for academia in continuing with this is funding by state
or industry. We were actually very lucky we could receive some funding
through an EU program, and even then that was very late in the research
and paid us less than 2 full-time months. You see, all these PKI
problems are well-known, and no-one has come up with sensible solutions
in the past decades. I currently know of no funding programs that would
focus on analysis and improvement of PKIs. All the money in security
seems to be with malware, botnets, firewalls, network resilience and,
recently, privacy and possibly censorship (all important, of course).

Ralph

On 11/11/2011 06:04 PM, Ben Wilson wrote:
> Maybe "the Cause" needs to be taken up in academia, if it isn't already.
> There are serious problems with the ecosystem and empirical studies and
> models for the security infrastructure need further architecting.  For
> instance, the EFF's Observatory, Phillip's criticism of the CA data, and the
> demands from academia and local, regional and national governments for
> publicly trusted roots lead me to think that "the problem" - if it is one -
> is only going to grow.  I think more studies need to be done.


-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
