[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

ArkanoiD ark at eltex.net
Wed Sep 7 03:08:00 PDT 2011


On Wed, Sep 07, 2011 at 12:01:27PM +0200, Jacob Appelbaum wrote:
> >>
> >> We shouldn't damage the security of the internet to meet the needs of
> >> some corporate security culture nonsense. If cert pinning is easily
> >> disabled without user interaction it will be disabled by an attacker. 
> > 
> > Not necessary.
> 
> Break the site. If you want to be a MITM where it is hard coded, I
> expect browsers to hard fail. That's a fine trade-off from a security
> perspective from where I'm sitting as both a user and a network admin.

Not fine at all for me.

> 
> > 
> >> If you have special corporate needs, why don't you recompile the browser
> >> to remove the security features that protect users? I'm sure some
> >> corporation's overworked security team will do a better job!
> > 
> > Actually at the moment my MITM proxy enforces certificate security way better than browsers do.
> > 
> 
> Unless I pop a shell on your proxy, right? Is your proxy implementation
> public?

openfwtk.sf.net

> 
> >> I have requested cert pinning in Chrome because if the wrong certs are
> >> presented, I want it to fail closed. I want users to avoid being MITM'ed
> >> by attackers regardless of their intentions or corporate environmental
> >> needs.
> > 
> > Ah, then losing all network traffic control (it means just that: poke one hole and one is more than enough) is good for security. "Great".
> > 
> 
> I think you're already doomed. Do you suppose that you are able to
> detect all the covert channels in existence? Lots of covert channels
> work through such a proxy system. That's a laugh and a half to say the
> least.

Ah, then let's give up and open everything, set firewalls to pass all and so on. Great.




