[WEB SECURITY] Improving Authentication on the Internet

Matt Fisher mfisher at spidynamics.com
Thu May 12 13:14:44 EDT 2005


> I'm interested in knowing if others on this list have similar 
> experiences in their local environments

I mentioned this exact problem at a conference recently.  There's one certain environment I spend a lot of time in that does this exact same thing ... makes their own certs instead of buying (probably a good move) but then never puts them on their own end-user machines ... and the users are prompted for an unrecognized cert every time ... conditioned to click "yes" ... They're basically being trained to accept a MITM attack.

I'm willing to bet that this exact scenario occurs in a lot more environments than one would at first suspect.


> -----Original Message-----
> From: Mitja Kolsek [mailto:mitja.kolsek at acrossecurity.com] 
> Sent: Thursday, May 12, 2005 5:22 AM
> To: 'Gervase Markham'
> Cc: websecurity at webappsec.org; 'Stanka Šalamun'
> Subject: RE: [WEB SECURITY] Improving Authentication on the Internet
> 
> Gervase,
> 
> A very interesting paper, well done. What it reminded me of 
> is a peculiar practice some of our local organizations are 
> implementing, including our
> government: They don't use the default trusted CAs we all 
> have in our browsers, but rather use their own for issuing 
> their own servers' certs. So if you want to visit their sites 
> via HTTPS, you are asked to first install their root cert in 
> your browser's trusted root cert store. Now, the
> peculiarity: you download this root cert via an HTTP 
> connection and you have no way of verifying its authenticity. 
> Mind you, some root cert download sites do provide the cert 
> details in cleartext as well, so you can compare one 
> untrusted piece of data with another untrusted piece of data :-)
> 
> I'm interested in knowing if others on this list have similar 
> experiences in their local environments. The way I see it, if 
> someone "forces" you to install a new trusted root cert, we 
> need a process for verifying its authenticity. One way would 
> be to use transitivity and provide download of newcert.cer 
> via an HTTPS connection authenticating the site owner with an 
> already trusted root cert like Verisign or Thawte. Another 
> would be for the officials to provide - written and in person 
> - the newcert.cer's fingerprint to users at the time of 
> users' enrollment, along with instructions for newcert's 
> validation upon download. Any other ideas?
> 
> Mitja
> 
> > -----Original Message-----
> > From: Gervase Markham [mailto:gerv at gerv.net]
> > Sent: 11. maj 2005 20:07
> > To: websecurity at webappsec.org
> > Subject: [WEB SECURITY] Improving Authentication on the Internet
> > 
> > On the 17th of this month, at the invitation of Comodo, the major CAs
> > and browser vendors (including mozilla.org) are having a meeting in
> > New York to discuss some of the issues surrounding the future of SSL
> > and trust on the Internet.
> > 
> > As a way of working out my thinking on this, I've written a paper 
> > called "Improving Authentication On The Internet":
> > 
> > http://www.gerv.net/security/improving-authentication/
> > 
> > It starts with the basics, mostly as a way to confirm that my
> > understanding of the current situation is correct. All comments, both
> > correcting my facts and giving alternative views, are very welcome.
> > 
> > Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
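The fingerprint check Mitja proposes above (the root cert's fingerprint is handed to the user in person, and the user validates the downloaded newcert.cer against it) as an added worked example in Python. This is not code from the original thread or from any of the posters; the certificate bytes are a constructed stand-in for a real DER-encoded X.509 certificate, and every function name is this example's own. It also rejects a truncated download up front, since a cert fetched over plain HTTP is just untrusted bytes until the out-of-band value confirms it.

```python
"""Verify a root certificate downloaded over HTTP against a fingerprint
obtained out of band (in person, on paper). Added example; the sample
DER below is constructed and is not a real certificate."""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Unwrap PEM to DER and check the outer ASN.1 SEQUENCE length, so a
    truncated or padded download is rejected before it is fingerprinted."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        body_len, hdr = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        body_len, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + body_len != len(der):
        raise ValueError(
            "DER declares %d bytes but %d were read" % (hdr + body_len, len(der))
        )
    return der


def is_well_formed(pem: str) -> bool:
    """Convenience wrapper: True if pem_to_der() accepts the download."""
    try:
        pem_to_der(pem)
        return True
    except ValueError:
        return False


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case digest of the DER bytes, the same form a
    browser shows as the certificate fingerprint/thumbprint."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept the fingerprint however a person wrote it down (spaces,
    colons, lower case) and reduce it to bare upper-case hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify_root_cert(pem: str, expected_fp: str, algo: str = "sha256") -> bool:
    """True only if the downloaded cert hashes to the fingerprint obtained
    out of band. The expected value must come from a channel other than
    the download page, otherwise this compares untrusted data with
    untrusted data. Constant-time compare to avoid timing leaks."""
    try:
        actual = normalize(fingerprint(pem_to_der(pem), algo))
    except ValueError:
        return False
    expected = normalize(expected_fp)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: a typo, or the wrong hash algorithm
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed stand-in: a minimal DER SEQUENCE of two INTEGERs, not X.509.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
TRUNCATED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER[:-1]).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print("SHA-256 fingerprint to hand out on paper:", fp)
    # What the user types in from the paper, sloppy formatting and all:
    print("match:   ", verify_root_cert(SAMPLE_PEM, fp.lower().replace(":", " ")))
    print("mismatch:", verify_root_cert(SAMPLE_PEM, ":".join(["FF"] * 32)))
    print("truncated download accepted:", is_well_formed(TRUNCATED_PEM))
```

The length check on the expected value matters in practice: normalize() silently drops anything that is not a hex digit, so a mistyped character would otherwise turn into a shorter string that could never match but also never explain why. The algorithm parameter lets the same routine serve the SHA-1 fingerprints browsers displayed in 2005 and the SHA-256 ones shown today.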


