[WEB SECURITY] Improving Authentication on the Internet

Mitja Kolsek mitja.kolsek at acrossecurity.com
Fri May 13 05:37:54 EDT 2005


Paul, 

> I'm not disagreeing with your analysis, but wouldn't your 
> method invalidate the need for the local root cert?  If 
> you're going to trust Verisign to affirm the authenticity of 
> the local root cert, then you're back to the same place you 
> were before you created your own - trusting the existing root certs.
> 
> Aren't you?

True, but the issue of trusting the default root certs, while an issue
indeed, is in my opinion a bit less severe than installing a new
un-trustable root cert. I find the latter easier to spoof than the default
root certs (which requires tricking the user into installing a rogue
browser, providing also other simpler attack options once the user would run
attacker's code on his computer). Besides, installing new root certs is
something we don't want to become too common a practice: each of them can
issue server certificates for any web server, so to use the "weakest link"
concept here, we can only trust the SSL-provided server authentication as
much as we can trust the least trusted root cert in our store. While people
like us can manually check each server cert to see who issued it (but does
anyone, really?), most people won't.

I guess this maps nicely to Gervase's paper, only not in the area of
trusting server certs, but installing additional root certs: how secure is
the process of their installation, and what's the level of trust users
should put in them (and on what basis).

Mitja Kolsek

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/



More information about the websecurity mailing list