[WEB SECURITY] Improving Authentication on the Internet

Nick Owen nowen at wikidsystems.com
Fri May 20 12:52:55 EDT 2005


Mitja Kolsek wrote:
> Paul, 
> 
> 
>>I'm not disagreeing with your analysis, but wouldn't your 
>>method invalidate the need for the local root cert?  If 
>>you're going to trust Verisign to affirm the authenticity of 
>>the local root cert, then you're back to the same place you 
>>were before you created your own - trusting the existing root certs.
>>
>>Aren't you?
> 
> 
> True, but the issue of trusting the default root certs, while an issue
> indeed, is in my opinion a bit less severe than installing a new
> un-trustable root cert. I find the latter easier to spoof than the default
> root certs (which requires tricking the user into installing a rogue
> browser, providing also other simpler attack options once the user would run
> attacker's code on his computer). Besides, installing new root certs is
> something we don't want to become too common a practice: each of them can
> issue server certificates for any web server, so to use the "weakest link"
> concept here, we can only trust the SSL-provided server authentication as
> much as we can trust the least trusted root cert in our store. While people
> like us can manually check each server cert to see who issued it (but does
> anyone, really?), most people won't.
> 
> I guess this maps nicely to Gervase's paper, only not in the area of
> trusting server certs, but installing additional root certs: how secure is
> the process of their installation, and what's the level of trust users
> should put in them (and on what basis).
> 

I was recently pointed to this Firefox plug-in while discussing the need
for CAs on another list.  We were discussing trust models that don't
require a root CA to validate the identity of the company running the
web server, but that are still cryptographically secure.

http://petname.mozdev.org/

The toolbar allows you to enter a 'petname' for the SSL-certified site.
If the cert changes, the petname changes to 'untrusted' - the default
for any unknown cert.

-- 

Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
http://www.wikidsystems.com/WiKIDBlog
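The two sentences above describe the whole trust model: a name is bound to the exact certificate the user saw, no CA is consulted, and any other certificate for that site shows as 'untrusted'. The following is an added illustration in Python, not the petname toolbar's own code and not part of the original post. The hostnames, the petname "My Bank" and the byte strings standing in for DER certificates are constructed; in a real client the DER bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).

```python
"""Petname-style certificate pinning (added example; not the toolbar's code)."""
import hashlib
from typing import Dict, Tuple

UNTRUSTED = "untrusted"   # default shown for any cert the user has not named


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as a hex string.

    In a live client the DER bytes come from
    ssl.SSLSocket.getpeercert(binary_form=True); here they are constructed.
    """
    return hashlib.sha256(der_cert).hexdigest()


class PetnameStore:
    """Maps (hostname, certificate fingerprint) to a user-chosen petname.

    No CA is consulted: the name is bound to the exact certificate the user
    saw when they assigned it. A different certificate for the same host,
    whoever issued it, is simply unknown and therefore 'untrusted'.
    """

    def __init__(self) -> None:
        self._names: Dict[Tuple[str, str], str] = {}

    def assign(self, hostname: str, der_cert: bytes, petname: str) -> None:
        name = petname.strip()
        if not name or name.lower() == UNTRUSTED:
            raise ValueError("petname must be non-empty and must not be the reserved 'untrusted'")
        self._names[(hostname.lower(), fingerprint(der_cert))] = name

    def lookup(self, hostname: str, der_cert: bytes) -> str:
        """The name the toolbar would display for this host and certificate."""
        return self._names.get((hostname.lower(), fingerprint(der_cert)), UNTRUSTED)

    def cert_changed(self, hostname: str, der_cert: bytes) -> bool:
        """True when this host has a petname, but under a different certificate.

        That is what a rogue-CA-issued or man-in-the-middle certificate
        produces. A first visit to a host nobody has named is 'untrusted'
        too, but it is not a change and should not be presented as one.
        """
        host, fp = hostname.lower(), fingerprint(der_cert)
        if (host, fp) in self._names:
            return False
        return any(h == host for (h, _) in self._names)

    def forget(self, hostname: str) -> int:
        """Drop every petname for a host; returns how many were removed."""
        host = hostname.lower()
        stale = [k for k in self._names if k[0] == host]
        for k in stale:
            del self._names[k]
        return len(stale)


# Constructed stand-ins for DER certificates (not real X.509); only the
# bytes matter to the store, so any two distinct byte strings will do.
BANK_CERT = b"\x30\x82\x01\x00constructed-cert:bank.example:2005"
BANK_CERT_REISSUED = b"\x30\x82\x01\x00constructed-cert:bank.example:other-issuer"


def demo() -> dict:
    """Walk through the toolbar's behaviour and return what the user would see."""
    store = PetnameStore()
    seen = {}
    seen["first_visit"] = store.lookup("bank.example", BANK_CERT)
    store.assign("bank.example", BANK_CERT, "My Bank")
    seen["named"] = store.lookup("bank.example", BANK_CERT)
    # Same host, different certificate: the petname falls back to the default
    # regardless of which root CA signed the new certificate.
    seen["after_cert_change"] = store.lookup("bank.example", BANK_CERT_REISSUED)
    seen["change_flagged"] = store.cert_changed("bank.example", BANK_CERT_REISSUED)
    seen["unknown_host_flagged"] = store.cert_changed("shop.example", BANK_CERT)
    return seen


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The store deliberately keys on the certificate fingerprint rather than on the issuer, which is exactly why adding an extra root cert to the browser (the concern raised in the quoted reply) does not change what the toolbar shows: a certificate for bank.example issued by a newly installed root is just another unknown certificate.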

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/