[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Tue Jan 14 09:34:34 CET 2014


I see we are dragging into a PKI discussion :)  There must be a law to
predict this...



On 14/01/14 11:09 AM, Tobias Dussa (SCC) wrote:
> Hi,
> 
> On Mon, Jan 13, 2014 at 03:26:00PM +0100, Alexander Wuerstlein wrote:
>> Physical security may be nice in general, but it's beside the point. All
>> your steel doors with two locks and stuff won't help if a) your software
>> is faulty (please show me the CA that has its root cert completely and
>> utterly offline, some HSM doesn't count)
> 
> That's easy: http://www.gridka.de/ca for starters.  And while I'm not entirely
> certain, I do believe that all EUGridPMA-accredited CAs have to be strictly
> offline.


So, IMHO, it turns out that the whole offline/online thing is not so
reliable.  You can't trust the audits and you can't trust the
pronouncements.  Nor can you actually trust the notion.  The CAs
regularly do one thing and say another.  They have their techniques for
dealing with the costs and conundrums and the audit.  They're not
published, just shared hand-to-hand.

This is just one area where the whole compliance thing is smoke & mirrors.


>> For everything else there are more trustworthy, systematically better
>> alternatives like ssh- and GPG-keys. Or private, organisation-wide CAs,
>> but with those there are still the generally weird problems with X.509
>> itself.
> 
> So in what world are GPG and SSH better concepts?


In the economic and effective world.  They provide security for quite
minimal cost.  SSH's real-world, measurable cost-effectiveness is very
high, and leaves SSL/certs looking like a joke.

GPG not so much, granted.  Its failure to integrate into user clients
(enigmail notwithstanding) has slowed its adoption in today's world.


> Yes, they do provide the user
> the theoretical possibility to do key verification in a more sensible way.  That
> doesn't mean that people actually do that.


That is exactly why SSH wins over SSL.  It provides the possibility for
verification, but it does not force it on users.  So the cost is optional.

In contrast, with SSL, the cost is imposed.  So it creates a drag on
economics.  And for what purpose?  Most of the benefit of crypto is
found without verification.

The numbers are stark -- we're talking like 99.99% of the benefit is
accrued if you don't verify, because nobody does MITMs.

(Until now :)


> In fact, at this point, I'd say that
> the vast majority of serious GPG users are somewhat concerned about their
> privacy, certainly more so than the average, and even THESE people don't always
> verify stuff properly.


You are confusing procedures with protection.  Measurable protection is
provided by SSH because it keeps servers secure.  The attacks on servers
through rsh and telnet before SSH were quite severe, now they are pretty
much eliminated, and have been since around 1998.  (OK, there are still
password attacks, but easily solved, and SSH should just turn off
password authentication and be done with it).

Meanwhile, you can talk procedures all you like, but at the end of the
day, you have to establish protection, to users, not procedures.  The
reason that SSH and GPG people do not follow the procedures so much is
that they don't need to -- they get the protection without the procedures.

(GPG less so because we can't measure the attacker.  But even then,
privacy protection is still a statistical game, and 99.99% protection is
worth getting, if it is free of money costs.)


> Some do, and I certainly almost always do decent GPG key
> verification (though there have been occasions when I was reasonably certain
> that a given GPG key was authentic and the information to be passed was not
> sufficiently important but time was critical, so I felt that was good enough for
> the occasion), but SSH host key verification?  C'mon, who are you trying to
> fool?  And I'm not even considering Joe R. Loser here as target audience, who
> probably neither sufficiently grasps the concept nor gives a shit.



Wrong.  SSH host key verification isn't typically done because the most
part of the protection is provided.

PKI on the other hand is a business that sells itself on the procedures:
verifications, audits, compliance, physical security, etc etc, long
list taken from documents.

It delivers long on procedures, but fails to deliver protection at a
cost-effective rate.

> For those
> people, SSH and GPG are simply worthless in terms of the security problems that
> are being laid at X.509's feet.


If you're talking about the different business spaces here, sure.  The
SSL world declines to provide cost-effective security.  Oh well.


> The fact is that in the real world, there are trade-offs to be made between
> valid security goals, usability, effort required (financial and otherwise), and
> user acceptance.


Right.  And the tradeoff of SSH is pretty nigh perfect.  You get most of
it for free.  If you're under MITM attack, then check the server
fingerprint too.


> In the end, fundamentalistic lines of reasoning are necessary
> to create awareness and keep an audience, but at the end of the day those
> simplistic views don't do anything to help improve security in practical terms,
> which is what this project is about.


The point stands:  how do you advise people to improve security with PKI
in practical terms?

At the end of the day, it is all and only about economics.  What gets
good enough security for the user at the lowest cost?



iang


