[aklug] Re: reviewers needed

From: David J. Weller-Fahy <dave-lists-aklug@weller-fahy.com>
Date: Mon Mar 05 2012 - 17:30:05 AKST

* Christopher Howard <christopher.howard@frigidcode.com> [2012-02-29 20:48 -0500]:
> On 02/29/2012 04:01 PM, David J. Weller-Fahy wrote:
> > 1) In "Masking Origin" perhaps some talk of traffic analysis and why
> > proxy services which do not run on your machine would be ineffective
> > (i.e., anonymizer.com doesn't do the job, really).
>
> Thanks for the response! Regarding this point, can you clarify what
> you mean? Are you referring to someone doing traffic analysis of
> output from the proxy service (and comparing it with yours)?

Nope, I'm referring to free anonymization services which allow people to
connect to the anonymization service via the web, and (from the website)
connect to other websites - for example kproxy.com. Most common users
are probably not aware those types of services are not nearly as
"anonymous" as having something like Tor running on your system. Using
a service like that means any traffic from you to the anonymizing server
is effectively unprotected (especially given skilled MITM
implementations), and a note to that effect was what I was talking
about.

> I've never used anonymizer myself, of course, but it's basically a vpn
> into a proxy service, right?

Here I'm bitten by the number of years I've been online ;): They used to
provide a free service much like kproxy.com does today (connect to a
website, then surf using a proxy from that website). Disregard my use
of anonymizer as their (current) service is not what I meant to talk
about.

> > 2) In "Securing Content", perhaps a one to two sentence view on MITM
> > and why TLS has to go with not ignoring certificate errors! ;)
>
> Thanks, I'll give that some thought. To be honest, the situation out
> there with misconfigured certificates is so bad that I'm not quite
> sure what to say. Besides the self-signed certs (which includes some
> of my own Web sites) there are the folks with completely mismatched
> certs (from their hosting service or content-delivery), the servers
> with missing sub-domain certs, expired certs, "secure." certs,
> untrusted certs, and perhaps a few I'm forgetting to mention.

Indeed - I'm not sure there's anything *to* say which would actually
help people make better decisions. After all, to misquote and possibly
mis-paraphrase someone I heard somewhere: Usability is about people not
having to think, and security is about people having to think, so which
will win? Seriously, as I see it there are two major problems with the
current certificate structure and its interface with the user:

1. The errors presented to the user almost always require them to do
something counter-productive to do the smart thing (in other words, to
*not do* whatever they were trying to do, and instead do something else
they don't know how to do).

2. Even when the errors are presented in a manner the user can
understand, there is no easy method for them to accomplish the task
required to stay "safe", thus making it effectively impossible for The
implementation of certificates in web browsers fails one of the basic
principles of information protection: Make it easy (technically,
Psychological Acceptability) [1, check page 1283, left column, item h].
The whole paper at [1] is fascinating, especially reading it with the
"written in 1973" in mind.

[1]:
http://ix.cs.uoregon.edu/~butler/teaching/10F/cis607/papers/saltzer1975.pdf

> Sigh... we've almost completely failed to implement the vision the
> creators of SSL originally had in mind. It was never meant to be a
> special security protocol reserved for processing credit card
> transactions or making elite Web sites look "safe". It was supposed to
> be an added security layer underlying the whole Internet, giving
> everyone the benefit of encryption and authentication over untrusted
> networks.

I'm not familiar with the politics behind SSL's beginnings, do you have
any references for that? I'll do my own searching, but a kick-start
never hurts.

--
dave [ please don't CC me ]
Received on Mon Mar 5 17:30:15 2012