Bugtraq mailing list archives

Re: "The End of SSL and SSH?"


From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Wed, 20 Dec 2000 14:42:59 -0500

Hey Kurt (et al)!

On Tue, Dec 19, 2000 at 11:33:56AM -0700, Kurt Seifried wrote:
> It is also incredibly difficult for users to ascertain whether the
> key is legit or not. I've had some people suggest that all the
> SSH keys be PGP signed and put on floppy and given to users (that one
> made me laugh). Most users will happily accept SSL certs that
> have expired, point to the wrong site or are self signed (all of which
> could be a man in the middle attack or a lazy admin). I used
> to religiously sign emails with PGP until I realized that no-one probably
> checked, how did I know this? I started modifying the
> email after signing so that it wouldn't verify, no-one ever complained.

        What you are describing is basically what Bruce Schneier has
been preaching for years when he says "If you think cryptography will
solve your problem, then you don't understand cryptography and you don't
understand your problem."

        The problems you are describing are flaws in human nature.  That's
a given.  Since your initial posting, I've been accumulating fingerprints
of all my ssh hosts to verify next time I connect to one of them first
time.  I don't ignore "host key changed" warnings either.  If I didn't
change it, I don't trust it; if I did change it, I know about it; if I
didn't expect it, I get to the bottom of it fast (it's usually just an
IP address change or a reinstall).  If I get a CA warning or an expired
cert warning or a DN mismatch warning, I pay attention to it and decide
for myself if it's really something that is significant enough for me to
worry about under those particular circumstances.

        But, I realize, I'm not the norm.  The norm is the idiot Exchange
administrator who gets an E-Mail message from me warning not to open
messages with a particular subject and then does so anyway and turns
explore.zip loose on the network he's supposed to be administrating
(a real event, unfortunately).

        Even though "everyone" should know not to touch untrusted active
content, we still have viruses running rampant.  Virus scanners aren't
solving the problem (only slowing it down to something manageable most
of the time).  Vendors aren't solving the problems.  Viruses are going
to be with us and so will E-Mail and (unfortunately) so will the
misapplication of E-Mail with active content.  We don't say that
E-Mail is doomed just because it helps propagate viruses and we can't
get the stupid lusers to leave them alone.

        It's a given.  You can NOT solve social problems by throwing
more technology at it.  Trying to solve the social problem of trust
(or ignoring trust) by applying cryptography is not a flaw in cryptography
or in the implementation (Well...  Ok...  It could be, but it doesn't
need to be.)  It's not understanding cryptography and it's not
understanding the true fundamental nature of the problem you are trying
to solve (which may not HAVE a solution).  SSH and SSL are just tools
and very good tools.  But even a very good screwdriver has a very
difficult time driving a nail, and the user who uses it that way gets
what they deserve.

        As far as your PGP signatures go, you overlook another fundamental
principle, however...  If I received one of those messages, I would probably
ignore the error after determining that it didn't matter to me.  If I
determined that the message was significant enough for me to worry about
the validity, then I would confirm it and probably contact you.  The fact
that you signed the message does NOT mean that everyone must consider that
message of such significance that they must confirm it and cry to the stars
when the validation fails.  It merely gives them the opportunity to make
that determination for themselves.  Not signing means they DON'T have
that choice.

        There are a couple of aspects to signing all E-Mail messages...
If you sign every message, you establish a baseline and a preponderance
of messages out there associating that key to you.  If someone else tries
the same thing in your name, the probability goes up that it will be
detected and word gets back to you.  If you only sign important messages,
that strength of association is lost (and may not be of consequence to you,
I can't judge your feelings on that point).  People COULD go back to past
messages of yours and verify them and verify that it's the same key.
If they trust that past message (for one reason or another) then there
is an implied trust carried forward (whether you feel that implied
trust is valid or not or how much).

        It also removes the significance of the signature as it relates to
the importance of the message.  If all you signed were those messages
which you thought were significant enough to require validation, that
would draw attention to those messages.  Is this a good thing or a bad
thing?  You call the shots for you.  You may care, I might not.  Someone
will, no doubt, point out that I rarely sign my messages.  Sometimes
my words don't agree with my actions either.

        Neither of those points has ANYTHING to do with anyone verifying
all of your messages or giving a flying flip if the validation fails.  If
it matters to them, they will and they will get back to you.  If it
doesn't, they won't and you won't hear a peep.  Doesn't mean that signing
the messages for those other two points is or is not valid.

> SSH and SSL are in my opinion poor implementations of security protocols,
> they also lack a lot of things such as repudiation/etc. To
> believe they are the best we can do makes me very sad. I suspect in 5
> years we'll talk about ssh/ssl like we talk about telnet right
> now.

        Ask Al Huger about a paper one of his boys (then) wrote a few years
back.  The paper basically "proved" how IDS systems would not work, could
not work, and would never be made to work, because there were too many ways
around them.

        While having a beer with Thomas at a USENIX security symposium, we
discussed his paper.  He wanted to know what we (Internet Security Systems)
were going to do about the fact that he had just destroyed our business.
He was flabbergasted that I replied "We'll deal with it".  He said "You
can't deal with it!  It's done!  It's busted!  It's gone!"  Well...  IDS
systems are still with us and still doing effective jobs when applied
correctly and ineffective jobs when not applied correctly.  The company
that Al and Thomas were at even announced their own IDS later.  :-)
AFAICT, Thomas' paper didn't even seem to slow up the growth of the market,
which is stronger than ever, years after the publication of his paper.
Does that mean that IDS systems are perfect?  Hell no.  Does it mean that
they can't be misapplied or misinterpreted?  Hell no.

        In five years we will (probably) still have SSH and SSL (or one of
their inheritors) and we will still have them applied correctly and
providing us with a useful service and we will still have them misapplied
and being incorrectly trusted by ignorant misguided people.  They don't
"solve" the social problems.  They are still useful and still perform valid
jobs.  It's not the end of the world for either of those two protocols.

        None of this is to say that we should eliminate virus scanning,
IDS systems, PGP signatures on E-Mail, SSH, SSL, or any other cryptography
just because they "fail" (in one person's view point) when misapplied,
misused, misinterpreted, or mistreated in the face of human nature.

        Life goes on.  They are still valid and effective tools when
applied correctly.  It's in how it's applied that's the problem, not
the tools themselves.

        My $0.02


        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
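The host-key discipline Mike describes above (record every host's fingerprint, verify it on first contact, and treat a "host key changed" warning as a stop-and-investigate event rather than noise) is the trust-on-first-use policy that SSH clients apply through known_hosts. The following is an added example, not code from the original post or from any SSH implementation: it computes the OpenSSH-style SHA256 fingerprint of a public key blob, loads a constructed pin list in a known_hosts-like "host keytype base64blob" form, and returns one of three verdicts for a key a host presents. The host names, the key bytes and the pin file are all constructed for illustration and are not real keys.

```python
"""Host-key fingerprint pinning with trust-on-first-use semantics (added example)."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the raw key blob, '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse 'host keytype base64blob' lines into {host: (keytype, fingerprint)}.

    Blank lines and '#' comments are skipped; any trailing comment field is ignored.
    """
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        pinned[host] = (keytype, fingerprint_sha256(base64.b64decode(b64)))
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, key_blob: bytes) -> str:
    """Decide what to do with the key a host just presented.

    NEW     - never seen this host: verify the fingerprint out of band, then pin it.
    MATCH   - same key type and fingerprint as pinned: connect.
    CHANGED - host is known but the key differs: refuse and find out why
              (reinstall, address reuse, or someone in the middle) before trusting it.
    """
    presented = (keytype, fingerprint_sha256(key_blob))
    if host not in pinned:
        return "NEW"
    return "MATCH" if pinned[host] == presented else "CHANGED"


# Constructed key material: NOT real keys, just fixed bytes laid out like an
# ed25519 public key blob (string "ssh-ed25519", then a 32-byte string).
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))

# Constructed pin file in known_hosts-like form; only host-a is pinned.
PINNED_TEXT = (
    "# host keytype base64blob comment\n"
    "host-a.example ssh-ed25519 " + base64.b64encode(KEY_A).decode("ascii") + " pinned-2000-12\n"
)
PINNED = parse_known_hosts(PINNED_TEXT)


def demo() -> dict:
    """Run the three situations the policy distinguishes and return the verdicts."""
    return {
        "known host, same key": check_host_key(PINNED, "host-a.example", "ssh-ed25519", KEY_A),
        "known host, different key": check_host_key(PINNED, "host-a.example", "ssh-ed25519", KEY_B),
        "known host, same bytes but different type": check_host_key(PINNED, "host-a.example", "ssh-rsa", KEY_A),
        "never-seen host": check_host_key(PINNED, "host-b.example", "ssh-ed25519", KEY_B),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The verdict is deliberately a three-way result rather than a boolean: "NEW" is the one moment where an out-of-band check (a fingerprint read from the console, or from a list gathered beforehand as Mike describes) actually buys security, and "CHANGED" is the case that must never be auto-accepted. Keying the pin on the host name alone means a host that switches key type still reports CHANGED, which is the conservative choice for a pin list maintained by hand.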

