Full Disclosure mailing list archives
RE: CERT, Full Disclosure, and Security By Obscurity
From: "Jason Coombs" <jasonc () science org>
Date: Thu, 30 Jan 2003 05:44:15 -1000
Aloha Len, I'm very glad to see your comments articulating CERT's deevolution into a pay-for-access zero-day private news wire. When CERT failed to publish an advisory for the Windows certificate chain validation flaw in August, 2002 that enabled holders of SSL certificates to issue arbitrary end entity certificates that Windows/IE would trust automatically (thus destroying all alleged server identity authentication value derived through certificate chains and trust in third-party PKI) it became pretty obvious that CERT had become worse than useless. Unfortunately, CERT still holds the information security pole position in the minds of reporters around the world. Call major newspapers and other media outlets in the U.S. about vulnerabilities, exploits, or incidents and often times the technical news desk will ask "What does CERT have to say about this?" When CERT has nothing to say, reporters won't run stories. The media simply do not understand that CERT has self-interests that compel it to suppress vulnerability information. Rather than educate the public to the reality that SSL certificate chains are meaningless for server authentication purposes and lobby vendors to rewrite SSL client code so that end-users can focus more on manual verification of specific public keys known to be associated with the entities with which they exchange sensitive information, CERT sat on their hands. This MUST be as a result of financial dealings with vendors of PKI software and certificates, which have become big business in spite of the fact that certificate chains are being abused by programmers who do not understand their proper use as a means of enabling human users to authenticate the trustworthiness of particular public keys known to be associated with particular entities. The only proper use of automated PKI certificate chain verification is for verification of self-issued certificates rooted at an organization's own root CA. 
Programmers should never have coded systems that automatically verify certificate chains based on third-party root CA certificates. This is an extremely bad misuse of PKI, and CERT could have and should have stepped forward to help put a stop to the practice of misplacing third-party automated trust when evidence surfaced that the worst-case scenario was in fact playing out in the real world. Sun Microsystems' Java Secure Sockets Extension (JSSE) was reported recently to be vulnerable to a similar PKI certificate chain validation flaw. Do we see an alert from CERT? Of course not. Do we see media attention to the subject? No. This is no coincidence -- if CERT does not speak, then neither does the media. This makes CERT a harmful organization. It should be dismantled.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Len Rose
Sent: Thursday, January 30, 2003 4:22 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] CERT, Full Disclosure, and Security By Obscurity

I'm not usually allowed to have an opinion since I moderate the list (in whatever sense that may mean for an unmoderated list); however, I would like to say something about CERT and revisit why we created this list. This list was created because we saw an ever-increasing trend to hide, delay, distort, and totally bury security information for commercial gains, or to protect certain privileged entities (government, or paying customers) from security issues. As more and more security researchers make the crossover from research into commercial security provider, the trend increases as their customers exert some pressure on them to stop releasing such dangerous information, or as they see a commercial advantage to only making the information available to those who will pay.

Without condemning them at all, I have to point out that this often has an effect of leaving the rest of the internet community in the dark, often at the mercy of those who are privy to information that the average security person, or systems team, can't possibly know without lists like Full Disclosure. The recent evidence that CERT informed its paying members about the Sapphire SQL worm before the rest of the world should now indicate that they too are not a useful resource for timely and open security information. As such, CERT has joined the list of special interest security entities for whom there are other agendas that take precedence over the interests of the internet community as a whole. Perhaps a new cooperative effort should take the place of CERT if it can avoid being prohibited from full disclosure by having its funding tied to keeping private and government interests informed at the expense of keeping the internet community informed of all security threats. In the knee-jerk reactions to the events on September 11, the Pax Americana campaigns around the globe, and now the recent march to Security By Obscurity, lists like Full Disclosure, and the security information it hopes to provide, may well become illegal (at least here in the US).

To summarize my opinion, I feel that security information must simply be made available to as many people as possible as quickly as possible, and let corporations, systems staff, and security professionals handle the problems. "The public has a right to know.." and any comparisons to disclosing national security technology to the full disclosure of software and network security problems should be totally ignored as they simply don't apply. (Gee, I never thought there would be such a thing as the Ivory Tower Security Establishment, but look, Ma.. they've all grown up..)

Len

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
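As an added illustration of the chain-validation flaw Jason describes (this is constructed example code, not part of either message and not the Windows or JSSE code): a toy chain validator that, when it skips the basicConstraints check, accepts a certificate signed by an ordinary end-entity certificate as if it came from a CA, and rejects it once the check is in place. The "signature" is a labelled hash stand-in; the names, keys and certificates are all constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str            # toy stand-in for the certificate's public key
    is_ca: bool         # the basicConstraints CA flag
    signature: str = ""


def toy_sign(issuer_key: str, cert: Cert) -> str:
    """Stand-in for a real signature: a hash bound to the issuer's key and the
    signed fields. Real signature verification is not the point of this example."""
    data = f"{issuer_key}|{cert.subject}|{cert.issuer}|{cert.key}|{cert.is_ca}"
    return hashlib.sha256(data.encode()).hexdigest()


def issue(issuer: Cert, subject: str, key: str, is_ca: bool) -> Cert:
    """Create a certificate for `subject` signed with the issuer's (toy) key."""
    unsigned = Cert(subject, issuer.subject, key, is_ca)
    return Cert(subject, issuer.subject, key, is_ca, toy_sign(issuer.key, unsigned))


def validate_chain(chain, roots, check_basic_constraints: bool) -> bool:
    """chain[0] is the leaf; each cert must be signed by the next one, and the
    last must be signed by a trusted root. With check_basic_constraints=False
    this reproduces the flawed behaviour: any signer is accepted as an issuer."""
    for i, cert in enumerate(chain):
        if cert.issuer in roots:
            issuer = roots[cert.issuer]
        elif i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            issuer = chain[i + 1]
        else:
            return False                      # chain does not link up
        unsigned = Cert(cert.subject, cert.issuer, cert.key, cert.is_ca)
        if cert.signature != toy_sign(issuer.key, unsigned):
            return False                      # signature does not verify
        if check_basic_constraints and not issuer.is_ca:
            return False                      # issuer is an end-entity cert, not a CA
        if cert.issuer in roots:
            return True                       # reached a trust anchor
    return False


# Constructed sample PKI (not real certificates or keys)
ROOT = Cert("Root CA", "Root CA", "root-key", True)
ROOTS = {ROOT.subject: ROOT}
SHOP = issue(ROOT, "shop.example", "shop-key", False)       # ordinary server cert
ROGUE = issue(SHOP, "bank.example", "rogue-key", False)     # signed with shop's key
```

Without the basicConstraints check the chain [ROGUE, SHOP] validates to the trusted root, which is exactly the situation the message describes; with the check it fails because SHOP is not a CA.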
Current thread:
- CERT, Full Disclosure, and Security By Obscurity Len Rose (Jan 30)
- RE: CERT, Full Disclosure, and Security By Obscurity Jason Coombs (Jan 30)
- RE: CERT, Full Disclosure, and Security By Obscurity Grant Bayley (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Darren Reed (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Grant Bayley (Jan 30)
- RE: CERT, Full Disclosure, and Security By Obscurity Grant Bayley (Jan 30)
- RE: CERT, Full Disclosure, and Security By Obscurity Jason Coombs (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Ben Laurie (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Georgi Guninski (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Blue Boar (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity KF (Jan 30)
- Re: CERT, Full Disclosure, and Security By Obscurity Georgi Guninski (Jan 31)
- Re: CERT, Full Disclosure, and Security By O hellNbak (Jan 31)
- Re: CERT, Full Disclosure, and Security By Obscurity Georgi Guninski (Jan 30)