2005/02/15 04:07: Why SSL isn't much help.

Security Warning dialog

This is wrong for several reasons. It's the usual “unrecognized certificate” warning, this one is the variation for when the hostname and server cert name don't match. I chose this dialog simply because it's easy to trigger.

The biggest problem is with the word “trust”. It's asking you to accept only if you trust 206.168.112.32 and theinternetco.net. First off, the IP address has nothing to do with it. Since we've got a mismatch going, that IP could be being spoofed. You can't trust it, and yet it's asking you to considder it. Next, theinternetco.net — the problem here is more subtle: it's asking you a technical question, should I connect to this site? but advising you to make the decision on a non-technical basis, do so only if you trust the domain (and I'm extending in typical fashion here, that the domain really means the company who owns or operates it. The problem is that not only do you have to trust them to be honest, but you have to trust them to be competent. When microsoft.com's certificate was cracked (or was it stolen?), the warning above would have come up ... we've covered that the IP could be spoofed, and since the certificate isn't valid, we can't authenticate that, and it would have said microsoft.com right there. Any sane user, given the information that dialog box provides, would have connected. And they'd fall right into Joe Cracker's hands.

The solutions to this aren't easy. The reason it's not been solved is that it's not a technical problem. To know whether you should trust a connection to a server, you have to take into account three things: Is the company trustworthy? Are the admins competent? Is this who it says it is?

Is the company trustworthy? can't be answered technically: we only know through prior transactions and through word of mouth. This can be subverted with PR campaigns, too, and slander.

Are the admins competent? is nearly impossible to guage without a longstanding relationship. Some companies you may never know. In fact, it's easier to find a trustworthy small company than a large one on this basis.

Is this who it says it is? is subject to all sorts of attacks: A stolen certificate allows one to impersonate the server. Tricks with character sets can trick one into thinking that “Pаypal” is actually “Paypal” and similar. And if the certificate authority is broken into, You can't even meaningfully check the digital signature there either.

After I started writing it, I found a similar rant by Bruce Schneier.

Comments