On Mon, June 20, 2016 13:16, Gordon Messmer wrote:
On 06/20/2016 07:47 AM, James B. Byrne wrote:
On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
I'm not interested in turning this in to a discussion on epistemology. This is based on the experience (the evidence) of some of the world's foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).
I would rather look to Bruce Schneier and Noam Chomsky for guidance before I would take security advice from organisations that have already shown to be compromised in the matters of their clients' security -- the EFF being the sole exception in the list provided. Or so I presently believe.
Really? Then why did you forward your reply a private message to a public mailing list if not to do exactly what you claim you wish to avoid?
Accidents happen. I didn't intentionally mail you off-list, and when I noticed that I had, seconds later, I re-sent the message to the list, expecting that you'd notice and understand that I intended to keep the conversation on the list.
Except that I get the list as a digest. Which means that your assumptions were wrong. Funny that think you not?
..which isn't relevant to the question of what you consider "evidence" of security practice implications.
Look, go to https://www.google.com/ right now and tell me what you see.
A snoop that self-signs its own certificates?
Do you suddenly distrust the internet's single largest domain? Do you think they implement poor security practices?
My distrust of Google developed over many years. There was nothing sudden about it. But it is deep now.
For someone who wants "evidence" you make a lot of unsupported assertions. You do see the irony, don't you?
I assert my opinions if that is what you are referring to. I do not claim them to be fact. I believe them to be true but I admit readily that I may be wrong. Indeed I most certainly must be wrong in some of them. My difficulty begin determining which ones.
However, I have formed my opinions on the basis of a long term exposure to security matters both pre and post Internet. And I have seen before the same thoughtless enthusiasms for things shiny and different in the security community. Things adopted and put into practice without even the most cursory of trials and evaluations for effectiveness and efficacy -- not to mention lawfulness on some occasions --. Sometimes I have had to deal with the consequences of those choices at the pointy end of the stick. Thus if I am to adopt a different point of view then I require something in the way of supporting measurable evidence to show that I am wrong and that others are right.
The difference is that I state this is my opinion and I do not claim it as a fact. Your statement claimed a factual basis. I was naturally curious to see what evidence supported your claim.
Citation required.
Allow me an example. To quote you: "The usual way a private key gets compromised is by theft or by tampering with its generation. Putting yourself on a hamster wheel of constant certificate generation and distribution simply increases the opportunities for key theft and tampering."
Now, when you asked "what possible benefit accrues from changing secured device keys on a frequent basis?" I pointed you to letsencrypt's documentation, which describes the benefits of 90-day certificates.
Having actual software in the possession of users rendered unusable by a policy decision implemented in the name of security is not beneficial. Referring to others self-justification of measures they have already implemented is not evidence. It is argument. Which has its place providing that one accepts the fundamental postulates of the positions being argued. These, in this case, require evidence. Assertions that these measures solve certain perceived flaws without addressing the costs of those measures is a one-side argument and not very convincing in my opinion.
Refusing to deal with that is simply ignoring the elephant in the room.
So, please describe how I am "claiming a factual basis" while you are not.
Automated security is BS. It has always been BS and it always will be BS. That is my OPINION. It may not be a fact for I lack empirical evidence to support it. However, it has long been my observation that when people place excessive trust in automation they are are eventually and inevitably betrayed by it. Often at enormous cost.
This is what I consider "enormous cost": https://en.wikipedia.org/wiki/Heartbleed#Certificate_renewal_and_revocation
After a major security bug which exposed private keys, hundreds of thousands of servers did not take the required action to secure their services, and the vast majority of those that took *some* action did it incorrectly and did not resolve the problem.
Had those sites been using letsencrypt and renewing automatically, the exposed keys would have been replaced within 90 days (typically 60 max, so 30 days on average). Instead, it is likely that the problem will remain a risk for "months, if not years, to come."
And that's empirical evidence, which you have yet to offer.
Again, you miss the point. I am not offering evidence of something that I am claiming as fact. I am seeking evidence in support of what someone else is claiming as fact. Evading the question may be a good rhetorical technique but it is hardly science. And your 'evidence' as presented above presupposes a number of unspoken assumptions. Some of which I fear would not stand scrutiny.
The consequences of Heartbleed are well known to me. I had to tear down and re-establish our entire PKI because of it. However, anecdotal references to specific cases where a particular practice might, and let us remember that HB was out in the wild being exploited for at least two years before being publicly revealed, just might have provided some protection in some cases does not prove anything. In the case cited I do not believe changing certificates on an hourly basis would have made much difference against an technically proficient attacker exploiting the weakness.
It is well to recall how HB came to be. A misguided attempt at an improvement in protocol exchange which amounted to not much more than gilding-the-lily and which since has been discarded without noticeable loss.
What prevents similarly motivated 'improvements' to an automated certificate authority from having equally damaging effects on the robustness of the the certificates that they provide? We trusted OpenSSL because it was open. How do you trust an organisation's internal practices once they have been automated? Does anyone here actually believe that once in production this automation is or will be adequately documented? Or that said documentation will be rigourously maintained up-to-date? Or that independent and competent audits will be regularly conducted without notice?
I take particular care with my PKI. I rebuild all the moduli for ssh on all of our servers for SSH. Because I trust no-one with my security. And that includes RedHat and any other external organisation, volunteer or commercial, open-source or proprietary. Automating your certificate replacement and entrusting it to an outside provider is begging to have some state actor or other financially powerful group subvert it.
Look at what the NSA pulled off with RSA. That was for just money. What about patriotism? What would a true believer do if asked by his state and they were in a position to act? Think of the security nightmare that would result from having the certificate production of an automated 90 day certificate authority tampered with and left undetected for even a modest amount of time, say 180 days.
At its core security is about risk analysis. And at the core of risk analysis is cost/benefit analysis. If the cost of a security measure exceeds the value of what is being secured then it makes no sense. I am seeking that cost-benefit analysis for short term certificates. And I have not seen anything in the way of objective evidence that supports the assertion that short-term certificates, or passwords for that matter, provide any measurable security benefit other than the feel-good sense that "at least its something".
For one thing, this position presupposes that the rest of your security is so bad that frequent key compromise is inevitable. For another is assumes that the cost to users having to constantly deal with change is negligible. I run a business. Let me assure you that the cost of change is never negligible.
This impediment however is strictly an artefact of signing code with short term certificates. I simply had to reset the date on my MB back to some future date when the certificate was valid and everything worked fine.
Apple's intermediate certs have a 10 year lifetime. If you consider that "short term" then I fear that nothing is suitable in your opinion.
Apple evidently did not use those certificates to sign their software in this case. So you point is irrelevant even if it may be true.
But hey, what is my time worth in comparison to the security those certificates provided? SECURITY that was trivially evaded in the end.
Fixing your clock is not "evading" security.
Setting a clock backwards in time by two years is 'fixing it'? A curious point of view in my opinion.
Exactly what mindless person or committee of bike-shedders decided that software should be distributed so that copies of it expire?
Expiration is a fundamental aspect of x509 certificates. Do you understand x509 at all?
Expiry is a fundamental part of many things including life itself. That does not imply that shorter is better.
Why sign software with an expiry date when you know that your recovery programme will fail to operate after it expires? Imagine that you are on a hospital operating table and the defibrillators fail to function because the certificate that signed the firmware has expired. And that the immediate the fix is to simply reset the computer clock in the defibrillator controller backwards in time. Which of course no-one in the OR knows. So, too bad. But, you were secure when you expired.
There is absolutely no sensible reason why the recovery software could not have simply warned me that the signature had expired and then asked me if I wished to proceed regardless. Having made the design decision that it would not do so then it was incumbent on the organisation responsible to allow people to override it. Instead they offer up some weasel-worded warning about "TAMPERING" and "CORRUPTION". Just what a person in the middle of system recovery is waiting to hear.
Most of what passes for informed opinion about security is folk remedy dressed up with techno-babble and pushed onto an audience mostly too embarrassed to admit that they do not understand what is being talked about. In my opinion of course.
However, decisions having real consequences are made on the basis of such ignorant acceptance of received wisdom. Therefore I think it important to challenge those that assert such things to produce convincing evidence that what they say is so.
I understand that you believe that short term certificates and passwords and such provide a measure of security. That very well may be the case. I am not trying to convince you otherwise. All I ask for is a reasonable explanation of how much these practices cost those that employ them, how much benefit they provide to those users and what further risks they introduce.
Security is a funny sort of thing being mostly based on our fear of the unknown; our too-active imaginations; and our attraction to the spectacular at the cost of dealing adequately with the mundane. At one time an automobile had to be preceded by a pedestrian waving a red flag. This too was done for the general security of all. We do not do it any more so there must have been a reason we stopped. I suggest that it was because the evidence did not support a positive cost/benefit analysis. But it sure sounded reasonable at the time to people that had little or no experience with automobiles.
YMMV.