Shostack + Friends Blog Archive

 

Build Irony In

[Image: buildsecurityin.jpg]

Secure operation of a site is hard. Really, I’m not looking to pick on CERT. They’re doing some very good work, and Build Security In [https://buildsecurityin.uscert.gov/portal/] is important. At the same time, this message is only appearing because SSL certificates are focused on identity, and that identity needs to be “rooted” at a certificate authority. That makes it expensive to deploy cryptographic keys, which should be cheap. (Ian Grigg has been experimenting with making his Financial Cryptography site SSL-enabled. There are all sorts of little road bumps, including the trackback protocol not recognizing https.)

I talked a bit about certificate authorities vs. persistence in “Meet The New Browser Security, Same as the Old Browser Security.”

3 comments on "Build Irony In"

  • Gunnar says:

    “Irony: Don’t let yourself be controlled by it, especially during uncreative moments. When you are fully creative, try to use it, as one more way to take hold of life. Used purely, it too is pure, and one needn’t be ashamed of it; but if you feel yourself becoming too familiar with it, if you are afraid of this growing familiarity, then turn to great and serious objects, in front of which it becomes small and helpless. Search into the depths of Things: there, irony never descends — and when you arrive at the edge of greatness, find out whether this way of perceiving the world arises from a necessity of your being. For under the influence of serious Things it will either fall away from you (if it is something accidental), or else (if it is really innate and belongs to you) it will grow strong, and become a serious tool and take its place among the instruments which you can form your art with.”
    -Rainer Maria Rilke “Letters to a Young Poet”

  • Frank Hecker says:

    First, note that the “invalid certificate” message when connecting to buildsecurityin.uscert.gov using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain buildsecurityin.us-cert.gov (note the dash) and thus doesn’t match the hostname you specified. So IMO at least this particular problem has less to do with the presumption that “identity needs to be ‘rooted’ at a certificate authority”; it’s more analogous to the SSH error you get when you connect to a host and the public key presented is different from what is cached at your end for that site.
    Second, regarding this notion that it’s “expensive to deploy cryptographic keys, which should be cheap”: Usable SSL/TLS server certificates are now available for as low as $15 to $30 per year, comparable to the cost of the corresponding domain name; see for example LiteSSL.com and the TurboSSL offering from GoDaddy.com. I think there are still significant barriers to SSL/TLS adoption, most notably the problem with supporting the use of virtual hosts sharing a single IP address, but I think cost per se is rapidly becoming a non-issue.

  • tom says:

    Hi Bets, you raise an interesting point, and one that I resonate with.
    One of the challenges in my mind, though, is how do you discover
    what is useful when the technology is just emerging or not even really
    apparent yet?
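
The distinction drawn in Frank Hecker's comment above, as an added example that is not part of the original post or its comments: a client's hostname check is separate from its chain-of-trust check, and a correctly issued certificate still fails when the name does not match. The function names are hypothetical, the matching follows the common RFC 6125 wildcard rules, and the `chain_trusted` flag is an assumed input standing in for real path validation.

```python
"""Report hostname mismatch and untrusted issuer as two separate findings."""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """True if a certificate dNSName (optionally '*' as leftmost label) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one leftmost label and needs at least
        # two labels after it, so "*.gov" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "b*.example.org" are treated as literals.
    return p == h

def classify(hostname, cert_dns_names, chain_trusted):
    """Return the list of validation problems, or ["ok"] when both checks pass."""
    problems = []
    if not chain_trusted:
        problems.append("untrusted-issuer")
    if not any(dns_name_matches(n, hostname) for n in cert_dns_names):
        problems.append("hostname-mismatch")
    return problems or ["ok"]

# Name taken from the comment: the certificate was issued with the dash.
CERT_NAMES = ["buildsecurityin.us-cert.gov"]

if __name__ == "__main__":
    # Chain assumed trusted, as the comment says the CA was not the problem.
    for host in ("buildsecurityin.uscert.gov", "buildsecurityin.us-cert.gov"):
        print(host, classify(host, CERT_NAMES, chain_trusted=True))
```
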
