http://www.nluug.nl/events/vj05/index.html May 26, Ede, The Netherlands. The main topic of this conference is e-mail. A CAcert booth will be on the Exposition floor. Bring along your ID if you would like to be assured.
Usergroup – Central Ohio LUG Meeting
The Central Ohio Linux User Group meets monthly at various locations in the Columbus area, and has met monthly since July 1995. Meetings are open to anyone interested in Linux. There are no dues or fees.
Current Venue: OCSEA 390 Worthington Rd. Westerville, OH 43082
PGP Ruled as Relevant For Criminal Case
This has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer (in fact, most computers these days come with cryptographic programs pre-installed). A man found guilty on child pornography related charges was also found to have PGP software on his system, and a court ruled that this was admissible as intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and then they find any cryptography software installed on your computer.
It’s also worth mentioning that the article points out that the police didn’t claim to actually find anything relevant to their case that was encrypted.
What this amounts to is walking into a shopping centre with a bag, and the police concluding that you had a bag so you were intending to steal something, without actually finding any evidence of you stealing in the bag.
Conundrum
One FUD issue some people keep regurgitating to keep us from being included in browsers is the worry about us issuing certificates for the likes of paypal.com. Most people pushing this line tend to neglect to mention that issuing a certificate on its own is mostly useless unless you can attack the hosts file on a user’s computer or the DNS system, in which case there are bigger problems than falsely issued SSL certificates, especially since most phishing attacks (which is the assumption likely to abuse this) don’t even resort to using SSL.
Currently we require people to have code signing access before issuing IDN/punycode domain/email certificates, and it has been suggested that we have a similar requirement for anyone requesting certificates for high profile sites.
One way to determine popularity is by sites like alexa.com which give out rankings.
I guess the question is how popular must a site be if we want to enforce this, and over what time period?
Another concern is with large organisations, as a lot of departments inside these organisations run their own sub-domain and the TLD is usually handled by the main IT department. This could be cause for concern if someone registers the TLD and starts getting certificates for either the entire organisation or for sub-domains they shouldn’t be allowed to control. This is usually controlled by an organisation’s IT policy, but it can also lead to someone intercepting traffic by setting up a reverse proxy, and there are questions hanging over this as it will potentially affect legit users one way or another.
Become an Assurer – Zurich/Switzerland
We are meeting tomorrow (24. May 2005) at Train Station Zurich-Enge at 12:30 for assuring. Three 35 point assurers will be at the place. Look for a bunch of people exchanging a lot of papers 😉
Over a million bank records stolen
What has to be the biggest black eye for the US banking industry in recent times had nothing to do with phishing attempts, it didn’t have anything to do with intercepting and brute forcing SSL packets, and it didn’t have to do with any root keys escaping into the wild.
What it does have to do with is a shady person talking high-level bank employees into stealing the details of the bank’s customers, and going on to hassle people based on false collection claims, not to mention potential identity theft attacks as well.
Conference – Linuxwochen 2005
http://www.linuxwochen.at/ May 23-27, Vienna, Austria. CAcert assurers will be there for you at Austria’s biggest Linux event.
Browser exploit v SSL root key in the wild
Many people have cited our perceived ability to protect our root certificate as the reason for excluding us, and in fact most consider it worse than a critical browser exploit. The more I think about this, the more I’m convinced this is just wrong, so I went to the trouble of trying to break the situation down logically, and here’s my risk analysis of the situation:
A browser exploit can affect all users of a particular browser (Mozilla says 50 million, so I’ll run with estimates based on that).
Browser exploits are pretty clear cut to calculate and would have the potential base of 50 million users to exploit.
For a bad certificate, on the other hand, the numbers aren’t so clear, and you have to do some educated guessing as to what the risk would be closer to.
Without any more specific details of regional breakdowns, I’ll have to assume that the 50 million users are evenly distributed, more or less, over eastern and western Europe, North America, some parts of Central and Latin America and the Asia Pacific regions.
We also have to assume that most banks are either very geographically specific, or at most have a website on a per country basis and they operate different sites in different countries.
To exploit DNS effectively you either have to control a root name server or be able to exploit individual name servers of ISPs in a concurrent fashion. The banking industry and large merchants already pay large sums of money to be notified of DNS based attacks, so the risk here is going to be mitigated somewhat compared to normal merchant sites. If we’re talking about normal merchants, the threat is considerably lower due to the lack of continuous contact that people would have, compared with their banks, and of course the need to replicate the entire shopping cart, since you need to make a product selection before purchasing.
Ok, so if we evenly distribute the number of Firefox copies over 6 areas and assume a penetration rate about equal, we end up with about 8 to 10 million users in each location. The above numbers are spread over multiple countries, so we’ll assume for the time being that, at most, there are approx 3 million users in any given country.
Further to that, the potential number of users likely to be affected by a DNS based attack is in the hundreds of thousands at most (I’m being generous, more than likely it will be MUCH less) for a banking website used nationally. To attack companies like Amazon.com or ebay.com you’d have to replicate the entire shopping cart system, and there are easier attacks currently being deployed.
So a browser exploit is likely to affect: 50,000,000
A root certificate breach is likely to affect 100,000 or less, and that’s based on the assumption of a successful DNS breach on a mass scale, where a browser exploit may only need the user to visit a web page. So the difference between a browser exploit having a detrimental effect and an SSL root cert being exploited is somewhere in the vicinity of 500x greater, although this could easily be 5000x or more depending on what figures you base your breakdown on, how proactive the bank is in preventing other forms of attack, and so on and so forth.
Just one final note: if the domain is hijacked or even just DNS spoofed, you don’t need to have a root cert escape into the wild. There are plenty of CAs already in the browser root stores that will issue control-of-domain certificates, including VeriSign via Thawte 123, GeoTrust and GoDaddy to name but a few, and this is part of the reason banks employ the services to prevent DNS based attacks, although the real reason is the fact people just don’t take enough care and verify they are connected by SSL before sending sensitive information.
So no matter how the above risk is twisted with FUD, the facts are that an SSL root key loose in the wild is highly overrated due to other factors mitigating risks.
Pushing Ahead
I think one of the key things that will help push things forward is, and always has been, our web of trust. On the surface it seems like just a way to unlock features on the website, such as increasing the length of time certificates are valid, or getting your name/company details onto certificates. However, in my opinion the big advantage, which is currently largely unrealised, that our web of trust has over most other internet identity schemes is that it is technology neutral, and this gives us an advantage over things like the PGP web of trust, which is locked to a specific technology. If at any time in the future they move away from PKI and X.509 certificates, we can simply integrate the technology into our system and keep going like we always have been.
Also an insightful comment submitted on the previous post suggested that if we managed to convert 10% of self signed websites, we’ll be well on our way to having a lot more mind share, and I guess this is where things like inclusion in the Debian ca-certificates package start to become significant, because this can then be leveraged to make it easier for certificate chaining once we start offering the option to have certificates signed by a higher trust certificate for those with 50 points or more, which hopefully will be within the next 24 hours all going well!
So I guess this begs the question of whether anyone has any contacts with any distros or other high profile sites using self signing that we can talk to, or, if you’re able to convince them to start getting their certs signed by us, it would push things along that little bit further that little bit quicker. And of course getting assured will improve the overall trust of the network, especially the more intertwined it becomes.
The battle for inclusion heats up
While our progress with the Mozilla Foundation is currently (and has always been, for that matter) in go-slow mode, we have been making progress on other fronts. Of late a number of distributions have either included us (such as Knoppix) or are putting considerable thought into including us (such as Ubuntu), with Debian the latest distribution to include us.
While this may not seem like much to the naysayers (I still get told no one will ever use CAcert because it’s not included, which I think is strange), it shows that we are getting more widely accepted and, more to the point, gaining credibility.