Many people have cited the reason for excluding us is based on our perceived ability to protect our root certificate and in fact most consider it worst then a critical browser exploit, but the more I think about this, the more I’m convinced this is just wrong, so I went to the trouble of trying to break the situation down logically, and here’s my risk analysis of the situation:
A browser exploit can effect all users of a particular browser (mozilla says 50mill so I’ll run with estimates based on that).
Browser exploits are pretty clear cut to calculate and would have the potential base of 50 million users to exploit.
A bad certificate on the other hand, the numbers aren’t so clear and you have to do some educated guessing as to what the risk would be closer to.
Without any more specific details of region break downs I’ll have to assume that the 50 million users are evenly distributed more or less on eastern and western Europe, North America, some parts of Central and Latin America and the Asia Pacific regions.
We also have to assume that most banks are either very geographically specific, or at most have a website on a per country basis and they operate different sites in different countries.
To exploit DNS effectively you either have to control a root name server or be able to exploit individual name servers of ISPs in a concurrent fashion. The banking industry and large merchants already pay large sums of money to be notified of DNS based attacks, so the risk here is going to be mitigated some what compared to normal merchant sites, and if we’re talking about normal merchants the threat is considerably lower due to lack of continuous contact that people would have, compared with their banks, and of course replication of the entire shopping cart since you need to make product selection before purchasing.
Ok, so if we evenly distribute the number of firefox copies over 6 areas and assume a penetration rate about equal we end up with about 8 to 10 million users in each location, the above numbers are spread over multiple countries so we’ll assume for the time being that at most, there are approx 3 million users in any given country.
Further to that the potential number of users likely to be effected by a DNS based attack is in the 100’s of 1000’s at most (I’m being generous, more then likely it will be MUCH less) for a banking website used nationally. To attack companies like Amazon.com or ebay.com you’d have to replicate the entire shopping cart system, of which there are easier attacks currently being deployed.
So a browser exploit is likely to effect: 50,000,000
A root certificate breach is likely to effect 100,000 or less, and that’s based on the assumption of a successful DNS breach on a mass scale, where a browser exploit may only need the user to visit a web page.
So the difference between a browser exploit having a detrimental effect or an SSL root cert exploited is somewhere in the vicinity 500x greater, although this easily could be 5000x or more depending on what figures you based your breakdown on, how proactive the bank is preventing other forms of attack so on and so forth.
Just one final note, if the domain is hijacked or even just DNS spoofed you don’t need have a root cert escape into the wild there are plenty of CAs already in the browser root stores that will issue control of domain certificates including Verisign via Thawte 123, Geotrust and Godaddy to name but a few, and this is part of the reason banks employee the services to prevent DNS based attacks, although the real reason is the fact people just don’t take enough care and verify they are connected by SSL before sending sensitive information.
So no matter how the above risk is twisted with FUD, the facts are that an SSL root key loose in the wild is highly over rated due to other factors mitigating risks.