Comments for Giovanni Bajo's swapfile

Comment on Golomb-coded sets: smaller than Bloom filters by Rounded Corners 288 — /proc /by @assaf

Rounded Corners 288 — /proc /by @assaf — Tue, 20 Sep 2011 16:01:44 +0000

[...] bloom Golomb-coded sets are compressed Bloom filters. Quite useful when you’ve got spare CPU cycles but short on [...]

Comment on Is Convergence really solving the SSL problem? by somebody

somebody — Mon, 19 Sep 2011 06:05:36 +0000

I have been working with computers for decades and haven’t even heard of EV certs until reading this article. So, I am pretty sure 99% of the average users out there have not heard of EV certs as well. They have even done studies that show that EV certs do not provide anything to stop phishing because 1. very few people know about them and 2. even if they did, the people who would actually check are pretty much non existent.

So your argument that convergence is worse then the current SSL system b/c it doesn’t support a technology that practically no one uses is pretty crap in my opinion.

Also, if a user doesn’t recognize the url is bankoffamerica.com, then the user is most likely not going to know about ssl to begin with, let alone ev certs.

and the fact that you think that phishing is a bigger threat than mitm is scary….

Comment on Is Convergence really solving the SSL problem? by Giovanni Bajo

Giovanni Bajo — Tue, 13 Sep 2011 17:08:03 +0000

It’s true that you can’t register bankoffffamerica.com, and you can get a DV for it, but you can’t get an EV certificate for it. That’s my point: Convergence effectively disables EV certificates altogether, removing this safety barrier for end users. The fact that people might or not might depend on EV is a factor of how much we want to trust EV and CAs in providing EV, and thus how we build browsers around this concept. The end of the blog post hints at a system to provide EV information with crowdsourcing.

Comment on Is Convergence really solving the SSL problem? by Peter

Peter — Tue, 13 Sep 2011 13:58:12 +0000

I think you criticism of Convergence is a bit misplaced. You are correct, that convergence does not help with phishing attacks, and that someone with a self-signed cert with a doppleganger domain would show up as legitimate. But this is a problem with all solutions! Right now I could register bankoffamerica.com, set up an email address, and get a certificate issued from a CA because I’ll respond to the confirmation email. CA’s have _never_ provided authentication in the sense that “this is who you think it is”. They have only provided authentication in the sense that “This certificate came from the domain owner”. Basically, Phishing is a separate issue that would require it’s own solution. Convergence aims to solve the MITM and Trust agility problems.

I do agree that loosing the EV info with the certificate is unfortunate, and Convergence would be well served to carry this extra validation forward. However, as has been noted, almost no one _depends_ on EV certs, and most people don’t miss the green bar should it not be there.

Comment on Is Convergence really solving the SSL problem? by Joerg

Joerg — Fri, 09 Sep 2011 17:28:24 +0000

I still believe that convergence is a first step into the right direction. A small step technically, a big step regarding CA business models.

Let´s have one more look at the DigiNotar case. Some hacker penetrated their whole infrastructure and issued over 500 rogue certificates. DigiNotar did not disclose this “incident” and therefore those rogue certificates were fully trusted ones. The hacker seems to live in Iran and support the regime there. Maybe more kind of self-employed than being a paid “digital soldier”. Nevertheless, Iran on the one hand wants to control communication of the political opposition and on the other hand would love to strike back as a revenge for the SCADA attack against their atomic program. We are facing a period with a high amount of “rogue energy”.

SSL, DNSSEC and whatever else we currently do for Information security and privacy on the Internet is not designed to withstand this kind of attacks.

Trust relationships need to be based on “crowd intelligence” and they need to be agile also in a way that trust levels appropriate to the protected process can be defined.

Comment on Is Convergence really solving the SSL problem? by Giovanni Bajo

Giovanni Bajo — Thu, 08 Sep 2011 15:43:48 +0000

@Jon, I’m not sure I understand, can you elaborate?

Comment on Is Convergence really solving the SSL problem? by Giovanni Bajo

Giovanni Bajo — Thu, 08 Sep 2011 15:43:23 +0000

@Jeff, yes, that’s obviously a good point. I personally know non-technical people who checks the green bar, but the real question is obviously whether they would notice whenever it’s missing.

Comment on Is Convergence really solving the SSL problem? by Jeff Cutsinger

Jeff Cutsinger — Thu, 08 Sep 2011 13:01:28 +0000

I would be willing to bet money that users don’t pay attention to EV certificates, and that they do not statistically reduce the effectiveness of phishing attacks.

Comment on Is Convergence really solving the SSL problem? by Jon

Jon — Thu, 08 Sep 2011 01:14:35 +0000

You’re not taking into account the collectively run notaries that would spawn out of something like Convergence.

Comment on Is Convergence really solving the SSL problem? by Justen

Justen — Tue, 06 Sep 2011 16:09:57 +0000

Seems to me like the root of the problem here is trying to solve two completely separate issues with the same piece of technology. Namely, authentication and privacy. The CA system provides reasonable third party verification of identity (authentication) but it is clearly inadequate at privacy (due to MITM vulnerabilities). Convergence solves privacy concerns but it’s completey useless at authentication. While privacy and authentication are not mutually exclusive they’re separate concerns that can’t be adequately addressed by a single technology. You need one tool to provide air-tight authentication and another to provide privacy. Simple enough. Quit trying to make a perfect pancake-and-waffle-maker, in other words, and make a perfect pancake maker *and* a perfect waffle maker.