Saturday, April 9, 2011


The failure of fragmented security



With recent attacks against SSL/TLS and certificates, everyone has been thinking a lot about security. What can we do to prevent security problems in the future?

The problem really stems from the fact that our different security components are separate from one another, and don't entirely see eye to eye, leaving gaps for attackers to walk right on through. The current certificate system for certifying the identity of a website is flawed in theory, and in its implementation in many browsers.

The current system works as follows: An entity submits proof of ownership of the domain(s) it owns to one of the hundreds of certificate authorities out there, which follows some kind of verification process and then issues that entity a certificate identifying the site. This certificate is digitally signed by the certificate authority using its private key, which is known to no one else. Since no one but the certificate authority has that private key, it is the only one able to sign certificates in its own name. Browsers ship with a certificate bundle identifying the certificate authorities they trust. In this way, when you see a site with a certificate signed by a known certificate authority, you know it's the site you intended to visit.

Except there are some flaws with this idea. If terrorists wanted to, they could attack a certificate authority's physical headquarters and steal their private keys from their server and sign whatever they want for whichever domain they wish. Or, hackers could hack into machines remotely and perhaps get lucky and find some private keys on them. Or, anyone could start their own certificate authority. It really isn't that hard. Once your new authority becomes trusted by the various browsers, you can proceed to generate certificates for any domain desired.

This entire system has multiple points of failure. Further compounding the issue is that several "trusted" certificate authorities are themselves also ISPs or run various links in the vast internet. Having both components in your control allows you to impersonate any site for any information passing through your systems. America Online for example is both a trusted certificate authority and an ISP, and anyone who works there and has access to their infrastructure and private keys can view all HTTPS encrypted data passing through their network as unencrypted. Want to buy something with your credit card online? You might want to traceroute your connection first and ensure no one along the way is also a certificate authority your browser trusts.

In order to mitigate a certificate authority signing something it shouldn't have, they invented Certificate Revocation Lists, with which an authority can revoke specific certificates it once signed, since every certificate also has an ID number associated with it. But some browsers don't even bother checking these lists. Further, some browsers which make use of CRLs and their friends carry on as if nothing happened if they couldn't access a CRL for some reason. Further, these CRLs are subject to the same security problems just described for domains in general. How do I know this is indeed the real CRL? Also, browsers themselves don't have CRLs for the root certificates they ship with, so they are unable to revoke a certificate of a rogue CA if they need to.

But in reality, this entire system is flawed from the ground up. It's so flawed, it doesn't even make the slightest bit of sense. Imagine the following scenario where my boss asks me to inform him of all purchasing details for our web presence needs, and explain why they're needed.


<Me> Okay, we're going to need $35 a year to register all the domains we want for our company, such as company.com and company.net and so on.
<Him> Sure, that's fine, what else?
<Me> Then we're going to need $200 a year for each domain for certificates.
<Him> Why do we need these certificates?
<Me> To prove that we own the domain in question.
<Him> Prove it? Why?
<Me> Browsers like Internet Explorer and Firefox won't realize when they visit our domain that it's really our domain, and not some hacker out there trying to impersonate us.
<Him> So if we don't buy these certificates, hackers will be able to get the domain names registered as their own instead of ours?
<Me> No, the domain names are protected by a central authority, they know that we own them, and we tell them to point the domains at our servers, but hackers in between our customer's browser and our server can hijack the connection and make believe they're us without a certificate.
<Him> I don't get it, why can't our customer's browser just check the domain registry and make sure the server they reach is the one we told the domain registry about? Why do we need to buy something from a 3rd party?


This seems strange to you? He's absolutely right. Why can't the hierarchy for domain management also distribute the public keys for our servers? The systems will need to be modified to combine several components and have encryption at each level, but does anything else make an ounce of sense?

Imagine you wanted to buy some property. You have your lawyer, accountant, realtor, and other people directly related to the purchase. After everything is taken care of, and you submit forms to city hall and everything else, you then go down to Joe's House of Fine Refrigerators and have him give you a signed deed that you indeed own the property in question. Makes a lot of sense, right?

Now you call a construction company down to work on your new property, say to merge it with the property next door to it. They want proof you own both properties before beginning. What do you do? You pull out your deed from Joe's House of Fine Refrigerators.

This is the exact state of internet security today. This problem is even pervasive down to every level of infrastructure we use.

Take cookies, for example. The system they use to match domain names runs completely counter to how the domain name system works. It's actually impossible for any browser to properly know, for every set of domains in existence, whether they're paired or not when it comes to handling cookies for them. It will either fail to submit cookies to some sites that it should, or submit cookies to some sites it shouldn't. Some browsers try to solve this problem with a massive hack: a list of domains that tells the cookie code which ones are or aren't paired together, which is also incomplete and needs never-ending updates. Without the list, the only difference is that the browser is just wrong more often than with it.
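The cookie-matching problem above, as an added example that is not part of the original post: it scores two label-count heuristics and a list-based rule against the same cases, counting errors in each direction. The suffix entries, hostnames and both heuristics are constructed for illustration and are not any browser's actual list or code.

```javascript
// Constructed excerpt in the style of a suffix list; not a real or complete list.
const SUFFIXES = new Set(["com", "de", "uk", "co.uk", "hosting.example"]);

// True when `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Heuristic without a list: accept any cookie domain with at least `minLabels` labels.
function heuristicAllows(host, domain, minLabels) {
  return domainMatches(host, domain) && domain.split(".").length >= minLabels;
}

// List-based rule: reject a cookie domain that is itself a listed suffix.
function listAllows(host, domain, suffixes) {
  return domainMatches(host, domain) && !suffixes.has(domain);
}

// Constructed cases: [requesting host, cookie Domain attribute, should it be allowed?]
const CASES = [
  ["shop.company.com", "company.com", true],   // one owner, sharing is intended
  ["www.company.de", "company.de", true],      // one owner under a two-letter TLD
  ["evil.co.uk", "co.uk", false],              // would reach every site under co.uk
  ["alice.hosting.example", "hosting.example", false], // customers share the parent
];

// Collect the wrong decisions a rule makes, split by direction of the error.
function score(rule) {
  const result = { overShared: [], underShared: [] };
  for (const [host, domain, expected] of CASES) {
    const got = rule(host, domain);
    if (got && !expected) result.overShared.push(domain);
    if (!got && expected) result.underShared.push(domain);
  }
  return result;
}

const twoLabels = score((h, d) => heuristicAllows(h, d, 2));
const threeLabels = score((h, d) => heuristicAllows(h, d, 3));
const fullList = score((h, d) => listAllows(h, d, SUFFIXES));
// The same list as it stood before "hosting.example" was added to it.
const staleList = score((h, d) =>
  listAllows(h, d, new Set([...SUFFIXES].filter((s) => s !== "hosting.example"))));

console.log({ twoLabels, threeLabels, fullList, staleList });
```

The looser heuristic shares cookies across unrelated owners, the stricter one withholds them from a single owner's own sites, and the list is only right for the entries it already contains.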

Really, if the hackers were out there, we'd be in big trouble.
