requires TLS which means that if it were HTTP 2.0 it would require the deployment of certificates everywhere. That's an added expense for a web site operator. Unless SSL certificates are suddenly free and trivial to deploy
Get the browser vendors to stop being idiots, and treat self-signed SSL connections as identical to plaintext connections.
Or even better get them to implement a notary model [ http://perspectives-project.org ] (as a default rather than an extension), that doesn't allow for a single insecure CA to break the security of the entire web.
The first step towards an alternative to the multiple- single- points- of- failure CA model is already underway: it's Trevor Perrin and Moxie Marlinspike's TACK project (currently an Internet Draft). TACK allows sites to cache certificate pins, typically after first contact, so that any site on the Internet can have the same protection that Google's properties have today by virtue of the hardcoded pins in Chrome.
As Moxie Marlinspike has said, on HN even, TACK is a sensible and achievable first step towards a substrate that we can build notaries or other trust models on top of. It doesn't require years of study and consideration; it merely extends something that browser vendors already do for their preferred sites.
Meanwhile, browsers can't simply treat sites under self-signed certificates as normal plaintext HTTP sites. The user reached the site through an HTTPS URL, which promised them security. When the browser detects and warns about a self-signed certificate, it is telling the user "this site is lying about its security". The simple way to understand this: start by asking what a browser should do when the Citibank Online Banking Login presents a broken cert, and then ask how the browser should know when it's OK for a site to present as merely "not encrypted" (ie, HN login) and when it's not OK (ie, online banking). It can't. The browser has to assume that HTTPS sites with broken certificates are sensitive.
Remember also, the "broken certificate" case is exactly what happens when an attacker intercepts a TLS connection for a MITM attack.
Meanwhile, browsers can't simply treat sites under self-signed certificates as normal plaintext HTTP sites. The user reached the site through an HTTPS URL, which promised them security.
The user reached the site by clicking on a link or bookmark, and doesn't know or care about http vs https.
start by asking what a browser should do when the Citibank Online Banking Login presents a broken cert
It should not show the green "Citigroup Inc (US)" at the left of the address bar.
If I go type "citicards.com" into the address bar, I end up redirected to a SSL site with an EV cert. If my DNS got hijacked, I would probably end up not redirected to the SSL site, rather than redirected to a site with a broken cert. So non-SSL sites are just as dangerous ad sites with bad certs, and should be presented the same way.
how the browser should know when it's OK for a site to present as merely "not encrypted" (ie, HN login) and when it's not OK (ie, online banking). It can't. The browser has to assume that HTTPS sites with broken certificates are sensitive.
The browser should visually distinguish sites that are safe for sensitive info from those that are not. Plaintext and self-signed SSL are both not safe. Site with "EV" certs are supposedly safe. Site with other CA-signed certs are also supposedly safe, but slightly less so.
So, show EV sites with the green name by the address bar, like recent browsers do now. Show sites with other CA-signed certs with the little lock icon, and maybe color it light green. Show plaintext and self-signed sites with nothing at all, and maybe color the address bar slightly red. But, do this identically for non-signed and self-signed sites.
Your HTTPS "session" with your bank isn't just one connection that can be checked a single time when you first connect; it's hundreds of individual HTTPS connections, each of which needs to be verified, or an attacker will just corrupt the least obvious connection and use that to break the security of the whole app.
Browsers already complain if a site mixes http and https, why can't they complain if security levels are mixed at all (plaintext, self-signed, normal-CA-signed, EV, TACK-pinned)?
Were I in charge, that's the detail I'd change. An "https" URL is actually requesting a certain quality of security service and should fail without trustworthy authentication, but using insecure TLS opportunistically (e.g., caching the result from a prior "Upgrade" header or OPTIONS request) for a "http" URL would be fine since cleartext would also have been fine.
I think this makes sense too, in the context of the security model we have now, but I'd rather see a better trust model that allows everything to be encrypted all the time safely. I think we'll have it eventually.
What's the status of implementations and/or toolsets for TACK? Can I test it on my clients' SSL websites? Are there settings in any popular webservers for activating TACK?
(Oddly, I care least about the browser for this particular question.)
I never thought about it from that angle. You are right, it makes no sense for browser vendors to display a big fat warning page because someone signed a certificate himself while they never let you know that 90% of the websites you use are transferred in plain-text over a wholly untrusted network.
Again: that big fat red warning is the only thing that happens when an attacker hijacks the DNS for Citibank.com at your ISP, redirects traffic to herself, and intercepts all the TLS online banking warnings. Without the big red warning, you might as well not have certificates at all, because nobody would ever notice MITM attacks on TLS. None of the cryptography in TLS works unless users can be assured that every single HTTPS request will generate a big red warning box if the certs don't check out.
I absolutely understand how confounding the self-signed certificate warning seems when viewed solely in the context of normal sites operating under normal conditions. But that warning box doesn't mean "this site could be a whole lot safer if it was just configured better!" It means what it says: "you are probably under active attack".
Yes, there's a Bayesian problem here: most of the time, you are not actually under attack, and the site operator is in fact just using a poor configuration. But the browser can't know that; it has to assume you're under attack, because there's no other signal available to it to determine otherwise.
Yeah, except, since as you say, "most of the time, you are not actually under attack", that's exactly what end-users think, and learn to ignore the warning regardless. So, while you may save some tech-savvy users, all your normal users will just click through. I've seen this happen first hand on multiple college campuses with dozens of users where I've been the IT Support/Network Admin. Too many false positives and you end up with security theatre instead of actual protection.
Which is why the warnings are getting steadily more annoying.
What's the alternative? There is no difference on the wire between a self-signed certificate for a site that simply doesn't care about certificates, and a self-signed certificate that is the sole marker of an attacker having hijacked the TLS connection of a site that very much does care about its security. A MITM attack looks identical on the wire to a self-signed cert.
"What's the alternative? There is no difference on the wire between a self-signed certificate for a site that simply doesn't care about certificates, and a self-signed certificate that is the sole marker of an attacker having hijacked the TLS connection of a site that very much does care about its security. A MITM attack looks identical on the wire to a self-signed cert."
How about adding another signal? It sounds like you're arguing with the sea, expecting normals to change.
Use the recent https-only header that says "if you ever see an insecure connection to this site, it's a bug", and pre-populate the list.
Stop assuming that users will eventually get it, and design a better product.
How does HSTS (the "https-only header") help with self-signed certificates? HSTS doesn't mean "this site won't work if its certificate is self-signed".
It doesn't matter. The ONLY thing HSTS does is tell the browser to make future requests over HTTPS. If an HSTS site switches to a self-signed cert between my visits, the browser will still get warn me, because the new cert is suspicious.
I don't understand this comment so I'll just repeat: a TLS connection that uses a self-signed certificate by design and a MITM attack against a site look identical on the wire.
So do an unencrypted normal site and an unencrypted attack site (like my spam folder is full of links to).
Most self-signed sites are fine, but because a few are MITM attacks, they should all throw big warnings (which users will learn to ignore, because of poor signal-to-noise).
Most unencrypted sites are fine, but because a few are attack sites, ....
The criteria for a user to enter sensitive info should not be "the connection is encrypted" or even "the connection is encrypted and goes to the server it says it does", but "I know the real-world identity of who I'm talking to".
The criteria to warn the user against entering sensitive info should be the negation of that; "I don't know the real-world identity of who I'm talking to".
The means of warning the user, should be such that the user does not need to act when not trying to enter sensitive info. So rather than pop-ups or interstitials that have to be dismissed -- and that the user can learn to dismiss -- there should be some persistent UI cue (like the green "Citigroup Inc (US)" beside the address bar) that the user can check when needed.
Browser: "Bad cert! The world's gonna end!"
User: "That's just a discussion forum, I don't care."
Browser: "Bad cert! The world's gonna end!"
User: "That's Joe's blog, I don't care."
Browser: "Bad cert! The world's gonna end!"
User: "yeah yeah, that's nice"
Browser: "Bad cert! The world's gonna end!"
User: "Would you shut up already!"
User: "...Why is my bank account empty!?"
I don't understand why you keep saying "attack site". The problem the self-signed cert warning addresses isn't malicious sites; it's attackers who intercept TLS connections to online banks and swap out the Verisign certificate with a self-signed certificate.
The warning isn't about the site; it's about the connection.
> it's attackers who intercept TLS connections to online
> banks and swap out the Verisign certificate with a self-
> signed certificate
How is a MITM attack with a self-signed certificate any different than redirecting a user to a HTTP site instead of an HTTPS site? Do you really think that 'Joe Sixpack' knows the difference between http and https the way that you do?
You're saying that users can distinguish between the following possibilities:
- A site is over http, so it's insecure (and no big red warning).
- A site is over possibly compromised https with a big red warning, so it's insecure.
- A site is over verified https with a big green "everything is ok" light, so it's secure.
You seem to think that the average user knows that HTTPS needs a "red light/green light" system, but HTTP does not (because it's inherently insecure). I posit that the average user doesn't 'get' the difference between http with no warning and https with a green light. Why not have a system that is simple for the end-user? E.g.:
- green light == secure
- no green light == insecure
- no need to differentiate between http/https for
the average end-user
I'm really having trouble following your argument here. The only reason the user wouldn't know who he's talking to is shenanigans. You're complaining about the shenanigans alert.
The suggestion is to tell people "you are safe if there is a green padlock in the address bar", and only display the padlock if the certificate is signed by a trusted authority.
Again, apart from the fact that the absence of a green padlock is an insufficient alarm for "your site is being hijacked by a MITM attacker", a session with a web application consists of many hundreds of individual connections.
Yes. Of course we still need the certificate system and the big fat warning boxes.
But you didn't address the problem here. You are essentially arguing we should keep the steel-bolted doors, and I agree, but that doesn't exclude us from doing something about all the traffic that doesn't even have padlocks.
The core issue is that encryption is useless without authentication. A MITM could just replace the original self-signed certificate with his own and read the decrypted plaintext while proxying the request so the user doesn't notice.
Yes; more importantly, a MITM can replace a validly signed certificate with a self-signed certificate. If browsers are lax about self-signed certificates, all TLS connections are weakened, not just the ones that "opt out" of "good" certificates.
we're now moving to a "if its self signed, you can't access the site, you can't bypass the check even".
wait wait wait what?
I am currently in a space where we have to deal with self-signed certificates all the time. I fully accept that people like me will have to deal with more hassles from this so that people don't get their paypal accounts hijacked as easily. But I've yet to find out that I simply cannot connect to a site with a self-signed certificate.
I work for some of the said vendor (and I'm being vague on purpose here). I took part of the discussion. I made the same point you did. People don't care. The argument was quickly dismissed by a "go get a cert for free at startssl". Seriously.
I think the Internet is a social change, and transforms people into idiots indeed. People in groups have always been more stupid than single persons. And Internet makes us all one freaking huge group of people.
Apparently if you don't share the popular idea you must be destroyed (you'll see this happen often in HN comments too).
Otherwise, here's another project, that works on the same principles as perspectives, but has a better back-end (albeit WAY less marketing) IMO http://web.monkeysphere.info/
Get the browser vendors to stop being idiots, and treat self-signed SSL connections as identical to plaintext connections.
Or even better get them to implement a notary model [ http://perspectives-project.org ] (as a default rather than an extension), that doesn't allow for a single insecure CA to break the security of the entire web.