
The coming Web security woes (News.com)

Here's a News.com article (from last week) on a proposed new U.S. data security law. "Anyone who runs a Web site with registered users and receives income from it (Blogads and Google Ads count) should be concerned. The Specter-Leahy bill says that if that site's list of user IDs or e-mail addresses is compromised, each registered user must be notified via U.S. mail or telephone. Refusal to do so can be punished with $55,000-a-day fines and prison time of up to five years." How many such sites even have postal mail addresses or phone numbers for their users?

The coming Web security woes (News.com)

Posted Jul 11, 2005 17:03 UTC (Mon) by rknop (guest, #66)

I bet the spammers are pushing this law hard.

It will, after all, cause lots of posting sites that have Google ads or the like to remove registration altogether, which will make it easier to spam.

I can see this making sense if you have credit card info, social security info, or things like that. But just for e-mail addresses and user IDs? That's nuts.

It's too bad that we have a government of technophobic techno-illiterates.

-Rob

The coming Web security woes (News.com)

Posted Jul 11, 2005 18:22 UTC (Mon) by smitty_one_each (subscriber, #28989)

>It's too bad that we have a government of technophobic techno-illiterates.
Well, we have to identify technophilic technorati, develop a sufficiently minimal platform ( "A government of mechanism, not policy." ...oh, wait... ) and convince these hypotheticals that swimming inside the Beltway septic tank is good for their health.
Lessig? Perens? Schneier? Stallman? Raymond? -Wall? O'Reilly?

The coming Web security woes (News.com)

Posted Jul 11, 2005 17:09 UTC (Mon) by QuisUtDeus (guest, #14854)

And what does compromise even mean? Many sites list their usernames, show who is online, who is new, .... They may not show their e-mail addresses, but some users may elect to make them publicly visible. So, does having the info available in part in disparate places (if not as one single list) qualify as a compromised list of users and e-mail addresses?

A bad day for justice and common sense.

The coming Web security woes (News.com)

Posted Jul 11, 2005 17:32 UTC (Mon) by laf0rge (subscriber, #6469)

I'm really surprised about the bad comments here. I guess only somebody from outside the US can actually see data protection as a value in itself.

I would love it if we had such a law here. Obviously, it should contain an exemption for small sites (i.e. "receives income of more than XXX annually").

Oh, and it is surprising to me that it particularly refers to websites. I would define it more generally so the law is not invalidated if something similar is developed. After all, this is about protection of personal data in publicly-accessible information systems.

The coming Web security woes (News.com)

Posted Jul 11, 2005 17:49 UTC (Mon) by corbet (editor, #1)

Data protection is a good thing, but that doesn't mean that every law which claims to mandate data protection is good.

For LWN to be able to comply with this law, we would have to collect postal addresses and phone numbers from our account holders. That is information we do not ask for now. As a result, should our system ever be compromised, there would be all that additional information which could be disclosed; the consequences of a compromise have just been made worse. This result does not seem desirable.

The coming Web security woes (News.com)

Posted Jul 11, 2005 19:04 UTC (Mon) by jwb (subscriber, #15467)

Maybe the days of manual website logins are done. I know I, for one, am tired after a decade of registering and logging in at whatever.com. I have a perfectly useful smartcard plugged into my desktop. Why can't SSL be used to automatically identify users without the hassle of manual login?

The coming Web security woes (News.com)

Posted Jul 11, 2005 20:18 UTC (Mon) by emkey (guest, #144)

Because it costs money and is a lot more complicated than many people seem to realize.

This sort of technology has been around for a long time. The fact that it isn't common should tell you something.

The coming Web security woes (News.com)

Posted Jul 11, 2005 20:34 UTC (Mon) by jwb (subscriber, #15467)

Yes, it tells me that various short-sighted businesses have attempted to corner the market by promoting an array of mutually-incompatible and slightly broken schemes. In the absence of vendor obstructionism, the technology works properly. I personally use my smartcard for authentication to hosts, mail servers, and web servers. This cost me about $15 for the card and reader. Amortized over all the services I use and the expected lifetime of the object, the cost is nothing.

I realize that such schemes do not fit in well with the current trends in web architecture, but this is a consequence of very bad design decisions which became calcified in the minds of developers. It's not a fundamental hurdle.

The coming Web security woes (News.com)

Posted Jul 11, 2005 20:47 UTC (Mon) by emkey (guest, #144)

Your cost is the tip of the iceberg. Infrastructure costs on the backend are large, and many of them are darned near impossible to avoid if you want to do things right.

I worked for a company that issued signed ECC (Electronic Curve Cryptography) keys back in the early oughts. They spent millions of dollars setting up the facilities. We had to have strict two man rule for all operations, guards, a very expensive security system, etc. And those costs keep going right up the line.

I won't argue that industry infighting has had no impact. However, the technology is very very complicated and the required physical and electronic security substantial.

After all, it does no good to have your nice shiny PK infrastructure in place only to have your root key or some other critical part of your infrastructure compromised.

The coming Web security woes (News.com)

Posted Jul 11, 2005 20:58 UTC (Mon) by jwb (subscriber, #15467)

You and I are talking about two totally different things. You are talking about a system where a web operator wants to issue keys that affirmatively identify a real person. I'm talking about services like LWN where I can be "jwb" and you can be "emkey" and we're all effectively anonymous. We just make up our credentials, and the only meaning of "emkey" is that all posts having that subscriber name came from people knowing the same password. In these cases it is sufficient for the user to have their own self-signed cert that the browser and web server use to automatically map the user agent to the correct server-side account.

The coming Web security woes (News.com)

Posted Jul 12, 2005 16:37 UTC (Tue) by bronson (subscriber, #4806)

That sounds easy to you? How would you post from a friend's computer or an internet cafe? How would you ensure that you didn't accidentally leave your "id" behind? How would you get a useful number of web browsers and web servers to support your scheme? It sounds like a huge amount of work to me.

The coming Web security woes (News.com)

Posted Jul 11, 2005 21:20 UTC (Mon) by man_ls (subscriber, #15091)

It's not that easy. Smartcards pose a wider set of problems than passwords do. Off the top of my head:

Responsibility: What do you do if you lose your card? What if it breaks down? Do you need to store a duplicate at a secure location? And once it breaks and you start using the duplicate, how do you get a new duplicate? Is there a central facility (the CA, for example) to take care of these details? How do I know they can be trusted? Do I have to pay them for their services? Am I tied to them forever, or can I change providers?

Liability: What if the card leaks the private key in certain conditions by mistake? Who is responsible for the possible damages (which can be huge if you authenticate to, say, your stock broker or your bank)? Is it legally binding, like manually signing a document? If so, shouldn't I treat it like my credit card and carry it around? (and otherwise, who is going to take the risk of accepting a money transfer?) How do I cancel it if it gets stolen? And shouldn't I have a second, low security card for sites like LWN where I keep no money?

Identity: is it legal to keep or correlate data about you and your smartcard? To sell, lease, lose or steal this data? Is it a crime to steal the smartcard, or to use it to impersonate you? Do you have to notify anyone if you lose it, or you want to change smartcard provider? How do I carry my identity from one card to the next? What if you want to identify yourself with the card, where is the link from your identity to the authentication? Do you want such a link to exist, so that you can e.g. vote?

In the end it's too much hassle. I think that something like Apple's keychain or KDE's kwallet, or even Firefox's master password are far more useful for low-security logins; but they are not portable, so you can feel the pain if you go to an internet cafe. And of course they are mutually incompatible, losing a bit of their usefulness (which lies in taking care of passwords altogether).

Maybe if you can use the smartcard to authenticate to a local facility, which then authenticates to the remote site using a password, so it's only you and your machine...

The coming Web security woes (News.com)

Posted Jul 11, 2005 21:33 UTC (Mon) by jwb (subscriber, #15467)

Nothing happens if you lose your card that wouldn't have happened if you had forgotten your password or lost access to your email. And there needn't be any such thing as a smartcard "provider". This is one of the vendor fictions that's been hampering smartcard adoption for the last 20 years. You can buy effectively blank smartcards very cheaply. Then you put your own certs and keys on the card.

Remember, a smartcard isn't anything more than a tiny computer with a serial port. You can do WHATEVER you want with it. All the crap that has been piled onto the idea of a smartcard by the businesses chasing the technology can be ignored.

In your rant above you can replace "smartcard" with "email address" and have precisely the same argument. Anyway I'm not limiting myself to smartcards here, you could just as easily have your cert and key on your PC's disk. And if you are worried about correlation your browser can generate a brand-spanking-new self-signed cert for every domain.

The coming Web security woes (News.com)

Posted Jul 11, 2005 21:52 UTC (Mon) by emkey (guest, #144)

And how many non-technical people can deal with all those complexities?

Again, if this stuff were simple we'd be using it by now. You've made some good points, but to me it still comes down to cost and complexity.

The coming Web security woes (News.com)

Posted Jul 11, 2005 22:02 UTC (Mon) by man_ls (subscriber, #15091)

Yeah, exactly my point. Should have made it explicit, and less "ranty".

The coming Web security woes (News.com)

Posted Jul 12, 2005 0:05 UTC (Tue) by rqosa (guest, #24136)

> if this stuff were simple we'd be using it by now.

Some of us are using it, in the form of ssh public key authentication. I can't even remember my passwords on the ssh servers I use anymore.

There's also OpenPGP, which is similar.

For some reason, though, it seems that almost no websites support public key authentication yet.

The coming Web security woes (News.com)

Posted Jul 12, 2005 0:39 UTC (Tue) by dlang (subscriber, #313)

and this approach opens all those machines up to a transitive trust attack.

This is exactly the attack that was used to compromise the supercomputer clusters last year. The attacker breaks into one machine that you use and then uses the trust embodied by your SSH keys to roam around all the other machines that you have access to with your credentials.

SSH transitive trust attack

Posted Jul 12, 2005 1:54 UTC (Tue) by dskoll (subscriber, #1630)

> and this approach opens all those machines up to a transitive trust attack.

Presumably, you encrypt your SSH keys with a passphrase. And newer versions of SSH store hashes of hostnames in the "known hosts" file, making this kind of attack a lot harder.
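
What hashing the known_hosts file actually buys, as an added example in Go that is not code from the thread or from OpenSSH: the hashed host field OpenSSH writes with HashKnownHosts (or produces with ssh-keygen -H) is `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`, with a fresh 20-byte salt per line. Matching a known host is unchanged; what an intruder loses is the ability to read the list of hosts off the file, and what he keeps is the ability to test names he already guesses. The function names, the sample file and the wordlist are mine and constructed for the example; the key columns are placeholders, not real keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// HashHost renders a host field the way HashKnownHosts / "ssh-keygen -H" does:
// "|1|" + base64(salt) + "|" + base64(HMAC-SHA1(key=salt, msg=hostname)).
// The name is hashed exactly as it would otherwise be written in the file.
func HashHost(host string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// NewHashedHost draws a fresh 20-byte salt, as ssh does for each line it writes,
// so two entries for the same host do not even look alike.
func NewHashedHost(host string) (string, error) {
	salt := make([]byte, sha1.Size)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return HashHost(host, salt), nil
}

// Matches is what ssh does on connect: recompute the MAC with the line's own salt
// and compare. Nothing about matching got harder; only listing did.
func Matches(field, host string) bool {
	parts := strings.Split(field, "|")
	if len(parts) != 4 || parts[0] != "" || parts[1] != "1" {
		return false
	}
	salt, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(parts[3])
	if err != nil {
		return false
	}
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return hmac.Equal(mac.Sum(nil), want)
}

// Recover is all an intruder with a stolen hashed file can do: test names he can
// already guess. Hosts outside his wordlist stay hidden, which is the whole point.
func Recover(knownHosts string, wordlist []string) []string {
	var found []string
	for _, line := range strings.Split(knownHosts, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		for _, host := range wordlist {
			if Matches(fields[0], host) {
				found = append(found, host)
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed two-line file; the key columns are placeholders, not real keys.
	a, _ := NewHashedHost("cluster1.example.org")
	b, _ := NewHashedHost("mail.example.org")
	file := a + " ssh-rsa AAAAB3...\n" + b + " ssh-rsa AAAAB3...\n"
	fmt.Println(Recover(file, []string{"cluster1.example.org", "www.example.org"}))
}
```

The caveat a practitioner should take from Recover: hashing is enumeration resistance, not secrecy. A compromised client with an agent or an unencrypted key still lets the intruder try every host in the hashed file with the credentials he found, and the obvious names (the hosts in shell history, .ssh/config or the local DNS search domain) are the first ones he will guess.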

SSH transitive trust attack

Posted Jul 12, 2005 2:02 UTC (Tue) by emkey (guest, #144)

Let's just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.

Anyone who doesn't authenticate to each and every system they connect to by means of some form of password (preferably a one time password) is very very foolish in my opinion if they don't think they are seriously compromising their security.

Takes me back to the days when Sun shipped all their systems with /etc/hosts.equiv files that had nothing but a single plus, and users created .rhosts files that included every system they logged into or from.

SSH transitive trust attack

Posted Jul 14, 2005 12:29 UTC (Thu) by nix (subscriber, #2304)

> Let's just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.

That's more than mildly reminiscent of `the lurkers support me in e-mail'. (Obviously, if a keylogger is running on your machine, your passphrase is toast!)

SSH transitive trust attack

Posted Jul 14, 2005 13:57 UTC (Thu) by emkey (guest, #144)

No, it is very much reminiscent of somebody (me) who doesn't want to give out sensitive information. And that's all I can say, alas.

Transitive Trust is Red Herring

Posted Jul 12, 2005 2:03 UTC (Tue) by AnswerGuy (subscriber, #1256)

My knee-jerk thought is that the users of ssh who had their keys used to attack lots of other systems should have been using ssh-agent.

However, that would lead to an escalation of "yeah! but ..." (but the compromised machine could have the keys snooped out of ssh-agent's memory, or the pass phrases sniffed by a keyboard sniffer, or a trojan copy of ssh or ssh-add, or ... ad nauseam).

My point is that we are inevitably trusting some devices in any authentication scheme. I've heard of crackers who've employed intelligent keyboards as hardware keyloggers. Have you cracked open the case of your keyboard recently? Do you have a tamperproof seal on it? There's certainly room to slip in an extra couple of chips, connected in-line with the cable and capable of storing millions of keystrokes. I'd bet a reasonably skilled electronics hack could make something that would be installable within a few minutes, and it could possibly include its own encrypted BlueTooth (so the attacker could fetch the stored keystrokes from several cubicles away, possibly even through a sealed window from anywhere in line of sight).

So the assertion that something like ssh or PGP or smart cards makes one "more vulnerable" is simply a red herring. Poor usage procedures might make that the case in some situations, but even the best practices cannot eliminate this "transitive trust."

JimD

Transitive Trust is Red Herring

Posted Jul 12, 2005 2:32 UTC (Tue) by dlang (subscriber, #313)

One final point on transitive trust: the attacks using it are real, taking place today against people who are saying 'I'm using SSH so of course I'm safe'. We aren't talking about a possible future escalation, we are talking about the here and now (IIRC the compromise of the Debian servers last year was the same thing).

As for your argument about not trusting your keyboard, etc.:

that is exactly why a smartcard needs to be fully self-contained and not trust the system it's plugged into.

It doesn't necessarily require any special reader; you could make one that plugged into a PCMCIA/USB/Compact Flash/etc. slot (USB is close enough to universal that it's probably the best option right now).

The key is how it's used.

It needs to avoid exposing its shared secrets to the host machine (you need to allow a host machine to load the key into it, but after that you shouldn't be able to read it back out).

It needs to limit how much it can be used (to keep an attacker from trying to query every possible challenge-response pair from it). This could be as simple as limiting it to X authentications/second, or as complex as requiring the user to authorize the smartcard to respond each and every time (say a fingerprint reader on the card; remember you can't trust the computer not to tamper with (or copy) any user input before giving it to you).

And the interface for the device can also be very simple: you just need to feed it a couple of pieces of data (the minimum being the challenge from the remote site, but adding the userid the challenge is for and what the site is claiming to be would allow for multiple userids per smartcard and logging in the smartcard, which could be useful) and respond with the appropriate response. You could make it look like any sort of device that you want (a serial port or modem would be trivial to get the right interface to, for example, and would take advantage of common OS drivers to support it).

The real complication is in handling the public info and maintaining it on all the servers (which includes key renewal, revocation, etc.).
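
The device sketched in the post above, as an added example in Go that is not code from the thread or from any smartcard vendor: a simulated token holding an ECDSA key that a host can load once but never read back, answering only challenges bound to the site and userid the host names, refusing more than N responses per second, and keeping its own log of every use; the server side keeps only public keys (the "public info" to maintain) and single-use challenges, so a captured response cannot be replayed and a response obtained for one site is worthless at another. The names (Token, Server, Respond, Verify), the message layout and the clock hook are assumptions of mine; a real device would do the signing in hardware and a real reader would need drivers, which this does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// digest binds a response to the site and userid the host claims; length prefixes keep the parts from running together.
func digest(site, userid string, challenge []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(site), []byte(userid), challenge} {
		h.Write([]byte{byte(len(part) >> 8), byte(len(part))})
		h.Write(part)
	}
	return h.Sum(nil)
}

// Token models the device: the key goes in once and never comes out, responses are rate limited, every use is logged on board.
type Token struct {
	priv   *ecdsa.PrivateKey
	perSec int
	window time.Time
	used   int
	Log    []string
	Now    func() time.Time // clock; replaced in tests to drive the limiter
}

func NewToken(perSec int) *Token { return &Token{perSec: perSec, Now: time.Now} }

// Load is write-once. There is deliberately no method that returns priv.
func (t *Token) Load(priv *ecdsa.PrivateKey) error {
	if t.priv != nil {
		return errors.New("key already loaded; reset the device to replace it")
	}
	t.priv = priv
	return nil
}

// Respond signs the challenge for the named site and user, or refuses.
func (t *Token) Respond(site, userid string, challenge []byte) ([]byte, error) {
	if t.priv == nil {
		return nil, errors.New("no key loaded")
	}
	if now := t.Now(); now.Sub(t.window) >= time.Second {
		t.window, t.used = now, 0
	}
	if t.used >= t.perSec {
		return nil, errors.New("rate limited: the device is not an unlimited signing oracle")
	}
	t.used++
	t.Log = append(t.Log, site+"/"+userid)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest(site, userid, challenge))
}

// Server keeps only public keys and one outstanding challenge per userid; each challenge is answerable once.
type Server struct {
	site    string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewServer(site string) *Server { return &Server{site, map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

func (s *Server) Enroll(userid string, pub *ecdsa.PublicKey) { s.keys[userid] = pub }

func (s *Server) Challenge(userid string) ([]byte, error) {
	if _, ok := s.keys[userid]; !ok {
		return nil, errors.New("unknown userid")
	}
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; the server, not the host, supplies the freshness
	s.pending[userid] = c
	return c, nil
}

func (s *Server) Verify(userid string, sig []byte) bool {
	c, ok := s.pending[userid]
	if !ok {
		return false
	}
	delete(s.pending, userid) // single use: a replayed signature finds no challenge
	return ecdsa.VerifyASN1(s.keys[userid], digest(s.site, userid, c), sig)
}

func main() {
	priv, _ := newKey()
	tok, srv := NewToken(5), NewServer("lwn.example")
	tok.Load(priv)
	srv.Enroll("dlang", &priv.PublicKey) // the host had the key at provisioning time; only the public half is kept
	c, _ := srv.Challenge("dlang")
	sig, _ := tok.Respond("lwn.example", "dlang", c)
	fmt.Println("genuine:", srv.Verify("dlang", sig), "replay:", srv.Verify("dlang", sig))
}
```

Two design points worth noticing. Binding the site name into the signed digest is what defeats the relay the post worries about: a malicious host can ask the token to sign for "evil.example", but that signature does not verify at lwn.example. And the rate limit is only as good as the clock the device trusts; a token that takes its time from the host it distrusts has no rate limit at all, so a real device needs its own timebase or a per-use physical confirmation, as the post suggests.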

Transitive Trust is Red Herring

Posted Jul 12, 2005 4:03 UTC (Tue) by rqosa (guest, #24136)

> IIRC the compromise of the Debian servers last year was the same thing

According to Martin Schulze, the Debian break-in was done using a sniffed password.

The coming Web security woes (News.com)

Posted Jul 12, 2005 3:55 UTC (Tue) by rqosa (guest, #24136)

Simply breaking into a ssh server shouldn't be sufficient to get people's private keys, because there's never any need to store private keys on a machine with sshd running (or any outward-facing open ports) or transmit them over a network; if someone does that, it's their own fault.

Also, there's the possibility of using different keys for each server one connects to.

The coming Web security woes (News.com)

Posted Jul 12, 2005 5:04 UTC (Tue) by dlang (subscriber, #313)

You could use different keys for each server, but more important than that is to use different passphrases for each key, and now you're back to remembering a different password (passphrase) for each server, which is not practical for most people.

Transitive trust attacks don't come from attacking the server; they come from attacking the client machine, gaining control of that machine and then accessing the machines that trust it (sometimes accessing them directly, frequently accessing them through the first compromised machine).

The server being accessed through SSH only knows that the connection is coming from machine A; it doesn't have any idea if it is Joe User or Henry Hacker that's making that connection. The server is trusting the security of machine A to enforce that.

When people don't lock things down by IP as well, you don't even know that the connection is coming from machine A; you just know it's coming from someone who has access to the cert. This could be Joe User on his laptop, or it could be Henry Hacker, who installed a keystroke logger on Joe's machine to get his passphrase and copied his keys while he was in there.

David Lang

The coming Web security woes (News.com)

Posted Jul 12, 2005 6:18 UTC (Tue) by rqosa (guest, #24136)

> transitive trust attacks don't come from attacking the server, they come from attacking the client machine, gaining control of that machine and then accessing the machines that trust it

But attacking a client machine, which presumably has no outward-facing open ports, is more difficult than attacking a server, and once a client machine has been compromised it could have a keystroke logger installed so a transitive trust attack could be done even if the user is using plain old passwords for authentication. OTOH, there's one-time passwords...

The coming Web security woes (News.com)

Posted Jul 12, 2005 13:51 UTC (Tue) by emkey (guest, #144)

Even one time passwords will not fully protect you.

The wider your trust boundary, the better the odds of compromise. The more critical/sensitive the application, the smaller that trust boundary should be.

ssh is a great tool. However, it is not magic. It is only as good as the underlying protocols and codebase allow it to be.

The coming Web security woes (News.com)

Posted Jul 11, 2005 23:38 UTC (Mon) by dlang (subscriber, #313)

If you load your own cert onto a smartcard, how can anyone you connect to verify that it's not forged? (If they just store the cert itself, then how can you update it when it expires? If they don't, how can they tell the difference between you updating it when it's going to expire and a bad guy making up his own?)

And what is the standard protocol that lets a smart card communicate to a website? (I honestly don't know of any such protocol in anything resembling wide deployment.)

Don't think that something like a USB key holding your private cert will do the job; the bad guy can just snag a copy of the cert when it's accessed by the local system. You need a true smart card that is handed a challenge, computes the response, and hands it back, so that the authentication info never leaves the smartcard itself.

Yes, you can do 'low security' smartcards that don't take care of everything that's been listed, but at that point you have a placebo that makes people feel good but really doesn't provide the advertised protection.

The coming Web security woes (News.com)

Posted Jul 12, 2005 2:43 UTC (Tue) by jwb (subscriber, #15467)

> if you load your own cert onto a smartcard how can anyone you connect to verify that it's not forged?

The same way I know you are "dlang" and you know I'm "jwb". That is to say, you don't know. Remember, we're talking about slashdot and lwn here, not your bank account. On this site we're all anonymous, so "forged" has no meaning whatsoever.

> and what is the standard protocol that lets a smart card communicate to a website? (I honestly don't know of any such protocol in anything resembling wide deployment)

SSL. I understand it is extremely common.

> yes you can do 'low security' smartcards that don't take care of everything that's been listed, but at that point you have a placebo that makes people feel good, but really doesn't provide the advertised protection.

That's uninformed FUD.
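
The scheme jwb has been describing, as an added example in Go that is neither the thread's nor LWN's code: the account is the client's public key. A self-signed certificate carries that key through an ordinary TLS client-certificate handshake (the "SSL" in the reply above; the key lives in software here, so no PKCS #11 device is involved), and the server ignores both the subject and the absence of a CA and looks up the SubjectPublicKeyInfo fingerprint in its user table. That is also the answer to the renewal question in the post being replied to: a fresh certificate on the same key is the same account, and a certificate that copies the subject but carries a different key is nobody. The Accounts/Login names and the loopback TCP plumbing are assumptions of mine, and the client skips verifying the server (InsecureSkipVerify) because whether the site is genuine is a separate problem from the one under discussion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // the user's only durable secret

// certFor wraps the key in a self-signed certificate; nobody vouches for the subject and nobody needs to. Re-run with a new serial to "renew".
func certFor(key *ecdsa.PrivateKey, cn string, serial int64) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fingerprint identifies the account: SHA-256 over the DER SubjectPublicKeyInfo, so a renewed cert on the same key is the same user.
func fingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%x", sum[:]), nil
}

type Accounts map[string]string // the site's whole user table, fingerprint -> username: no e-mail address, no CA

// Login runs one TLS handshake over loopback TCP and returns the username the server bound the session to.
func Login(accounts Accounts, site, client tls.Certificate) (who string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{site},
		ClientAuth:   tls.RequireAnyClientCert, // a client cert is mandatory, but no CA is consulted
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			fp, err := fingerprint(raw[0])
			if err != nil {
				return err
			}
			user, ok := accounts[fp]
			if !ok {
				return fmt.Errorf("unregistered key %s", fp)
			}
			who = user
			return nil
		},
	}
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			s := tls.Server(c, srvCfg)
			err = s.Handshake()
			s.Close()
		}
		done <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	cl := tls.Client(c, &tls.Config{Certificates: []tls.Certificate{client}, InsecureSkipVerify: true}) // server identity: a separate problem
	err = cl.Handshake()
	if serr := <-done; serr != nil {
		err = serr
	}
	cl.Close()
	return who, err
}

func main() {
	siteKey, _ := newKey()
	site, _ := certFor(siteKey, "lwn.example", 1)
	userKey, _ := newKey()
	user, _ := certFor(userKey, "jwb", 1)
	fp, _ := fingerprint(user.Certificate[0])
	fmt.Println(Login(Accounts{fp: "jwb"}, site, user)) // registration stored only the key
}
```

What the example does not solve is the part of the thread that follows: it makes "forged" meaningless the same way a password does, but it does nothing about a key copied off a compromised client, which is the transitive-trust problem, and it needs the user to carry the key to every machine he posts from. Hashing the SubjectPublicKeyInfo rather than the whole certificate is the detail that makes renewal a non-event; pin the certificate and every expiry becomes a re-registration.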

The coming Web security woes (News.com)

Posted Jul 12, 2005 16:57 UTC (Tue) by bronson (subscriber, #4806)

Can you point to the section of RFC 2246 that talks about SSL's smart card challenge/response protocol? I must have missed that.

I also agree with dlang that poor smart cards will actually make security *worse* instead of better. Bruce Schneier has written more skillfully on this topic than I could hope to. Unfortunately I can't find the article right now... Maybe it was in Secrets & Lies?

The coming Web security woes (News.com)

Posted Jul 12, 2005 17:05 UTC (Tue) by jwb (subscriber, #15467)

SSL is agnostic regarding the type of cryptographic device being used at each end. The standard which allows a smartcard to take part in an SSL connection is called PKCS #11.

And, trying to bring the discussion back into the wind, I would like to point out that this topic does not involve security. We are (were) talking about means by which a website like LWN could hand out accounts without collecting email address information about the account holders, thereby avoiding the consequences of the proposed law mentioned in the article.

The coming Web security woes (News.com)

Posted Jul 12, 2005 18:39 UTC (Tue) by man_ls (subscriber, #15091)

> We are (were) talking about means by which a website like LWN could hand out accounts without collecting email address information about the account holders
To be honest, I missed that part. I thought you just didn't want to have to remember and manage all those passwords, and you wanted to use your smartcard to authenticate. Ok, this changes the scope of the problem significantly.

From the point of view of a site like LWN, it's probably easy to just store tokens (in this case cryptographic keys) associated to usernames. But frankly, what is the point? Passwords are just as good for tokens, username + password works just as well; the email address bit is just for verification and notification. So, keep it as it is now, and just discard the email address once the verification is complete. No notification for you US citizens.

The coming Web security woes (News.com)

Posted Jul 12, 2005 9:29 UTC (Tue) by tgb (guest, #745)

> don't think that something like a USB key holding your private cert will do the job, the bad guy can just snag a copy of the cert when it's accessed by the local system, you need a true smart card [...]

There have been devices available for several years which are the same dimensions as a USB flash memory device, but actually contain what amounts to a smartcard and reader rolled up into one. Aladdin make the eToken range, I think there was an Italian company called Eutronics who made something similar, but I can't find them right now.

Because these are the same technology as smartcards, there's no risk of "the bad guy [snagging] a copy of the cert when it's accessed by the local system", because the cert isn't accessed by the local system, all the work happens on-board the device.

The coming Web security woes (News.com)

Posted Jul 12, 2005 1:24 UTC (Tue) by bk (guest, #25617)

The number of people with smartcard readers installed on all their computers/laptops/pdas/cellphones is vanishingly small. Virtually zero, I'd wager.

The coming Web security woes (News.com)

Posted Jul 12, 2005 2:27 UTC (Tue) by jwb (subscriber, #15467)

The number of people with smartcard readers in their phone or PDA is pretty nearly 100% worldwide. Any GSM phone or GPRS PDA has one.

The coming Web security woes (News.com)

Posted Jul 12, 2005 17:00 UTC (Tue) by bronson (subscriber, #4806)

I don't understand the point of your comment... Do you advocate browsing the internet from your phone? Or somehow connecting your phone's smart card reader to the computer?

The coming Web security woes (News.com)

Posted Jul 12, 2005 17:14 UTC (Tue) by jwb (subscriber, #15467)

I don't *advocate* many things, but it is convenient that many phones now include: a smartcard reader, a smartcard, a gprs internet connection, a bluetooth serial port, and a keypad. Also, many people carry their phones with them at all times.

I have done a bit of work on the problem of using a bluetooth phone as a smartcard reader with pin pad for completing 3rd-party internet payments. I think the subject holds a lot of promise, and someday could free us from the tyranny of credit card number theft.

The coming Web security woes (News.com)

Posted Jul 11, 2005 18:13 UTC (Mon) by farnz (subscriber, #17727)

The unreasonable side of this law is forcing sites to collect extra information about their registered users. I am based in the UK, which has strong data protection laws compared to the US, and I'm not happy about the idea of being forced to disclose my phone number and postal address to a US site, just to register with them.

I would have no problems with this proposed law if it required sites to use whatever contact methods they already had on file (so e-mail in the case of LWN and Slashdot, postal mail in the case of PayPal, and so on), or if it imposed penalties and disclosure requirements similar to the Data Protection Act over here (must take care of data, jail time for not doing so, must correct it upon request, and must supply a copy within 40 days of a valid request).

The coming Web security woes (News.com)

Posted Jul 11, 2005 19:07 UTC (Mon) by iabervon (subscriber, #722)

I'm worried about it helping identity thieves. Right now, identity thieves can't get any useful personal information about me from cracking most of the sites where I have accounts, because I didn't provide any. This law, according to the article, would require me to provide sites with my contact information in order for them to be able to register me, and they would have to retain this information so that they can tell me if they lose it.

A more sensible law would be based on the information the site collects: if they collect credit card numbers, they have to cover credit reports; if they collect contact information, they have to use it. The strongest form of data protection is to not have the data in the first place, and this law seems to threaten that. A good data protection law would get the small sites to avoid having personal information, so that people wouldn't have to care if the data got out.

false addresses

Posted Jul 11, 2005 19:34 UTC (Mon) by edmundo (guest, #616)

Obviously it will be a nuisance having to type in a false address every time we register with a web site, but perhaps someone can help us all by publishing the private address of someone who helped make this law, just in case we can't think of a better false address to use.

false addresses

Posted Jul 11, 2005 19:45 UTC (Mon) by charlieb (subscriber, #23340)

> perhaps someone can help us all by publishing the private address of
> someone who helped make this law

Nobody has (yet) made it law. It's a bill, not a law, meaning it has not (yet) been passed by a parliament.

false addresses

Posted Jul 11, 2005 20:36 UTC (Mon) by QuisUtDeus (guest, #14854)

A good idea, even for the proponents of the bill.

Get the addresses of the offices for the proponents of the bill, and then start sending sample notifications for random user-names, with an explanation that "This address was given for this user account. This is a test/audit of the notification system ...."

Another idea for sites would be to have a check-box for a user to waive the requirement of being notified, and if they don't choose to waive it, then an address is required (with the addresses of the above proponents included as options :-) ).

false addresses

Posted Jul 11, 2005 21:22 UTC (Mon) by man_ls (subscriber, #15091)

I don't know, something tells me that the proponents do not have that kind of sense of humor :)

false addresses

Posted Jul 13, 2005 7:23 UTC (Wed) by Wol (guest, #4433)

Even better ...

Have a UK site report a break-in and data theft, by phone, at start of business GMT :-)

Cheers,
Wol

The coming Web security woes (News.com)

Posted Jul 11, 2005 21:43 UTC (Mon) by rm6990 (guest, #30921)

How would this law affect a site like Groklaw that doesn't advertise, but accepts donations?

The coming Web security woes (News.com)

Posted Jul 12, 2005 15:35 UTC (Tue) by QuisUtDeus (guest, #14854)

And what about false claims? Some swift hacker makes a noise about having the user-list with info from a site. How does the site fight that claim? How long do they have to fight it before they are forced by this kind of law to send out notices anyway, if only to warn of the claim?

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds