LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Default "secrets"

Default "secrets"

Posted Jan 7, 2011 1:11 UTC (Fri) by djao (guest, #4263)
In reply to: Default "secrets" by iabervon
Parent article: Default "secrets"

As a minimum, browsers should identify that a device is using a PKI-issued cert for a private identity, and simply tell users that this can't possibly provide any meaningful security.

Your complaint, while valid, misses the biggest issue. It's a bit like ticketing a drunk driver for a seatbelt violation.

The biggest problem is that browsers are totally and utterly dependent on certificates for authentication. The widespread incorrect belief in the need for certificates represents the single biggest factor in perpetuating exactly the sort of insecure situations that this very article is about.

Do you trust SSH? As others here have pointed out, SSH (in its default configuration) uses no certificates. The program simply caches the key the first time it is used, and warns the user if the key ever changes. The SSH authentication model is nowadays called TOFU or "trust on first use." For someone setting up a wireless router, trust-on-first-use is perfectly fine. A user, even an unskilled one, is generally aware of the fact that they are setting up a router for the first time, and that they might have to click on boxes to accept a key.

There are many other wireless hardware devices with security implications (such as bluetooth keyboards) that already use TOFU authentication with great success. All the posters here who are complaining that it can't be done, that it would generate hundreds of support calls, are simply ignoring the fact that it not only can be done, but already is being done with no problems.

The fault in this case lies squarely with the browser manufacturers, for not supporting TOFU, and more generally for providing no authentication mechanisms whatsoever other than certificates. (Yes, a skilled user can achieve the equivalent of TOFU in Firefox. It takes five mouse clicks worth of scary dialog boxes. This doesn't count as support.) Secondary blame belongs to the companies that generate certificates, for lobbying browsers to require certificates in order to preserve their lucrative protection racket.

(Log in to post comments)

Default "secrets" and Trust On First Use

Posted Jan 7, 2011 17:49 UTC (Fri) by scripter (subscriber, #2654) [Link]

TOFU might be a step in the right direction, but it's not going to eliminate scary certificate warning support calls when someone changes out their router for a different model.

Default "secrets" and Trust On First Use

Posted Jan 7, 2011 19:05 UTC (Fri) by iabervon (subscriber, #722) [Link]

Depends; if the big warning is: "This is not your usual router!" the user is going to say, "Well, that's good, because I got a new one." Car companies don't get support calls when people buy new cars and their old car keys don't work any more. It comes back to the fact that browsers give misleading messages about security concerns, based on the assumption that your router is either a bank or someone pretending to be a bank. If they had suitable behavior for talking to network hardware, it would be easy to have a big warning that is either really scary or comforting depending on whether you know that you changed out your router. I mean, if someone else has swapped your router for a different one without your knowledge, your computer probably ought to give you a big scary warning; just because the attacker who has hijacked your connection to your router is using a router you might have bought doesn't make it any better.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds