cas at taz.net.au
Sun Jan 14 18:09:43 AEDT 2007
On Sun, Jan 14, 2007 at 05:29:30PM +1100, Danny Yee wrote:
> The biggest problem is that users simply ignore both ssl encryption
> and the existence of certificates, signed or otherwise.
yes, most users do ignore them. and they're ignorant. and negligent.
however, that's greatly exacerbated by the fact that NONE of the online
banks even support the use of client certificates, so even those who
know about them and want to use them CAN'T.
it's a bit much to put ALL the blame on the users for not using a
feature that isn't even available to them.
so, yes - users ARE to blame. so are the banks.
> I don't know what can be done about this.
banks can start by providing the client-certificate feature as an option
and eventually move to requiring it (which would, of course, mean no
logging on at internet cafes or other public terminals. inconvenient for
some, but a good thing security-wise).
> A smaller problem is that it's trivial to get a signed certificate
> that verifies that www.westpac-ultrasecure.com really does belong to
> "WP Inc" or some other such entity. Maybe there should be some kind
> of certification restricted to Australian financial institutions
> and managed by ASIC or the RBA. (Of course this won't help with
> transactions with merchants.) But how useful this would be given the
> bigger problem of user blindness I don't know.
wouldn't make much difference. a CA (certificate authority) is a CA
- there's no way for a browser to know that a particular web site is
a banking site and SHOULD have a cert signed by a special banking CA
managed by ASIC or the RBA or whoever.
as far as the user is concerned, their browser only pops up a warning if
the site's certificate:
- has expired
- is signed by an unknown (and thus untrusted) CA
- is a self-signed certificate
- doesn't match the site's details (i.e. domain name)
if it is signed by a known CA then it's just accepted without any
warning or even dialog box. so we're back to the fact that the
commercial CAs can't be trusted as there are numerous instances of them
signing certificates without bothering to verify identity and even, on
some occasions, signing bogus certs for well-known organisations (e.g.
in one well-known incident a few years ago, one CA signed a certificate
for someone claiming to represent Microsoft Corporation)
craig sanders <cas at taz.net.au> (part time cyborg)
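The warning conditions listed in the mail (expired, unknown CA, self-signed, name mismatch) and the "accepted without any dialog" case, as an added example that is not part of the original message: a small Go program that mints constructed test certificates and classifies each the way that list does, using Go's crypto/x509 chain verifier in place of a browser. The names (Test Bank CA, bank.example, bank-ultrasecure.example) and the must/makeCert/verdict/scenarios helpers are all invented for illustration.

```go
package main
import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "time")

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // inputs are constructed, so an error here is a bug in the example
// makeCert mints a constructed test certificate; a nil parent means self-signed.
func makeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// verdict maps Go's chain-validation errors onto the warning cases listed in the mail.
func verdict(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.Expired {
		return "expired"
	}
	switch err.(type) {
	case nil:
		return "accepted silently" // known CA, in date, name matches: no warning, no dialog
	case x509.UnknownAuthorityError: // covers both "unknown CA" and "self-signed"
		return "unknown or self-signed issuer"
	case x509.HostnameError:
		return "name mismatch"
	}
	return "other: " + err.Error()
}
// scenarios trusts one constructed "Test Bank CA" and exercises each case against it.
func scenarios() map[string]string {
	ok := time.Now().Add(24 * time.Hour)
	ca, caKey := makeCert("Test Bank CA", true, ok, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	valid, _ := makeCert("bank.example", false, ok, ca, caKey)
	expired, _ := makeCert("bank.example", false, time.Now().Add(-time.Hour), ca, caKey)
	self, _ := makeCert("bank.example", false, ok, nil, nil)
	return map[string]string{
		"valid":      verdict(valid, "bank.example", roots),
		"expired":    verdict(expired, "bank.example", roots),
		"selfsigned": verdict(self, "bank.example", roots),
		"lookalike":  verdict(valid, "bank-ultrasecure.example", roots), // right CA, wrong name
	}
}
```

Note that a look-alike domain with its own certificate from any trusted CA falls into the "accepted silently" case, which is the point the mail makes about a banking-only CA being invisible to the browser.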