Convergence.

[nobody]

Hello,

After I watched Moxies talk about Convergence for the second time in my
life:

https://www.youtube.com/watch?v=Z7Wl2FW2TcA
http://convergence.io/details.html

I just wondered... what is the pull back regarding Convergence to put it in
the webbrowsers by default?




Problems regarding Convergence from Slashdot:
So I hijack the router that website is using to access the internet. I
install some software on the
router to return a fake cert. I see the fake cert. All of the other
notaries see the fake cert. It this
is popular site the notaries might notice a cert change, but if its a
low volume site that the notaries
never go to. We all agree the fake cert is valid. How is this more
secure? Or I hack the router you
use to access the internet... all of the notaries you try to talk to I
redirect to me. I say every site is
valid regardless if it is or not. How is this more secure?
-->>
Presumably because the CA would be running its own notary (or notary
check), and thus is able to detect certificate variations?



Any thoughts, opinions about the topic?


Why couldn't Firefox have Convergence built-in to free us from the CA
system?


It's a very sad thing that Convergence isn't maintained nowadays...



Have a nice day.

[Daniel Veditz]

On 4/15/2014 7:43 AM, nobody wrote:
> I just wondered... what is the pull back regarding Convergence to put it in
> the webbrowsers by default?

The main issue is who are the notaries? If they're simply reflecting
back "Yup, I see this valid CA cert" then they aren't adding a whole lot
of value for the amount of risk they introduce, and if they're making
their own judgement about the validity of the certificates on some other
ground they just become a type of Certificate Authority themselves. Who
pays for that infrastructure, and what is their motive?

Firefox and Chrome are both working on implementing "key pinning" (and
participating in the standardization process for it) which won't "free
us from the CA system" but will at least ameliorate one of the worst
aspects which is that any two-bit CA anywhere in the world can issue a
certificate for any site, anywhere.

The IETF is working on standardizing "Certificate Transparency", Chrome
is implementing it, and at least one CA is participating. This again
doesn't free us from the CA system, but it does make the public
certificates auditable so that mis-issuance could theoretically be detected.

> Or I hack the router you
> use to access the internet... all of the notaries you try to talk to I
> redirect to me. I say every site is
> valid regardless if it is or not. How is this more secure?

I haven't looked at the technical details of convergence but presumably
it requires a secure connection to the notary or better that the notary
responses are signed by the notary. If the communication with the notary
is unreliable then it's no help at all.

The main practical problems with convergence are that it introduces a
dependency on traffic to a 3rd party which hurts privacy, reliability,
and performance. These are similar to the problems we have today with
OCSP revocation checking.

-Dan Veditz

[Aymeric Vitte]

I did not look again but as far as I remember the concepts of
convergence are not really applicable any longer, because they suppose
that there is a finite set of certificates used, and if you look at
sites like google, twitter, etc with some plugins to catch the
certificates, you will see that they keep their time changing
certificates, and for some they can issue them by themselves.

I don't know why they are doing this but then you have really no way to
know to whom you are talking to from the user perspective, http pinning
is more protecting the sites than the users.

I don't know about the "Certificate transparency" standard but I don't
see very well how this could help given the above remark.

Regards

Aymeric

--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security

[Phillip Hallam-Baker]

On Tue, Apr 15, 2014 at 7:08 PM, Daniel Veditz <dve...@mozilla.com> wrote:
> On 4/15/2014 7:43 AM, nobody wrote:
>>
>> I just wondered... what is the pull back regarding Convergence to put it
>> in
>> the webbrowsers by default?

Well one very big problem was that Peter was not prepared to do the
work of engaging in the standards area himself. Which is an almost
certain way to ensure that a proposal isn't going to thrive.

Another problem that most PKI alternatives suffer from is the
'hydrogen car' mentality. According to a popular Internet meme the
reason that we aren't driving hydrogen cars RIGHT NOW is that the evil
Detroit car companies are desperate to kill it at any cost. Now
imagine that you are a startup trying to build a hydrogen car, would
that be a productive mindset to base business assumptions on? I think
it is pretty clear that approaching the problem of building a hydrogen
car from the point of view that all advice from GM and Ford was
ill-intentioned attempts at sabotage would cut the startup off from
essential knowledge.

So Peter's approach of beginning his proposal with a canard against
existing CAs and refusing to correct the public impression he gave was
not a good start.

The DNSSEC crowd suffer from this as well. I keep telling them that
until they start signing the root with something more secure than
RSA1024 then all they are doing is an extended science project.
Unfortunately the only way I can get them to change is to raise this
issue at senior US policy levels which has the unfortunate side effect
of reinforcing the (entirely justified) belief that ICANN is just a US
govt. proxy.

> The main issue is who are the notaries? If they're simply reflecting back
> "Yup, I see this valid CA cert" then they aren't adding a whole lot of value
> for the amount of risk they introduce, and if they're making their own
> judgement about the validity of the certificates on some other ground they
> just become a type of Certificate Authority themselves. Who pays for that
> infrastructure, and what is their motive?

And that leads to the second problem of how reliable is that notary
infrastructure going to be.

> Firefox and Chrome are both working on implementing "key pinning" (and
> participating in the standardization process for it) which won't "free us
> from the CA system" but will at least ameliorate one of the worst aspects
> which is that any two-bit CA anywhere in the world can issue a certificate
> for any site, anywhere.

And don't forget that we should deploy CAA as part of that solution.

I am also working on ways of bringing the key pinning information into
the DNS space so that we can get a 'secure on first use'. That is the
reason I am interested in DNS Encryption. It is a change to the DNS
ecosystem which will break the ludicrous practice of taking DNS
service from the resolver advertised in DHCP. Which opens up the
opportunity for ditching a bunch of legacy DNS stupid (500 byte
message limit for instance).

> The IETF is working on standardizing "Certificate Transparency", Chrome is
> implementing it, and at least one CA is participating. This again doesn't
> free us from the CA system, but it does make the public certificates
> auditable so that mis-issuance could theoretically be detected.

There is certainly a lot of functional overlap. I think that CT has
pretty much addressed the major use case used to justify Convergence.
But it does not meet the real goal of Convergence





--
Website: http://hallambaker.com/

[Phillip Hallam-Baker]

Sorry, I got Peter and Moxie mixed up there, Jet lag.

Sovereign keys and Convergence both suffered from the assumption that
you can change the internet by just throwing a project over the wall
and waiting for people to implement. The details are slightly
different though.

--
Website: http://hallambaker.com/

[fhw...@gmail.com]

I didn't watch the video but I did read what's on the website. My take is that the solution proposed is merely ok. It's not great but it's not terrible either.

Where I would say the idea falls short is in the problem statement. While CA's do make for easy targets of criticism for their central role in establishing security and privacy, their centralization is not the biggest problem we face--certainly not in 2014. It would have been an easier argument to make in 2011(?) but today we know more about the threat landscape out on the Internet. 

A simple analogy to Convergence is getting the current time. If you see a bank clock that says it's 7:45 do you necessarily believe it? Maybe you know it's always a little fast and -2 minutes is more accurate. What if a minute later it says 53:AA? Maybe you could spend the next 5 minutes searching for other clocks but that doesn't necessarily get you a better result. And probably you aren't running around town trying to get the most accurate time anyway, so who really cares? 

Again, while the idea itself has merit I don't think pursuing it's standardization and implementation really get us any closer to where we want to be. 

  Original Message  
From: Daniel Veditz
Sent: Tuesday, April 15, 2014 11:09 AM
To: nobody; pri...@lists.mozilla.org; dev-se...@lists.mozilla.org; dev-tech...@lists.mozilla.org; dev-secur...@lists.mozilla.org; wish...@lists.mozilla.org; addons-user...@lists.mozilla.org; in...@convergence.io
Subject: Re: Convergence.

On 4/15/2014 7:43 AM, nobody wrote:
> I just wondered... what is the pull back regarding Convergence to put it in
> the webbrowsers by default?

The main issue is who are the notaries? If they're simply reflecting
back "Yup, I see this valid CA cert" then they aren't adding a whole lot
of value for the amount of risk they introduce, and if they're making
their own judgement about the validity of the certificates on some other
ground they just become a type of Certificate Authority themselves. Who
pays for that infrastructure, and what is their motive?

Firefox and Chrome are both working on implementing "key pinning" (and
participating in the standardization process for it) which won't "free
us from the CA system" but will at least ameliorate one of the worst
aspects which is that any two-bit CA anywhere in the world can issue a
certificate for any site, anywhere.

The IETF is working on standardizing "Certificate Transparency", Chrome
is implementing it, and at least one CA is participating. This again
doesn't free us from the CA system, but it does make the public
certificates auditable so that mis-issuance could theoretically be detected.

> Or I hack the router you
> use to access the internet... all of the notaries you try to talk to I
> redirect to me. I say every site is
> valid regardless if it is or not. How is this more secure?

I haven't looked at the technical details of convergence but presumably
it requires a secure connection to the notary or better that the notary
responses are signed by the notary. If the communication with the notary
is unreliable then it's no help at all.

The main practical problems with convergence are that it introduces a
dependency on traffic to a 3rd party which hurts privacy, reliability,
and performance. These are similar to the problems we have today with
OCSP revocation checking.

-Dan Veditz
_______________________________________________

dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

[Phillip Hallam-Baker]

Rather than argue over convergence, much better to consider what next
gen crypto looks like.

All these projects became possible because of the expiry of the Surety
patent on catenate certificates (chained hash function notaries).


Bitcoin demonstrates the sort of thing that is made possible if there
is a timestamp notary that cannot feasibly default. What it does not
do is to achieve that goal. The blockchain is horribly inefficient
currently burning through electricity at a rate of a quarter billion
dollars a year (and that can increase) while genuine bitcoin commerce
transactions are a few tens of millions.

But imagine what we could do if we had twenty notaries and each one
included the outputs of the others every hour. It would be impossible
for one notary to defect without all the others defecting. We could
achieve what the bitcoin notary does for less than a million bucks a
year.