Friday, 17 July 2015

HTTPS is Not Security

This is from http://arstechnica.co.uk/security/2015/06/wikipedia-goes-all-https-starting-immediately/, which quotes the Wikipedia group:
We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens.
That belief that "encryption makes the web stronger for everyone" is founded on what, exactly? The answer is: nothing whatsoever.

The Internet has a single point of failure, which is the Common Name (CN) record in the DNS. HTTPS relies on the integrity of the DNS to identify the network route to the SSL root certificate servers, but the DNS is not itself secure. The public keys and common names of the root servers are embedded in the executable programs of web browsers and other client programs, and the only authentication of these executables is via cryptographic checksums which are distributed, yes, you guessed it, by HTTPS. Therefore SSL root certificate server access is unauthenticated, and so the entire certificate chain is vulnerable.
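The paragraph above turns on where the trust anchor for an HTTPS chain lives. The following Go program is an added example, not code from the original post or from Wikipedia/Wikimedia, that builds a small in-memory PKI and runs the standard library's chain verification against it. It shows two things a defender should be able to check for themselves: the leaf is validated purely against the root certificate held locally in the client's trust store, with no DNS lookup or network access involved, and the flip side of that design, which is the author's underlying concern: a chain issued by any other root that has been placed in that store is accepted just as readily, so the integrity of the embedded trust store (how it is built, distributed and updated) is what the whole scheme rests on. The hostnames "example.com" and "other.example", the CA names and the serial numbers are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedCert issues a certificate from tmpl. With parent == nil the result is
// self-signed (a root); otherwise it is signed with the parent's private key.
func signedCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// caTemplate describes a root CA (constructed demo values).
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a server certificate for host (constructed demo values).
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// DemoPKI holds a trusted root and an unrelated rogue root, each with a leaf
// for the same hostname. Everything is generated in memory for the demo.
type DemoPKI struct {
	Root, Leaf, RogueRoot, RogueLeaf *x509.Certificate
}

// BuildDemoPKI generates both hierarchies for host.
func BuildDemoPKI(host string) (*DemoPKI, error) {
	root, rootKey, err := signedCert(caTemplate("Demo Trusted Root", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := signedCert(leafTemplate(host, 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := signedCert(caTemplate("Demo Rogue Root", 3), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueLeaf, _, err := signedCert(leafTemplate(host, 4), rogue, rogueKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Leaf: leaf, RogueRoot: rogue, RogueLeaf: rogueLeaf}, nil
}

// VerifyLeaf validates leaf for host against a trust store that contains only
// trustedRoot. The anchor is local: no DNS query or network fetch happens here.
func VerifyLeaf(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "chain does not lead to a
// trusted root" failure, as opposed to a hostname or validity-period mismatch.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	p, err := BuildDemoPKI("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted leaf vs trusted root:", VerifyLeaf(p.Leaf, p.Root, "example.com"))
	fmt.Println("rogue leaf vs trusted root:  ", VerifyLeaf(p.RogueLeaf, p.Root, "example.com"))
	fmt.Println("trusted leaf, wrong host:    ", VerifyLeaf(p.Leaf, p.Root, "other.example"))
	fmt.Println("rogue leaf vs rogue root:    ", VerifyLeaf(p.RogueLeaf, p.RogueRoot, "example.com"))
}
```

The last line of output is the one worth dwelling on: the rogue leaf is accepted the moment its root is the one in the pool. Whether a root ends up in a client's store through the vendor's build process, an operating-system update or a local administrator, the verification code cannot tell the difference, which is why the provenance of the trust store, and of the client binary that carries it, has to be established by some means other than the connections it is later used to secure.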

End of story.
