[EXT] RE: Widespread Firefox issues
valdis.kletnieks at vt.edu
Sat May 4 15:55:59 UTC 2019
On Sat, 04 May 2019 13:02:56 -0000, Charles Bronson said:
> On Fri, 03 May 2019 21:14:53 -0600, "Keith Medcalf" said:
>> HTTPS: has nothing to do with the website being "secure". https: means that
>> transport layer security (encryption) is in effect. https: is a PRIVACY
>> measure, not a SECURITY measure.
> I may be wrong and if so, I am happy to be corrected, but I don't think that
> statement is entirely true. The certificate not only encrypts the connection,
> it also verifies that you are connecting to the server you intend to. That second
> component is a security measure.
Actually, the identity component of a certificate does *not* verify you
connected to the server you *intended*. It verifies that the server you actually
connected to is the one that the connection was directed to, and that you
didn't get MITM'ed. That's important, but not what most people think it means.
In particular, it does *not* protect against typo squatters that get hits when
you accidentally try to go to faceebook.com. Also, when a user enters
cnn.com, they *intend* to visit cnn.com, and aren't thinking about the *other*
38 sites that get contacted (as reported by the IPvFoo extension). Did I
*intend* to go to a125375509.cdn.optimizely.com - one of the sites that ends up
getting called when I visit cnn.com?
So while there's a useful security guarantee provided by the proof-of-identity,
it's *NOT* what people usually think it is.
Additionally, the first component is also a security measure as well.
Googling for "3 pillars of security" shows that they're "confidentiality,
integrity, and availability".
In what world are the "privacy" provisions of TLS *not* part of
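As an added illustration of the distinction Valdis draws (this is not code from the thread or from any of the posters), the following Python models the hostname check a TLS client performs against a certificate's SAN names, next to a separate lookalike check a defender would need to notice a typo such as `faceebook.com`; the SAN lists are constructed for the demonstration and stand in for real certificates.

```python
"""TLS identity check versus "did I intend to visit this site".

Certificates are modelled only by their SAN dNSName lists (constructed for
this example); no real certificates or network connections are involved.
"""
from __future__ import annotations


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125-style check a TLS client performs: the name the connection was
    directed to must equal a SAN entry, or match a wildcard whose '*' is the
    whole leftmost label and stands for exactly one label. It says nothing
    about whether the user *meant* to reach this host."""
    host = hostname.rstrip(".").lower().split(".")
    for san in san_names:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue                          # a wildcard never spans labels
        if pat[0] == "*" and len(pat) >= 3:   # refuse "*.com"-style patterns
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(hostname: str, trusted: list[str], max_distance: int = 2) -> str | None:
    """Return the trusted domain this hostname closely resembles but is not.
    This is the check the certificate does NOT perform for you."""
    host = hostname.rstrip(".").lower()
    if host in trusted:
        return None
    candidates = [(edit_distance(host, d), d) for d in trusted]
    dist, best = min(candidates)
    return best if 0 < dist <= max_distance else None


def connection_report(typed_host: str, cert_sans: list[str], trusted: list[str]) -> dict:
    """Combine both views: TLS says "you reached the host named in the URL";
    only the lookalike check says "that may not be where you intended to go"."""
    return {"tls_identity_ok": hostname_matches(typed_host, cert_sans),
            "lookalike_of": lookalike_of(typed_host, trusted)}
```

Run `connection_report("faceebook.com", ["faceebook.com"], ["facebook.com"])` to see a connection that passes the TLS identity check yet is flagged as a lookalike of the intended site.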