
6 posts from July 2008

July 29, 2008

Defect-free code is vulnerability-free code

I've come to realise that our efforts to improve the state of security through a focus on the software development life cycle (SDLC) are flawed. Although we may see some improvement in the short term (a span of a few years), such an effort is a waste of time as it cannot solve the problem. If you think it can then you are looking at the wrong problem. (Borrowing Mark Curphey's favourite line.) Underneath all our security issues lies our inability to write defect-free code. Solve that and we've solved the security issues. Focus on security alone and we won't solve anything.

July 23, 2008

Changes to Computer Misuse Act will turn security professionals into criminals

ComputerWeekly has just published my opinion on the forthcoming changes to the Computer Misuse Act (CMA). From the article:

The most recent changes to the Computer Misuse Act will give power to prosecute those who help or enable others to commit computer crime. While I am very supportive of this addition, I am also in great fear of this change and its consequences - the amendments are so vaguely worded that they will instantly turn security researchers into criminals once they come into force later this year.

If you are new to the story you'll find more facts in my previous post: Changes to British law target criminals, but affect the entire security industry.

The CMA seems to be intentionally written to be ambiguous in order to cover all sorts of activities, including the legitimate ones, leaving it to prosecutors to decide what is crime and what isn't. Frankly, I think that is ludicrous.

No one disputes that we need to be able to prosecute all criminal activities, but we shouldn't be destroying innocent people's lives in the process. Good intentions only count before laws are passed. Afterwards, laws just have lives of their own.

July 17, 2008

Self-signed certificates in production point to a failure of SSL

I am realising that, although the problem that many Firefox users have with self-signed certificates points to a failure in software design (this is not a stab at Firefox, rather a testament to how difficult it is to design software to suit a diverse user base), it really points to a failure of SSL. Why do we have such large numbers of self-signed certificates in the first place? Why isn't everyone using valid certificates?

SSL is a great security protocol and a great success overall. Consider the following:

  1. Hybrid protocol that, when properly implemented, offers security and performance at the same time.
  2. Future-friendly design that allows ciphers and hashing techniques to be replaced as they begin to age.
  3. Can be applied to any communication protocol (well, almost any; and the problem will eventually be fixed).
  4. Free.
  5. Rock solid, as the designs are public and have been thoroughly reviewed.

The catch is in the "properly implemented" part. SSL can give you security but only if you can build on top of an existing trust relationship. Most people don't really think about the underlying trust foundation because this is something normally handled by browser vendors when they accept to trust the root certificates of the established certificate authorities. By the time you open a browser you already trust a few dozen entities. They, in turn, extend their trust to cover the web sites you are visiting and everything seems great. Except that there are a few rough edges:

  1. Using valid certificates is an optional step in the configuration of any web server. It requires knowledge, time and effort, and many people can't be bothered. There's also the overhead of required regular maintenance.
  2. The cost model falls apart for very small entities, mostly because of the administrative overhead, but also because of the additional cost of the certificate itself.

At first I thought the best thing to do would be to relax handling of invalid SSL certificates in browsers. After all—I thought—we don't really rely on that trust; most people don't check certificates anyway. We really care about transport security and not having our credit card details snatched while in transit. My idea was to simply ignore the fact that a certificate is self-signed. Perhaps use different colours to show the difference. I felt pretty good about that until I realised that would allow for unrestricted exploitation through man-in-the-middle (MITM) attacks. You see, the problem is that it is impossible to differentiate between a self-signed certificate and a MITM attack. It's not a problem of SSL or even the implementation. Oh, well, back to the drawing board. (Bruce Schneier recently wrote about MITM attacks: his post has a couple of very interesting stories and workarounds.)
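The point above can be shown with a few OpenSSL commands. This is an added example, not code from the original post: it creates a constructed private CA standing in for a browser's trust store, a site certificate signed by that CA, and two self-signed certificates for the same constructed hostname (shop.example) from two different keys. A verifier with only the trust anchor accepts the CA-signed certificate, rejects both self-signed ones, and has nothing but the subject name to go on when looking at the two self-signed certificates, which is exactly why "just accept self-signed" cannot be told apart from an interception.

```shell
#!/bin/sh
# Added example (not part of the original post). Demonstrates, with OpenSSL,
# why a verifier cannot distinguish a legitimate self-signed certificate from
# one an interceptor minted, and why a trust anchor (a CA the client already
# trusts) is what makes verification possible. Hostname and file names are
# constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The "trusted root": stands in for one of the few dozen CAs a browser ships with.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Demo Root CA" -days 365 >/dev/null 2>&1

# The legitimate site's certificate, signed by that root (a "valid" certificate).
openssl req -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
  -subj "/CN=shop.example" >/dev/null 2>&1
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out site.crt -days 365 >/dev/null 2>&1

# Two self-signed certificates for the same hostname, from two different keys.
# One is the site operator who skipped the CA; the other is any other party
# who ran the same command. Nothing in the certificate says which is which.
gen_selfsigned() { # $1 = output file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=shop.example" -days 365 >/dev/null 2>&1
}
gen_selfsigned selfsigned_a
gen_selfsigned selfsigned_b

# verify_cert <cert>: "trusted" if a chain to our root exists, else "untrusted".
verify_cert() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# cert_subject <cert>: the subject name a user would see in the browser dialog.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# cert_pubkey_fp <cert>: digest of the public key, the only thing that differs
# between the two self-signed certificates.
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }

# Stand-alone run: show what a verifier with only the root CA can conclude.
for c in site.crt selfsigned_a.crt selfsigned_b.crt; do
  echo "$c: $(verify_cert "$c") / $(cert_subject "$c")"
done
```

Both self-signed certificates carry the identical subject and fail verification in the same way; only their key fingerprints differ, and a client that has never seen the site before has no basis for preferring one key over the other. The CA-signed certificate passes because the client already trusted the root before the connection started, which is the trust foundation the post describes.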

The only thing I can think of that would help is raising awareness, and browser vendors seem to be doing that at the moment. Yes, there's a number of angry people, but I trust all the vendors will do the right thing—eventually. We should just be patient and wait for it to happen, while continuing to remind the vendors that security matters.

July 16, 2008

Edward Tufte is dull

Edward Tufte seems to be universally admired for his work on information visualisation. I've seen quite a few positive comments about his work over the years, the latest being Richard Bejtlich's, where he describes the experience of attending Edward's one-day class ("the best single day class ever"). Compelled by the positive feedback from so many different sources I bought the four main books (I would have attended the training, but Tufte does not teach in Europe), and even went through a bit of trouble to get them: Amazon.co.uk didn't sell them, so I bought them in the US and carried them with me back to Britain. (We are talking hardcover books of large format printed on heavy paper, not your average paperback.)

You may be surprised to learn that the books have been sitting on a shelf, virtually untouched, ever since. Why? Because they are plain dull. The production quality is very high: the paper looks expensive and the illustrations look like a lot of thought went into them. I am sure the information contained in the books is very valuable too. But, for me at least, whenever I open one of the books I feel like I've been instantly teleported to a very boring university lecture.

It's ironic that books on information visualisation fail so dramatically. I am sure there are people who are enjoying these books, but that's not the case with me. If you are considering buying one of Tufte's books do make sure to browse through them first. They are not everyone's cup of tea.

I don't have a habit of discussing topics outside security and open source on this blog, so why am I mentioning Tufte? There's an important lesson here for everyone in the business of making anything that's supposed to be used on a regular basis. (Personally, I am interested in security products, web application firewalls especially.) How our products perform is important, but not nearly as important as how they are perceived by users. A less capable and interesting product will be more useful than a more capable but boring one, purely because the former is going to be used; the latter is just going to be gathering dust.

July 15, 2008

Firefox versus SSL is really about security versus usability

My blog post Firefox 3 improves handling of invalid SSL certificates is proving to be very popular. It touched a nerve, and the comments of unhappy Firefox users keep piling on. Although I suspect a large part of the problem stems from bugs (if you read the comments you will find the reports of clearly unintended behaviour), there is a bigger problem between Firefox and its user base: it is one of security versus usability.

Who knows better: developers, or users?

It's not a problem specific to Firefox, nor a problem that only exists in the security sphere. In fact, once you become aware of the existence of the problem and start looking around, you will find it in virtually every aspect of technology. GNOME, for example, is famous for dumbing down the user interface and forcing its users to behave in a certain way.

It's not surprising that, with two opposing sides, there are two schools of thought. Implementing either approach is easy—and that's what many applications do—but that only results in unhappy users. Finding a way to make products usable, yet secure (or feature-full, outside security) is the real challenge. How do we educate the innocent yet enable the proficient?

Speaking of implementation, the answer may be in making applications capable of adapting to user needs. A system-wide setting could tell applications whether a user prefers to have decisions made for him. Alternatively, an application-specific flag could be set during installation. Having just two settings is probably not feasible, but there should be an easy way for advanced users to ask applications to show them everything.

But it may be that, in order to really solve the problem, we need to make a further step back and examine the way we develop applications. I think the majority of applications are still built by technical people, pushed by business people with features (not security or usability) in mind. Happy users are productive users, but very few companies seem to recognise this fact.

July 14, 2008

ComputerWeekly IT security blog award nomination

You may have noticed, from the appearance of another graphic element in the right hand area, that this blog has been short-listed for the ComputerWeekly IT security blog award. It is a pleasure to be in the company of my colleague Anton Chuvakin. This is one of those things that feeds the ego of every blogger and keeps him running.

If you like this blog I would appreciate if you could spend a moment to cast your vote.

P.S. Now would probably be a good time to dust off my virtual notebook and post all those thoughts I've been postponing for one reason or another!


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
