Will the real John Viega please stand up?
I thought this was very funny. Yesterday I came across this post from John Viega where he discusses the certificate trust model, ending the post with:
That leaves the Internet fundamentally broken.
Then, today, in a guest post on the Zero Day blog, he states:
People are declaring the entire Internet is broken, and that it will be hard to fix. This is simply not true.


Hey there. First, I'm honored that you're paying enough attention to nit-pick on ambiguities in language. Sorry about the overloading of "broken" across multiple posts. I hope it's clear that I wasn't referring to the same degree of broken in each case. Since there isn't a formal definition of "broken", this is not too unusual :) Plus, blogging is pretty off the cuff anyway.
Anyway, to get more specific here, I'd say this new attack won't leave PKI significantly more broken than it already is. If RapidSSL and any other CAs that might be affected do their jobs relatively quickly, then this attack will probably never be used by a bad guy. If they do not, then the world will be a bit inconvenienced as browsers/OS vendors have to blacklist RapidSSL and get everyone to upgrade their browsers, but there's a fairly big window to do that, so in the worst case, this might be a bit like the fallout from the Kaminsky bug, where there might be some isolated attacks.
Plus, note that CAs can pretty easily identify and review certificate requests that are suspicious, that indicate someone tried to launch an attack to guess the issued serial numbers.
That's not to say that a bad guy couldn't come up with a rogue CA. Yes, it was already possible. It's just that somebody showed that it could have been done more inexpensively.
I guess over the years I have come to take for granted that we're often going to deal with significant risk in our systems. How long did the real world go before a significant percent of email traffic got decent encryption? People just didn't care too much. PKI has had a host of issues like this that make it inflexible for a long time, yet the world doesn't seem to care enough to jump the hurdles to move to something better (i.e., something based on IBE).
So, there are probably several ways in which the internet is fundamentally broken, but to the average user, this typically nets out to a risk that is more than wholly acceptable.
Getting back to a rogue CA, anybody with enough money and a modicum of smarts can probably create one, even without the attack in question. As a result, if they used this in a highly targeted fashion, they might steal some money. But the more they use it, the more they're likely to get caught (perhaps by people like me who want to catalog all certificates people browse to, who might notice the anomaly, or perhaps by people on the finance side).
If the risk got too great, then everyone would probably switch to a hardcoded list of known CAs that the major CAs published, or something like that. It wouldn't be the end of the world.
So, yes, I think things are fundamentally broken, but at the same time, it's not the end of the world.
I hope that makes some sense...
John
Posted by: John Viega | December 31, 2008 at 09:59 PM
Hi John,
Thanks for dropping by and taking the time to respond. I didn't think a response was necessary, however, as both of your posts made sense and were not contradictory. I used my tongue-in-cheek comment to touch upon the issue of too many people saying the Internet was broken, which is making the phrase increasingly meaningless. To paraphrase what you said earlier today, the Internet is broken, but no more than usual.
Posted by: Ivan Ristić | January 02, 2009 at 11:02 AM