In news that might bemuse, Facebook is in the process of turning on SSL permanently. In this it is following Google and others; they, meaning Google and co., are in turn following yet others, including the EFF, Mozilla and a bunch more.
Those, in turn, are following Tyler, Amir, Ahmad and yours truly.
We have been pushing for the use of all-authenticated web pages for around 8 years now. The reason is complicated, and it has *nothing to do with wifi*, but it's ok to use that excuse if it is easier to explain. It is really all about phishing, which is an MITM against the web user (SSL or not). The reason is this: if we have SSL always on, then we can rely on a whole bunch of other protections to lock in the user: pinning and client certificates spring to mind, but never forget that the CA was supposed to show the user that she was on her own bank's site, not somewhere else.
But without SSL always on, solutions were complicated, impossible, or easily tricked. So a deep analysis concluded, back in the mid-2000s, that we had to move the net across to all-SSL, SSL-only, for any site with user interaction. (Which since then has become all of them; remember that surfing in a basic read-only mode was possible in those days...)
A project was born. Slowly, TLS/SNI was advanced. Browsers experimented with new and old SSL display ideas. All browsers upgraded to SSL v3 and then to TLS. Servers followed suit, s.l.o.w.l.y.... SSL v2 got turned off, painfully. Various projects sprang up to report on SSL weaknesses, although they don't report on the absence of SSL, the greatest weakness of them all... OK, small baby steps, let's not rush it. Indeed, the reason my long-suffering readers have to deal with this site in SSL is because of that project. I eat my own dogfood.
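The mechanism browsers eventually standardised to make a host "SSL always on" is HTTP Strict Transport Security (RFC 6797). The post does not name it, so what follows is an added example, not code from the original post: a client-side HSTS policy store that honours a Strict-Transport-Security header only when it arrived over HTTPS with a valid certificate, and rewrites later http:// navigations to https:// before any request leaves the machine. The hostnames and header values are constructed for illustration.

```python
"""HTTP Strict Transport Security (RFC 6797) policy store, client side.

Added example (not from the original post). A server that wants to be
"SSL always on" sends Strict-Transport-Security over HTTPS; the client
remembers it and upgrades later http:// navigations before anything goes
on the wire, denying a phishing/MITM proxy its plaintext first hop.
Hostnames and header values used here are constructed.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool  # policy also covers *.host


def parse_hsts(header: str):
    """Parse an STS header value into (max_age, include_subdomains), or None if malformed.

    RFC 6797 s6.1: max-age is required and may appear once, directive names are
    case-insensitive, values may be quoted, unknown directives (e.g. preload) are ignored.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None   # duplicate or non-numeric max-age: treat header as absent
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Remembers which hosts have asked to be HTTPS-only."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested offline
        self._hosts = {}     # lowercase hostname -> HstsEntry

    def observe_response(self, url: str, headers: dict, cert_valid: bool = True) -> bool:
        """Record the policy carried by one response; True if a policy was stored or cleared.

        RFC 6797 s8.1: ignore the header unless it came over HTTPS with a certificate
        that verified, otherwise an on-path attacker could plant or strip policies.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_valid or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 is the documented way to revoke
            return True
        self._hosts[host] = HstsEntry(self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """Does a live policy cover this host, exactly or via includeSubDomains?"""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self._hosts[candidate]   # lapsed policy: forget it, keep looking
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when the host is known (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # Port 80, explicit or implied, becomes the https default; other ports are kept.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store.observe_response("http://bank.example/", sts)    # plain HTTP: ignored
    print(store.rewrite("http://bank.example/login"))      # http://bank.example/login
    store.observe_response("https://bank.example/", sts)   # HTTPS, valid cert: stored
    print(store.rewrite("http://bank.example/login"))      # https://bank.example/login
    print(store.rewrite("http://www.bank.example/a?b=1"))  # https://www.bank.example/a?b=1
    print(store.rewrite("http://bank.example.evil/"))      # unchanged: not a subdomain
```

The caveat a practitioner should keep in mind is visible in the first call: until the client has once reached the host over HTTPS, the very first plain-HTTP request is still exposed, which is exactly the window a phishing proxy needs. That gap is why browsers also ship a preload list of hosts that are HTTPS-only from the first visit.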
And, finally, some leaders started doing more widespread SSL.
(For those old-timers who remember: this is how it was supposed to be. SSL was supposed to be always on. But back in 1995 it was found to be too expensive, so the business folks split the website and broke the security model (again!). Now there is no such excuse, and Google reports somewhere that there was no hit to its performance. 15 years later :) )
This is good news - we have reached a major milestone. I'll leave you with this one thought.
This response all started with phishing, which began in 2001 and really got going by 2003. Now, if we call Facebook the midpoint of the response ("before FB you were early; after, you're a laggard!"), we can conclude that the Internet's security lifecycle, or its OODA loop, is a decade long.
This observation I especially leave there for those thinking about starting a little cyber war.
In another outstanding development in the new normal of the post-GFC world, a bad actor has been taken to task:
The ruling in the Federal Court of Australia on November 5th held Standard & Poor’s (S&P) jointly liable with ABN AMRO, a bank, for the losses suffered by local councils that had invested in credit derivatives that were designed to pay a high rate of interest yet were also meant to be very safe.
What in effect does this mean? If you put your name on something as good, then you have to carry the consequences of it being bad. And the courts will hold you to it, or at least they did in this case, just as shareholders held Deloitte accountable in at least one auditor case recently.
This is one of the essential, unavoidable causes of the GFC (marks I and II): that powerful players may take the upside of profitable participation in risky trades, yet declare themselves non-liable for the downsides.
Was S&P, in this case, just caught out by a statistical bad apple, or was it raking it in? The Economist goes on to report:
The derivatives in question were “constant proportion debt obligations” (CPDOs). These instruments make even the most ardent fans of complex financial engineering blush: they are designed to add leverage when they take losses in order to make up the shortfall. S&P’s models, which the court said blindly adopted inputs provided by ABN AMRO, gave the notes a AAA rating, judging they had about as much chance of going bust as the American government.
That's a slam dunk. Adding that local councils are unsophisticated investors (and generally can't tell their elbow from their posterior), it is no surprise that they routinely invest in AAA ratings, and only AAA ratings. Hence, they rely on AAA.
Hence, S&P must be held liable for its good word on the meaning of AAA, assuming of course that the Economist's reporting is a fair representation of the evidence presented.
Further, as S&P clearly did not do the diligence due for a statement with the gravitas of "as safe as the American government," the question of gross or criminal negligence looms large.