December 30, 2004

Netcraft breaks ranks and points the crooked black claw of doom at the SSL security model

In a show of remarkable adeptness, Netcraft have released an anti-phishing plugin for IE. Firefox is coming, so they say. This was exciting enough to make it on Slashdot, as David at Mozilla pointed out to me.

There are now dozens of plugins floating around designed to address phishing. (If that doesn't say this is a browser issue, I don't know what will. Yes, the phish are growing wings and trialling cell phones, pagers and any other thing they can get at, but the main casting action is still a browser game.) The trustbar one is my favourite, although it doesn't work on my Firefox.

So, what about Netcraft? Well, it's quite inspired. Netcraft have this big database of all the webservers in existence, and quite a few that are not. The plugin simply pops on over to the Netcraft database and asks for the vital stats on that website.

Well, hey ho! Why didn't we think of that?

There's a very good reason why not. Several, in fact. Firstly, this puts Netcraft into your browser in an important position; if they succeed at this, then they have entrée into the users' hearts and minds. That means some sort of advertising revenue model, etc etc, as clearly permitted in their licence. Or worse, something like their own little spyware programs, which may or may not be permitted under their Privacy clause.

(So one reason we didn't think of that is because we all hate advertising models ... just so we're clear on that point!)

But more interesting is that Netcraft is a player in the security industry. At least, they are a collector of CA and SSL statistics, and their reports sell for mighty big bucks. So one might expect them to pay attention to those suggestions that supported the SSL industry, like the ones that I frequently ... propose.

But, no. What they have done is completely bypassed the SSL security model and crafted a new one based on a database of known information. If one has followed the CA security debate, it bears a stunning similarity to the notions of what we'd do if we were attempting to fix the model. It's the endgame: to fix the revocation problem you add online checking which means you don't need the CAs any more.

Boom. If Netcraft succeeds in this approach (and there is no reason why others can't copy it!) then we don't need CAs any more. Well, that's not quite true; what this implies is that Netcraft just became a CA. But they are a CA according to their rules, not those historical artifacts popularised by accounting entities such as WebTrust.

So it's another way to become a CA: give away the service for free, acquire the user base, and figure out how to charge for it later. A classic dotcom boom strategy, right? Bypass the browser policy completely because it is struggling under the weight of the WebTrust legacy, and the security wood can't be seen for the policy trees.

(Now, some will be scratching their heads about the apparent lack of a cert in the plugin. Don't worry, that's an implementation detail. They can add that later, for now they offer a free certificate service with no cert. Think of the upgrade potential here. The important thing is to see if this works as a *business* model first.)

So this takes aim at the very group that they sell reports to. Of course, the people who want to buy reports on certificate use are the CAs, and their various suppliers of CA toolkits.

That's why it's a significant event. (And another reason why we didn't think of it!)

Netcraft have obviously worked out several things: the CAs are powerless to do anything about phishing, and that's a much bigger revenue stream than a few boring reports. Further, the security model is stagnant at best and a crock at worst, so why not try something new? And the browser manufacturers aren't playing their part, with nary a one admitting that the problem is in their patch. So their users are also vulnerable to a takeover by someone with some marketing and security sense.

Well done Netcraft, is all I can say! Which is to say that I have no idea whether the plugin itself will work as advertised. But the concept, now, that's grand!

Posted by iang at December 30, 2004 02:26 PM

I don't understand many of your comments here: why you say that they are like a CA, or bypassing the SSL security model. People will still be using SSL to connect to their web sites. This plug-in does not provide the security that SSL does.

You also exhibit a curious failure to critically analyze this product from the security perspective. I can't help thinking that your anti-CA bias has blinded you to any security flaws in this alternative.

I also wonder who is "we", as in "we didn't think of that". Are you royalty now?

Posted by: Cypherpunk at January 3, 2005 01:22 PM

To answer your questions in reverse order:

> Are you royalty now?

That was the inclusive us not the royal we! Sorry, it kinda slipped out. I have a bad habit of including everyone in the discussion, instead of blowing my own trumpet. I know that annoys people of your culture, and I'll try to remember to blow harder next time ;-)

> You also exhibit a curious failure to critically analyze this product from the security perspective.

Sorry, yes, to put that in further light, I skipped analysing it because it is obviously insecure. What is there to say?

> This plug-in does not provide the security that SSL does.

Correct. It provides something different.

> I can't help thinking that your anti-CA bias has blinded you to any security flaws in this alternative.

Right, either that, or your pro-CA bias has blinded you to any possibility that a non-CA approach might help. Or both :)

> People will still be using SSL to connect to their web sites.

I guess, yes, maybe. I don't see that as relevant, as SSL isn't protecting them anyway, because the attack totally bypasses SSL.

> or bypassing the SSL security model.

The SSL security model is supposed to address spoofing. That is, protect against an MITM that allows the attacker to glean information. Phishing is such an attack. Now, to use the SSL security model to address phishing, one would expand the use of certs to relate the server and client together, sans CA. E.g., caching and tracking. It's a pretty minor change, in tech terms, but it does take the shine off the CA concept, rather. Which is why it has failed to gain traction, I guess, because as you intimate there are a lot of people who can't bear to see the CA concept challenged.

Back to Netcraft. In its attempt to address the MITM of phishing, Netcraft doesn't do that, it creates (or reuses) a whole new infrastructure alongside SSL and uses that to make comments on whether the user is being spoofed or not. Hence, it bypasses SSL.

> they are like a CA

Because they are a central party to which you go to get an opinion from. I'm using the words in a broad, sweeping sense here. But don't be fooled by the broad brush; if Netcraft wanted to become even more like a CA, what would stop them?


Posted by: Iang at January 3, 2005 01:51 PM
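The "caching and tracking" idea in the reply above, and the post's point that relating server to client history sidesteps the CA, can be shown in working code. The following is an added example, not code from the original post, from Netcraft, or from any browser: a client-side key-continuity store that pins the certificate each host presented on earlier visits and grades the current visit against that history. The certificate bytes, hostnames and the visit threshold are constructed assumptions so it runs offline.

```python
"""Key-continuity ("caching and tracking") check for a TLS client, sans CA.

Added example. The certificates are stand-in byte strings, not real DER;
in a browser they would be the server certificate from the TLS handshake.
"""
import hashlib
import json

# Assumed policy: this many consistent visits before a host counts as "known".
TRUST_AFTER_VISITS = 5


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate exactly as the server presented it."""
    return hashlib.sha256(cert_der).hexdigest()


class ContinuityStore:
    """Per-host record of the first certificate seen and how often it recurred.

    This is the 'cache': it relates the server to this client's own history
    rather than to a third party's signature.
    """

    def __init__(self, state=None):
        # host -> {"fp": fingerprint, "visits": int}
        self.hosts = dict(state or {})

    def check(self, host: str, cert_der: bytes) -> str:
        """Classify this visit as 'first-seen', 'match' or 'changed'."""
        fp = fingerprint(cert_der)
        rec = self.hosts.get(host)
        if rec is None:
            self.hosts[host] = {"fp": fp, "visits": 1}
            return "first-seen"
        if rec["fp"] == fp:
            rec["visits"] += 1
            return "match"
        # Same host, different key: a legitimate rotation or an MITM. The store
        # does not guess; it reports and keeps the old pin until accept() is called.
        return "changed"

    def accept(self, host: str, cert_der: bytes) -> None:
        """User-confirmed key rotation: replace the pin and restart the count."""
        self.hosts[host] = {"fp": fingerprint(cert_der), "visits": 1}

    def standing(self, host: str) -> str:
        """How much history this client has with the host: unknown, new or known."""
        rec = self.hosts.get(host)
        if rec is None:
            return "unknown"
        return "known" if rec["visits"] >= TRUST_AFTER_VISITS else "new"

    # Persistence between sessions (the 'tracking' half).
    def dumps(self) -> str:
        return json.dumps(self.hosts, sort_keys=True)

    @classmethod
    def loads(cls, blob: str) -> "ContinuityStore":
        return cls(json.loads(blob))


def advise(store: ContinuityStore, host: str, cert_der: bytes,
           password_prompt: bool) -> str:
    """Turn continuity plus standing into the message browser chrome would show.

    A phishing host is usually a hostname this client has never seen, so the
    useful signal is 'you are about to type a password into a stranger'.
    """
    result = store.check(host, cert_der)
    if result == "changed":
        visits = store.hosts[host]["visits"]
        return "WARN: %s presented a different key than on %d earlier visits" % (host, visits)
    if password_prompt and store.standing(host) != "known":
        return "WARN: %s is asking for a password but you have little or no history with it" % host
    return "OK"


if __name__ == "__main__":
    # Constructed walkthrough: five visits to the real bank, then a phish.
    store = ContinuityStore()
    bank_cert = b"constructed-cert-bank"
    for _ in range(TRUST_AFTER_VISITS):
        store.check("bank.example", bank_cert)
    print(advise(store, "bank.example", bank_cert, True))
    print(advise(store, "bank-login.example", b"constructed-cert-phish", True))
    print(advise(store, "bank.example", b"constructed-cert-mitm", True))
```

Note what this does and does not catch: a key change on a known host is flagged regardless of who signed the new certificate, and a password prompt on a host with no history is flagged even when its certificate is perfectly valid. A phisher who has also captured the real host's key and name is outside the model, as it is outside the CA model.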