October 30, 2020

Usable security irony

I visited Usable Security (the web page for the 2007 Usability Security workshop) today to look up a reference, except the link I followed was actually the SSL version of the page. Guess what?

Secure Connection Failed

usablesecurity.org uses an invalid security certificate.
The certificate expired on 12/29/08 12:21 AM.

(Error code: sec_error_expired_certificate)

  • This could be a problem with the server’s configuration, or it could be someone trying to impersonate the server.
  • If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

How many other web sites out there have the same problem? Using SSL, all the time, is clearly a good thing from a security perspective. There’s a performance issue, of course, but then there’s this usability problem from the server admin’s perspective.
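The expired certificate above is the routine failure mode of "SSL everywhere" from the admin's side: nothing breaks until the day it breaks. The check below is an added example, not code from the post; it inspects a certificate in the dict shape Python's `ssl` module returns and reports how close it is to expiry, so the warning reaches the operator before the browser error reaches visitors. `EXPIRED_CERT` is a constructed sample using the expiry date quoted in the error, and `fetch_cert`, `days_until_expiry` and `expiry_status` are names chosen here.

```python
"""Warn about TLS certificate expiry before browsers refuse the site."""
import socket
import ssl
import time
from typing import Optional

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); the
# notAfter value is the "expired on 12/29/08 12:21 AM" date from the post.
EXPIRED_CERT = {
    "subject": ((("commonName", "usablesecurity.org"),),),
    "notBefore": "Dec 29 00:21:00 2007 GMT",
    "notAfter": "Dec 29 00:21:00 2008 GMT",
}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the peer certificate for host:port (needs network access).

    Verification stays enabled, so an already-expired certificate raises
    ssl.SSLCertVerificationError here, just as the browser refused the page.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days until notAfter, measured from `now` (epoch seconds, default: current time).

    Negative means the certificate has already expired.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT format
    now = time.time() if now is None else now
    return (not_after - now) / 86400


def expiry_status(cert: dict, now: Optional[float] = None, warn_days: int = 30) -> str:
    """Classify the certificate as 'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated at the current time.
    print(f"{EXPIRED_CERT['notAfter']}: {expiry_status(EXPIRED_CERT)} "
          f"({days_until_expiry(EXPIRED_CERT):.0f} days)")
```

Run `expiry_status(fetch_cert("example.org"))` from a scheduled job and alert on anything but `ok`; a certificate that already fails verification surfaces as the exception rather than a status.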

Comments

  1. Using SSL all the time is a good thing? I don’t buy it.

    If that were the case, there would be a hugely more developed SSL certification infrastructure with much more lax requirements, so that every blog and homepage could get up and running with minimal fuss. The laxity in requirements and abundance of amateur websites with valid SSL certificates would mean that phishers and other malicious sites could acquire or hijack a secure endpoint at will. There would then be little to distinguish between a secure site with solid reasons to be secure (such as a banking site), versus a man in the middle attack. Assuming the same browser technology, both would appear as encrypted connections.

    If one were to take half of SSL, such as encryption without authentication, then I can see a more solid case. Encrypted streams everywhere would make lots of sniffing attacks a lot more difficult, while reserving authentication to where it’s really needed, and more importantly, where it needs to be visibly different.

    • Anonymous says:

      No need for infrastructure, just sign your own certificate.

    • John Millington says:

      Authentication doesn’t need to be reserved to special situations, it just needs to be presented better by the browsers. There’s nothing wrong with a self-signed cert as long as the meaning is very clearly shown to the user (i.e. “somebody, you’re not sure who and have no reason to believe them, says you’re talking to Foo Inc”). And the browsers need to be improved in that regard anyway, since the meaning of the famous-CA-signed certs is actually pretty vague right now too. The padlock icon just doesn’t mean anything that any normal user really understands.

      In my opinion, the only real downside to “use SSL for everything” is that it means even fewer things could be stored in shared caches, but in practice we’re not doing nearly as much of that as we could anyway, so the efficiency loss wouldn’t be missed.

  2. Anonymous says:

    Given that SSL certificates are a pointless scam anyhow, there is no irony here at all. The “usable security” in SSL is merely the link encryption and nothing else.

  3. John Millington says:

    The usability problem is that the CAs are only certifying for a year. For some reason (and I think we all know what that reason is 😉) this has become the “normal” and accepted thing to do with X.509.

    Now look at your OpenPGP certs. It’s very common for both keys and signatures to not have any expiration at all (which is probably a bad idea, but not as bad as lasting for only 1 year) or in some cases a really long duration like 10 years. The accepted practices and defaults are just … more sensible.

  4. Yeah, the interfaces in current web browsers for displaying SSL information really suck. Jennifer Sobey, Paul Van Oorschot, and I have recently reported on some work-in-progress research that reviews the problem in various browsers and discusses possible solutions. Have a look at
    http://www.andrewpatrick.ca/security-and-privacy/new-research-report-browser-interfaces-and-ssl-certificates

  5. Bryan Feir says:

    Really, in order for certificates to truly indicate trust, we don’t need expiration dates so much as we need explicit revocation methods. Of course, the CA makes a lot more money if they enforce expiration dates and don’t necessarily look too closely at who actually sent them the request.

  6. Anonymous says:

    …is a cost centre, not a profit centre. InfoSec is perceived by business as a money sink and something you react to, not pre-empt.