The road to a secure web is fraught with difficulties both in technology and practice.
Speaking at RSA Conference in San Francisco, Andy Ellis, chief security officer at Akamai said that while it appears that getting HTTPS turned on and achieving privacy is almost within our grasp, it is not as there is still confusion between secrecy and privacy
In his talk, titled “the long road to a secure web”, Ellis said that what is holding us back on HTTPS everywhere is the “loose tie” connection between HTTPS and TLS, and loose between IP and TLS where you are not sure whether to trust a client or server.
He said: “It is not just a certificate authority problem, it is a browser problem as there needs to be a root of trust, and you can be trusted for everything or nothing. With TLS proxy, we saw this with Superfish and what happened was if you had gone to valid website a proxy presented a valid certificate, and the user certificate store was compromised to add a new CA and saw DNS lookup and create a certificate for the entry and satisfied it.”
Ellis said that the “sin of Superfish was in not running a proxy”, as a request that was unsecure was made and no one would have known about it.
Looking to the future, Ellis said that we do need to get to TLS as it is not a waste and it is necessary, but it is not sufficient. “We spent the past 20 years ignoring crypto and believe backwards compability has gone away and 15 years ago we believed in SSL 2.0, but we have got to bite the bullet and on SSL 3.0 and TLS 1 too,” he said.
“If we are writing new software we need to understand that all encryption is bad and it is just a matter of when. If we are not prepared to add in new encryption and get rid of what we support today, and if it is not part of problem be prepared to eiminate it.”
Ellis concluded by saying strategically, security is not privacy, just as you cannot listen to what someone is saying it doesnt mean you don’t who is speaking and what about.
“If you design a system,.what are your actual goals,” he said. “I recommend you look at the safety analysis world and understand what is your unacceptable loss?”
