by Splendor 4436 days ago
Let me get this straight. Sites across the internet are (hopefully) revoking their CAs and issuing new ones to address Heartbleed but Mr. Langley is suggesting that we shouldn't check for revoked CAs because it might not do anything and it's slow?

Sorry, but after the last few weeks I'll happily accept a little slowness for the security revocation checking provides in the cases where it does work, even if it's not 100% of the cases.


I guess you didn't read the article? He's saying there are no cases where it works. Making it completely pointless.
> That's why I claim that online revocation checking is useless - because it doesn't stop attacks.

Doesn't mean there are "no" cases where it works. It just means any attacker dedicated enough can work around the CRLs.

I don't see any reason why one should throw the baby with the water. In this case, I just see Chrome guilty of FUD and hiding behind an intractable problem to justify their incorrect position.

See http://en.wikipedia.org/wiki/Two_Generals'_Problem if you want to convince yourself the problem is intractable.

I did read the article.

> "In order to end on a positive note, I'll mention a case where online revocation checking does work..."

Funny how you didn't quote the actual case mentioned, just the text ahead of it. Ctrl-F'ing a little quick, eh?
That's even more proof you didn't read it. How does enabling it in chrome make any difference to code signing?
Does enabling revocation checking make me less safe?
Yes! It involves you reporting all the sites you visit to a CA!
I guess I knew that but hadn't grasped the security problem this presents. You've changed my mind. Thank you.
Well, his argument is also that the attacker can easily circumvent it, which is true, but it still makes it slightly harder to do, because the attacker needs to remember it.
Well, this is what "security theater" is. If you said that exact thing in the context of a TSA screening program there would be no one here going "yes, that makes perfect sense", and it's even easier for network attackers; they have to fix their attack scripts once and they work for good until the next countermeasure.
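The point argued back and forth above (that an on-path attacker "works around" online revocation checking by simply blocking the responder, so the check only matters when the client hard-fails) can be shown as a decision table. This is an added example, not code from the thread or from Chrome; the OCSP responder, the revoked serial and the helper names are all constructed stand-ins.

```python
from enum import Enum


class Policy(Enum):
    SOFT_FAIL = "soft-fail"  # unreachable responder is treated as "not revoked"
    HARD_FAIL = "hard-fail"  # unreachable responder is treated as a failure


class ResponderState(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # e.g. the network attacker drops the OCSP query


# Constructed sample data: one serial the (simulated) CA has revoked.
REVOKED_SERIALS = {"0x1234abcd"}


def ocsp_lookup(serial, network_blocked):
    """Simulated OCSP responder (hypothetical helper, no real network I/O)."""
    if network_blocked:
        return ResponderState.UNREACHABLE
    if serial in REVOKED_SERIALS:
        return ResponderState.REVOKED
    return ResponderState.GOOD


def accept_certificate(serial, policy, network_blocked):
    """Client decision: True if the certificate is accepted under this policy."""
    state = ocsp_lookup(serial, network_blocked)
    if state is ResponderState.GOOD:
        return True
    if state is ResponderState.REVOKED:
        return False
    # Responder unreachable: only the policy decides the outcome.
    return policy is Policy.SOFT_FAIL


def decision_table(serial):
    """Outcome for every (policy, responder blocked?) combination."""
    return {
        (policy.value, blocked): accept_certificate(serial, policy, blocked)
        for policy in Policy
        for blocked in (False, True)
    }


if __name__ == "__main__":
    for (policy, blocked), accepted in decision_table("0x1234abcd").items():
        print(f"{policy:>9} blocked={blocked!s:5} -> accepted={accepted}")
```

The revoked certificate is rejected only when the responder answers, or when the client hard-fails; under soft-fail, the attacker who blocks the query gets the certificate accepted, which is the "doesn't stop attacks" case the thread is about.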