Wednesday, April 7, 2010

The root of a problem?

It was probably just as well that I'd dialed down the percentage of coffee relative to milk in this morning's first mug. Because there are few things that will get an open source geek's blood moving like the news that their window to the online world (a.k.a. the Firefox web browser) carries a fundamental security flaw. As it turns out, all was actually in order, save for some paper-trail housekeeping. (See Kathleen Wilson's note about 3/4 of the way through this thread.)

(A definition of "root certificates" for non-admins: Ever notice how, when you're logging into your bank's website or buying something from an online store, the first part of the web address switches from "http://" to "https://"? That extra "s" means your browser and the server it's talking to are encrypting their traffic, so that no one in the middle can read (or quietly alter) data such as account numbers, passwords, etc. But before your browser pulls out its Magic Decoder Ring, it needs to know that the server it's talking to is legit, and not an impostor who also happens to speak fluent encryption. That's where certificates come in, and trust me when I say that they don't exactly come in Cracker Jack boxes. A "root certificate" is the Momma--heck, make that Ancestral Matriarch--whose signature (directly, or through a chain of intermediaries) vouches for thousands of descendant certificates. Your browser ships with a built-in list of Matriarchs it trusts, and any certificate that can trace its lineage back to one of them inherits that trust automatically. So you can probably imagine the theft, fraud and outright mayhem that could occur if millions of copies of a web browser accepted an ersatz Matriarch--or, more aptly, her descendants--as The Real Deal.)

Thankfully, the scare was just a scare. But it started me thinking about how--at this level at least--we might just be making a mistake by modeling browser security on very human notions of trust. Actually, less-than-human notions of trust. Trust is, so I imagine, a shades-of-grey matter for most personalities. But it's binary (figuratively as well as literally) for most computerized systems. "Binary" as in: Oh, your certificate isn't vouched-for? No trust for you! In real-world terms, it's the difference between a bored/rushed TSA employee ticking off a checklist and a one-on-one chat with a trained El Al agent. (Disclaimer: El Al's history of racial profiling is most emphatically not endorsed here. Why (apart from the obvious human rights dimensions)? Because race just boils down to a checkbox on a list, and thus gives the agent an excuse not to use her/his think-meat. Which in security is always, always A Heinously Bad Thing.)

Conventional wisdom says that the human personality is the proverbial weak link in the security chain. Ironically, though, it can also be the strongest--but only if the humans in question are trained and allowed to use all their senses. Including, as appropriate, the somewhat nebulous gut sense. Fuzzy logic isn't yet mainstream enough to reliably help your browser decide which websites to trust. But today's scare over the legitimacy of root certificates, I think, highlights the weakness in the binary nature of the trust/distrust model of browser security. Do I have an alternative suggestion? Not really. I can only hope that the incident sparks more discussion--and, ultimately, more alternatives--from the security/cryptography community.