Archive for ‘computing’

October 7, 2011

Certificates for dummies

by Neil Rickert

This post is an attempt to provide a simple introduction to security certificates, as used on the web – also known as PKI (public key infrastructure) and X.509 (a series of standards).

Acknowledgement: The title of this post is shamelessly stolen from a suggestion in a thread at the opensuse forums.

Security certificates are part of what we use when sending encrypted data to a server (web server, mail server, etc).

September 26, 2011

Kindle for PC – a gripe

by Neil Rickert

The book “Evolution: A view from the 21st Century” (James Shapiro) is currently available free for Kindle, as reported on Jerry Coyne’s web site.  Shapiro is known to have some very non-standard views on evolution, and I am interested in reading those.

This post is mainly a gripe about my experience with the Kindle software.

I don’t currently have a Kindle device, nor do I currently want one.  So I thought I would read on the computer.  I mostly use linux, but Amazon does not have Kindle software for linux.  There is probably software for linux that does the trick – maybe even Okular that I have installed.  But the free book offer from Amazon does not give me a way of downloading as a file.  It requires that I have a registered Kindle or Kindle-for-PC software, and download with that.

My first step was to download the software on a Windows box (WinXP home).  That gave me an installer executable.

The next step is to install.  Typically, one needs to be an Administrator to install software in Windows.  So I opened an Administrator command prompt to install from there.  My normal Windows account is that of a limited user.  Having started the Administrator command prompt, I proceeded to begin the installation.

Sigh – and here is the gripe.  The software installed for the Administrative user only.  It put the application on the Administrative user’s menu, and created a Kindle database in the Administrative user’s files.

Scrap that.

I logged out as limited user, and logged in as admin.  I then changed my normal login to be an Administrator instead of a limited user.  I then logged back in as the normal user.  I then ran the installer again.  This time it set things up for the normal user.  I could now change my normal account back to a limited user account, logout, then login again.  Starting the Kindle application now as a limited user, it seems to work.  Perhaps I will run into problems later.

Sorry, Amazon, but that’s just the wrong way to do it.  It should be possible to run the installer as an Administrator, yet have the software made available to a limited user.  One of the reasons that Windows has virus problems is that software developers pull the stupid trick of having software that only works for admins.

August 30, 2011

The repos: the linux secret weapon

by Neil Rickert

I considered titling this “It’s the repos, stupid,” but I wanted to get “linux” into the title.

We recently purchased a new computer for a family member who uses Windows.  And it reminded me of why Windows has so many more security problems than linux.

We unpacked the computer.  Then it was plugged in and the setup program was run.  It created a user account, prompting for an account name.  This account was automatically given administrative privileges.  There was no prompt for setting up a limited user account.  Admittedly, UAC (User Access Control) is in effect, but that is still less safe than using a non-administrative account.  There was no prompt for a password.  The setup program just assumed that login without password would be used.

After it was all set up, the Windows automatic updater kicked in.  There were periodic messages that the updates would be installed at 3am.  After a few days, the important updates seem to have all been installed.

This morning, I did a check.  The computer was running an insecure version of the Adobe Acrobat reader, and was running an insecure version of flash.  There had been no attempt to update those.

That’s the difference that the repos (software repositories) make for linux.  If this had been a linux system that handles software updates, then flash and acroread (if installed) would have been updated by now.  And, of course, with a linux system the user would have been set up as an ordinary (non-root) user and with a password.

That’s the security difference right there.  A naive Windows user, not aware of current security problems, would have been left with an insecure setup that had insecure versions of important software (flash and Acrobat reader).  By contrast, on linux a naive user would have a more secure setup with all software updated to versions that fix known security holes.  An important part of the difference is that linux software is installed from the repos, so that there is a single place to check for updates.

Incidentally, on my dual boot systems it has seemed that when I reboot to Windows the main program that I use is Adobe update.  There has been a never ending stream of updates to flash.  On linux, the flash updates come through without any special effort on my part.  And when I notice them, I know it is time to reboot to windows and run Adobe update once again.

June 6, 2011

Disk encryption

by Neil Rickert

[See my crypto page for links to updated and newer information]

When installing opensuse 11.4, last March (2011), I decided to go with disk encryption (really, disk partition encryption).  I have since done some experimentation with different ways of handling that.  This post is for those readers who want to try something similar and are interested in a report on how it went.

A quick warning:  as far as I know, linux does not provide a way of “encrypting on the fly”.  If you switch to an encrypted partition, you will finish up with an empty partition.  So do a good backup first, so that you can later restore the content from that backup.

Why encrypt?

Obviously, we encrypt to protect data.  In my case, the amount of sensitive data is minor, and most of it is already in encrypted files.  It consists of website passwords, software activation keys, and similar kinds of data.  I allow firefox to handle website passwords, but keep them encrypted.  For other data and for the few user-unfriendly websites that insist firefox not keep their passwords, I have them in an encrypted file.

April 17, 2011

Gnome 3 – a review

by Neil Rickert

Gnome is software.  It is the component of some linux and unix systems that provides a graphical desktop environment.  It is one of several possible choices for a desktop GUI.  Version 3 is the latest version, and some demo CD isos were recently made available for testing it.

People use computers in different ways.  For some, the visual experience is all important.  Others use the computer for other kinds of tasks such as logging into remote systems, editing text files, maintaining blogs, etc.  If you are the “visual experience” kind of user, then this review is not for you.  That’s not my cup of tea, and I am not a good judge of what makes for a good visual experience.  So this review will be concerned mainly with usability for those who want a computer for tasks where there is considerable use of text.

March 23, 2011

PKI is broken

by Neil Rickert

Today, there was yet another reminder that there are problems with our current PKI system.

Background

For those not sure what I am talking about, “PKI” stands for “Public Key Infrastructure.”  It is a term used to refer to the system of X.509 certificates, often called “security certificates” such as are used for web browsing and other functions.

The way it works, the “secure” web site uses encryption, and presents a certificate that is supposed to guarantee the authenticity of the site.  A client, such as you when you are browsing, checks the validity of the certificate by verifying the signature that certifies the certificate.  But, in order for that to work, you have to trust the signer of the certificate.

What has happened, in the recent event, is that supposedly trustworthy certifier Comodo has signed (perhaps been tricked into signing) some certificates that were created with fraudulent intent.  So Mozilla has seen fit to work around this problem by releasing a new firefox version that specifically blacklists those fraudulent certificates.
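The check described above can be sketched as a small model (an added example, not code from the original post): the client walks a chain up to a trusted root, and a certificate that a trusted CA was tricked into signing passes every signature check, so it is stopped only by an explicit blacklist. The `Cert` structure, the CA and site names, and the toy textbook-RSA keys are all assumptions made for illustration; real X.509 validation also checks validity dates, CA flags and host names.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):  # textbook RSA -> (n, e, d); toy sizes only
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: tuple        # subject's (n, e)
    signature: int = 0   # issuer's signature over tbs()
    def tbs(self):       # the "to be signed" fields
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.pubkey}".encode()

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pubkey, serial, issuer, issuer_key):
    n, _, d = issuer_key
    tbs = Cert(subject, issuer, serial, pubkey).tbs()
    return Cert(subject, issuer, serial, pubkey, pow(digest(tbs, n), d, n))

def validate(chain, roots, blacklist=frozenset()):
    """chain is leaf-first; roots maps a trusted CA name to its (n, e)."""
    for i, cert in enumerate(chain):
        if (cert.issuer, cert.serial) in blacklist:
            return "rejected: blacklisted"
        parent = chain[i + 1] if i + 1 < len(chain) else None
        if parent and parent.subject != cert.issuer:
            return "rejected: broken chain"
        key = parent.pubkey if parent else roots.get(cert.issuer)
        if key is None:
            return "rejected: untrusted issuer"
        if pow(cert.signature, key[1], key[0]) != digest(cert.tbs(), key[0]):
            return "rejected: bad signature"
    return "accepted"

# Constructed sample data: keys built from small Mersenne primes, made-up names.
ROOT = make_key(2**31 - 1, 2**61 - 1)
SUB = make_key(2**19 - 1, 2**31 - 1)
SITE_KEY = make_key(2**13 - 1, 2**17 - 1)[:2]
OTHER_KEY = make_key(2**17 - 1, 2**19 - 1)[:2]
ROOTS = {"Example Root CA": ROOT[:2]}
sub_cert = issue("Example Sub CA", SUB[:2], 1, "Example Root CA", ROOT)
good = issue("shop.example", SITE_KEY, 100, "Example Sub CA", SUB)
# Mis-issued: a genuine CA signature binding the site name to someone else's key.
misissued = issue("shop.example", OTHER_KEY, 101, "Example Sub CA", SUB)
```

Calling `validate([misissued, sub_cert], ROOTS)` returns `"accepted"`; only passing `{("Example Sub CA", 101)}` as the blacklist makes the client refuse it.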

The problem with PKI

The current PKI system is based on a hierarchical trust model.  At my place of employment, a hierarchical model works well.  I trust the top management.  The top management delegates some trusted functions to lower level management.  So if I see trust assigned properly by lower level management, I know that it was implicitly approved by top management.

The real world doesn’t work that way.  There are no top authorities from whom trust can flow.  But PKI assumes that there are, and in order for the web to work with current protocols, we pretty much agree to trust those at the top who have appointed themselves as trustworthy.

To see how the real world works, we need to get out of the computing world.  We often need to document the validity of transactions such as applications for wedding licenses, loan applications, driver’s license applications, etc.  We document their validity by having them signed by several witnesses.  Sometimes, these witnesses are public notaries, though that is not always required.  The “web of trust” used by PGP encryption is far closer to how we handle these trust questions in ordinary non-digital life.

An example

You buy something online at FlyByNight.Thieves.com, and pay for it with your VISA card.  The site uses the current PKI security.  It turns out that you were ripped off by that site.  So you complain to the CA (certification authority) that signed their certificate.  But that CA tells you “tough; we only guarantee that the site really is FlyByNight.Thieves.com.  We don’t guarantee that they are honest.”

That’s how it currently works.  Here’s how it should work.  Your bank provides you with your VISA card, and it also provides you with an electronic version of your VISA card.  The electronic VISA card is a certificate, signed by your bank or by VISA international.  When you go to purchase online, you use your electronic VISA card.  You sign the transaction, using the public/private key pair provided with the electronic VISA (which makes forging an electronic card rather difficult).  And you check that the merchant’s security certificate is also signed by VISA international.  This checking would be done automatically by the software.  Now, if you are ripped off, you go to your bank.  They have certified the web site as trusted to accept VISA transactions.  You have a trust relation with your bank, and the bank makes sure that you are not ripped off.

We cannot do that with the current PKI.  For it would require that a web site have its certificate signed by VISA, by Discover Card, by American Express, by Master Card, and by similar groups.  The current PKI system allows for only a single signature on a certificate (unlike the PGP encryption system, which allows multiple signers).

The current system does a reasonably good job of preventing “Man in the Middle” attacks.  But we should expect more than that from an internet security system.

March 17, 2011

OpenSuSE 11.4 – review

by Neil Rickert

I’ve been busy over the last few days.  Or at least that’s my excuse for not posting anything here.  The new version of openSuSE came out last week, and I have been busy installing it on three systems, and configuring it.  I first installed on an older (circa 2004) computer for testing.  Once I had determined that it was reliable enough, I installed on my newer laptop, then on my desktop.

My overall impressions are good.  For sure, there are some bugs – there always are.  I was previously using version 11.3, which had its share of bugs too.