[MPI3 Fortran] Agenda for MPI3 Fortran Working group next week

Torsten Hoefler htor at cs.indiana.edu
Wed Jun 3 10:34:34 CDT 2009


On Wed, Jun 03, 2009 at 02:35:17PM +0100, N.M. Maclaren wrote:
>> The CA for that SSL certificate is here -- it covers all sites run by   
>> the Indiana University Computer Science department (e.g., including   
>> the Open MPI SSL-enabled web sites):
>>
>>     http://www.cs.indiana.edu/Facilities/FAQ/Mail/csci.crt
>
> Thanks.  That's not actually the biggest problem.
I am sure you can call our sysadmins and confirm the validity of the
certificate fingerprint.

>> Install that CA and you should have no problems getting to the site.    
>> Or just install the Firefox exception and you should be fine, too.
>
> Aargh!  NO, you are NOT!  The whole SSL/https design is cretinous, and
> that is seriously dangerous if you ever use your browser for anything
> important.
I don't see your point at all. When you install an untrusted CA
and you don't verify the identity (fingerprint), then it's certainly
your fault. I can see your point -- if you don't trust IU to not lose
their private key, then don't import their CA (I also do not trust them,
thus I don't import their CA -- I also deleted all other CAs from my
browser, see below). However, importing the certificate for the specific
domain (meetings.mpi-forum.org) will be safe since every sane browser
will ensure that this cert is used only with the specific domain name (and
show it to you in the address line every time it does so).

If you use a browser that does not bind imported certificates to domain
names, then it's your fault. If you use a browser that allows CA
certificates to be sneaked through without warning you (Firefox warns)
and/or you don't read your browser's messages, then it's again your fault.

> The risk is that someone will hack that site, you will not hear about it
> (because it isn't an official site), and the bogus key will be used to
> get your credit card details.  That is why you should NEVER install an
> 'unofficial' key (EVEN one that you trust).
Yes, that's a valid issue, don't import the CA then. However, if your
browser allows SSL certificates to extract credit card data from your
computer, then it's your fault to use it. If your browser allows
meetings.mpi-forum.org to install keys for other domains, then you should
switch browsers (again, your fault).

Actually, the risk that someone 'cracks' one of your favorite
preinstalled CAs is much higher! Some CAs still use MD5 even though it
has been broken for 4 years! I've seen people generating a signed key
with a couple of PS3s at the 25C3. Details:
http://blogs.zdnet.com/security/?p=2339 and
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt

> Note that "hacking that site" includes just getting hold of the private
> key and running a DNS spoofer that catches you, so the site owner changing
> key does NOT stop the insecurity - YOU have to cancel the key which, in
> turn, means that you have to hear of the compromise.
Again, don't use the CA, use the webpage cert instead. If you enter your
credit card data in a webpage that says meetings.mpi-forum.org and shows
your favorite bank webpage, then it's your fault.

>> Complain if you want to, but IMNSHO, IU has done a damn fine job of   
>> hosting both Open MPI and the MPI Forum (and absorbing all the   
>> associated costs).  Yes, I feel a little strongly about this issue.  
>> :-)
>
> All credit to them for that, but why https?  There are much simpler and
> better mechanisms.
I agree that HTTPS PKI is somewhat broken but it seems to have the best
effort/security ratio. It's just to establish some kind of
protection/encryption. I am very curious to hear your suggestion of a
better/safer system with a comparable effort (VPN is not an option
here).

Disclaimer: even though I am affiliated with IU, I am not involved in
the maintenance of any of the infrastructure. I am generally interested
in security though.

We should move this off the list (it's not an MPI Fortran issue). I'm
also available via phone to discuss this issue.

Thanks & All the Best,
  Torsten

-- 
 bash$ :(){ :|:&};: --------------------- http://www.unixer.de/ -----
Torsten Hoefler       | Postdoctoral Fellow
Open Systems Lab      | Indiana University    
150 S. Woodlawn Ave.  | Bloomington, IN, 474045, USA
Lindley Hall Room 135 | +01 (812) 855-3608