Great essay exploring what the Internet's "threat model" actually is, and what it is presumed to be by SSL and other common security measures.
A threat model looks at the application – at what we are trying to protect. In this case, we know that the actual threat that SSL was built for was the sniffer of credit card numbers. But, he, the sniffer, is not considered, what's replaced his role is some theoretical bogey man. The bogey man can do anything that we know how to protect against, and not the things we can't protect against…

SSL was put together as a "perfect" protocol to solve a "convenient" threat model from the (admittedly persuasive and pervasive) knowledge of the times. And, it took little or no account of the needs of the application…

That's why, for example, the protocol finishes its security job close to the borders of the comms. That's why CA-signed certs were chosen, because they solved something that could be solved, with no particular analysis as to whether anyone would bother to attack that weak link. That's why, for example, it's a channel security product, and not a page (credit card number) protection product. And, for example, the digsig creates a chain instead of affirming an intent.
(via Oblomovka)