SLIDE 1
The DNS security mess
Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

Paul Vixie, 1995, on DNSSEC:
This sounds simple but it has deep reaching consequences in both the protocol and the implementation—which is why it’s taken more than a year to choose a security model and design a solution. We expect it to be another year before DNSSEC is in wide use on the leading edge, and at least a year after that before its use is commonplace on the Internet.

Before I start my talk, some comments on HTTPSEC.
Warning: HTTPSEC ≠ HTTPS.
SLIDE 9
HTTPSEC motivation
You use HTTP all the time: e.g., http://nu.nl.
Your computer requests a web page from the nu.nl server. The server sends a web page.
Your computer is using a wireless network that also has many other computers. Some of those computers are controlled by attackers.
Or maybe you’re in Iran, and the network is the attacker.

Standard security goals:
Confidentiality (privacy etc.) despite espionage.
Integrity (authenticity etc.) despite corruption.
Availability despite sabotage.

HTTP provides none of this.
By watching the network, attacker easily acquires data: the HTTP request, the web page.
Attacker easily changes data.
Attacker easily destroys data.
SLIDE 20
HTTPSEC: “HTTP Security”
HTTPSEC modifies HTTP to “bolster online security”.
HTTPSEC provides a way for the nu.nl server admin to attach PGP signatures to the nu.nl HTTP responses.
These signatures allow “verification of the origin, authenticity, and integrity of data” obtained through HTTP.

To verify these signatures, your computer needs to retrieve the PGP public key from the nu.nl admin.
What if the key is forged?
Answer: HTTPSEC provides a way for a trusted Netherlands government representative to PGP-sign the nu.nl public key.
What if that key is forged?
Answer: Internet Central Headquarters signed the Netherlands public key.
SLIDE 28
Internet Central HQ key was generated by an expensive Hardware Security Module by VeriSign, a well-known American company.
Hardware Security Module signs data if authorized by 3 out of 16 smart cards held by VeriSign Trust Managers.
3 VeriSign Trust Managers meet every week in case they have to sign new data.

If your computer has HTTPSEC software then it already knows the Internet Central HQ public key.
Your computer retrieves the Netherlands public key and the Internet Central HQ signature of that public key; PGP-verifies this signature.
Next step: retrieve and verify the nu.nl admin’s public key and the Netherlands signature.
Finally PGP-verify nu.nl’s HTTPSEC-signed responses.
SLIDE 36
HTTPSEC performance
Many Internet servers are extremely busy. Can they afford crypto?
The critical design decision in HTTPSEC: precompute PGP signatures of all data.
“Per-query crypto is bad.”
Signature is computed once; saved; sent to many clients.
Hopefully the admin can afford to sign each HTTP response once.

Clients don’t share the work of verifying a signature.
HTTPSEC tries to reduce client-side costs (and precomputation costs) through choice of crypto primitive.
Many HTTPSEC crypto options:
640-bit RSA, original specs;
768-bit RSA, many docs;
1024-bit RSA, current signatures from VeriSign etc.;
DSA, “10 to 40 times as slow for verification” but faster for signing.
SLIDE 46
HTTPSEC made breakable choices such as 640-bit RSA for no reason other than fear of overload.
HTTPSEC needed more options to survive the inevitable breaks; and even more complexity for reasons I’ll explain.
More complexity ⇒ more bugs, including security holes.
Author of one very popular HTTP server: “The effort of implementing everything correctly is just staggering.”

HTTPSEC confidentiality
How do you encrypt requests and responses without per-client crypto?
Answer: You can’t, and HTTPSEC doesn’t even try.
The HTTPSEC RFC says “Due to a deliberate design choice, HTTPSEC does not provide confidentiality.”
This is very strange, but not the worst part of HTTPSEC.
SLIDE 50 HTTPSEC confidentiality How do you encrypt requests and responses without per-client crypto? Answer: You can’t, and HTTPSEC doesn’t even try. The HTTPSEC RFC says “Due to a deliberate design choice, HTTPSEC does not provide confidentiality.” This is very strange, but not the worst part of HTTPSEC. The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html.
SLIDE 51 HTTPSEC confidentiality do you encrypt requests and responses without per-client crypto? er: You can’t, HTTPSEC doesn’t even try. HTTPSEC RFC says to a deliberate design choice, HTTPSEC does not rovide confidentiality.” very strange, but the worst part of HTTPSEC. The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There ar
admins manage e.g., wiki-creation
SLIDE 52 confidentiality encrypt responses er-client crypto? can’t, doesn’t even try. RFC says erate design HTTPSEC does not confidentiality.” strange, but rt of HTTPSEC. The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There are hundreds
admins manage web e.g., wiki-creation
SLIDE 53 even try. design not HTTPSEC. The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There are hundreds (thousands?)
admins manage web sites: e.g., wiki-creation tools.
SLIDE 54 The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There are hundreds (thousands?)
admins manage web sites: e.g., wiki-creation tools.
SLIDE 55 The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There are hundreds (thousands?)
admins manage web sites: e.g., wiki-creation tools. When these tools create index.html, do they also create index.html.httpsec-pgp?
SLIDE 56 The HTTPSEC data model When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html
An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp. Server admin has created index.html.httpsec-pgp with a signature of index.html. There are hundreds (thousands?)
admins manage web sites: e.g., wiki-creation tools. When these tools create index.html, do they also create index.html.httpsec-pgp? What about dynamic data?
SLIDE 57
The HTTPSEC data model
When nu.nl HTTP server receives a request for http://nu.nl/economie/, it looks for a file /var/www/economie/index.html on local disk.
An HTTPSEC client also asks for http://nu.nl/economie/index.html.httpsec-pgp.
Server admin has created index.html.httpsec-pgp with a signature of index.html.
There are hundreds (thousands?) of software tools to help admins manage web sites: e.g., wiki-creation tools.
When these tools create index.html, do they also create index.html.httpsec-pgp?
What about dynamic data? HTTPSEC purists say “Answers should always be static”.
SLIDE 68
What about old data? Are the signatures still valid? Can an attacker replay
If clocks are synchronized then signatures can include expiration times.
But frequent re-signing is an administrative disaster.
HTTPSEC suicide: admin screws up; signatures expire; every HTTPSEC client refuses to load the page.
HTTPSEC suicide examples:
2010.09.02: US government.
2010.10.07: Belgian government.
2012.02.23: httpsec-ref.org.
2012.02.28: “Last night I was unable to check the weather forecast, because the fine folks at NOAA.gov / weather.gov broke their HTTPSEC.”
2012.02.28, HTTPSEC-REF tech-support rep: “httpsec-accept-expired yes”
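The validity-window trade-off on this slide, as an added Python example that is not part of the talk: a client rejects signatures outside their window, an old signed answer stays replayable until it expires, and a monitor lists signatures about to lapse. HMAC-SHA256 stands in for the PGP signature, and the key, record layout, dates and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Stand-in for the site's signing key. HMAC-SHA256 replaces the PGP signature
# so the example needs only the standard library (assumption, not HTTPSEC's format).
SITE_KEY = b"constructed-demo-key"


def sign_record(path, body, inception, expiration):
    """Bind the path, a digest of the body and the validity window into one tag."""
    fields = [path, hashlib.sha256(body).hexdigest(),
              inception.isoformat(), expiration.isoformat()]
    return hmac.new(SITE_KEY, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def make_record(path, body, inception, lifetime):
    """What the admin publishes next to the page: body, window and signature."""
    expiration = inception + lifetime
    return {"path": path, "body": body, "inception": inception,
            "expiration": expiration,
            "sig": sign_record(path, body, inception, expiration)}


def check(record, now, accept_expired=False):
    """Client-side decision for one signed answer at time `now`."""
    expected = sign_record(record["path"], record["body"],
                           record["inception"], record["expiration"])
    if not hmac.compare_digest(expected, record["sig"]):
        return "bad-signature"
    if now < record["inception"]:
        return "not-yet-valid"
    if now > record["expiration"] and not accept_expired:
        return "expired"   # every validating client now refuses the page
    return "ok"


def expiring_within(records, now, margin):
    """Paths whose signature has lapsed or lapses within `margin` (re-sign alert)."""
    return sorted(r["path"] for r in records if r["expiration"] - now <= margin)


if __name__ == "__main__":
    t0 = datetime(2012, 2, 1, tzinfo=timezone.utc)   # constructed dates
    old = make_record("/economie/index.html", b"old text", t0, timedelta(days=30))
    # The page is rewritten on day 10, but the old signed copy is still
    # accepted on day 20: a replayed answer verifies until its window closes.
    print("day 20, old copy:", check(old, t0 + timedelta(days=20)))
    # Nobody re-signs: on day 31 validating clients refuse the page, and
    # accepting expired signatures reopens the replay window for good.
    late = t0 + timedelta(days=31)
    print("day 31:", check(old, late), "/", check(old, late, accept_expired=True))
    print("alert on day 25:", expiring_within([old], t0 + timedelta(days=25),
                                              timedelta(days=7)))
```

A shorter lifetime narrows the replay window and shortens the time an admin has to notice a failed re-signing run, which is why the alert margin has to be chosen together with the lifetime.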
SLIDE 79
What about nonexistent files?
Does the server admin precompute PGP signatures on “aaaaa does not exist”, “aaaab does not exist”, etc.? Crazy!
Obvious approach: “We sign each page that exists, and don’t sign anything else.”
User asks for nonexistent page. Receives unsigned answer saying the page doesn’t exist. Has no choice but to trust it.
User asks for nu.nl/economie. Receives unsigned answer, a response forged by attacker, saying the page doesn’t exist. Has no choice but to trust it.
Clearly a violation of availability. Sometimes a violation of integrity.
This is not a good approach.
SLIDE 85
Alternative: “NHTTPSEC”.
e.g. clegg.com/nonex query returns “There are no pages between clegg.com/nick and clegg.com/start” + signature.
Try clegg.com/foo etc. After several queries have all clegg.com names: alan, alvis, andrew, brian, calendar, home, imogene, jennifer, mail, nick, start, wiki.
The clegg.com administrator disabled HTTP directory indexing — but then leaked the same data by installing HTTPSEC with the default NHTTPSEC.
SLIDE 91
Summary: Attacker learns all n names of pages on an NHTTPSEC server (with signatures guaranteeing that there are no more) using n HTTPSEC queries.
This is not a good approach.
HTTPSEC purists disagree: “It is part of the design philosophy of the Web that the data in it is public.”
But this notion is so extreme that it became an HTTPSEC public-relations problem.
SLIDE 102
New HTTPSEC approach:
1. “NHTTPSEC3” technology: Use a “one-way hash function” such as (iterated salted) SHA-1. Reveal hashes of names instead of revealing names. “There are no names with hashes between ... and ...”
2. Marketing: Pretend that NHTTPSEC3 is less damaging than NSEC. “NHTTPSEC3 does not allow enumeration of the site.”
Reality: Attacker grabs the hashes by abusing NHTTPSEC3; computes the same hash function for many different name guesses; quickly discovers almost all names (and knows # missing names).
HTTPSEC purists: “You could have sent all the same guesses as queries to the server.”
4Mbps flood of queries is under 5000 noisy guesses/sec.
NHTTPSEC3 allows typical attackers 10000000 to 10000000000 silent guesses/sec.
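An added Python example, not part of the talk, that serves both the NHTTPSEC slide and this one: it audits what the two kinds of signed denial disclose about a site, using the clegg.com names from the slides as an in-memory list. The exact hash construction, salt, iteration count, wordlist and function names are assumptions, and signatures are left out so the focus stays on the gap records.

```python
import hashlib
from bisect import bisect_right

# Page names the slides list for clegg.com.
NAMES = sorted(["alan", "alvis", "andrew", "brian", "calendar", "home",
                "imogene", "jennifer", "mail", "nick", "start", "wiki"])
SALT = bytes.fromhex("a1b2c3d4")   # constructed sample salt
ITERATIONS = 10                    # constructed sample iteration count
# Constructed wordlist of common page names for the audit below.
WORDLIST = ["admin", "alan", "blog", "brian", "calendar", "home",
            "login", "mail", "nick", "start", "wiki", "www"]


def gap_for(sorted_keys, key):
    """Return the (previous, next) keys around a missing key; the chain wraps."""
    i = bisect_right(sorted_keys, key)
    return sorted_keys[i - 1], sorted_keys[i % len(sorted_keys)]


def plain_denial(name):
    """NHTTPSEC-style answer: 'There are no pages between <prev> and <next>'."""
    if name in NAMES:
        raise ValueError("page exists, so no denial is issued")
    return gap_for(NAMES, name)


def disclosed_by_plain_gaps(first_probe):
    """Follow the gap records from one probe; return (names revealed, probes used)."""
    seen, probes, probe = set(), 0, first_probe
    while True:
        prev, nxt = plain_denial(probe)
        probes += 1
        seen.add(prev)
        if nxt in seen:             # chain has wrapped: nothing new to learn
            return sorted(seen), probes
        seen.add(nxt)
        probe = nxt + "\x00"        # smallest string sorting just after nxt


def name_hash(name):
    """Iterated salted SHA-1 (assumed construction: salt appended each round)."""
    digest = hashlib.sha1(name.encode() + SALT).digest()
    for _ in range(ITERATIONS):
        digest = hashlib.sha1(digest + SALT).digest()
    return digest.hex()


HASH_CHAIN = sorted(name_hash(n) for n in NAMES)


def hashed_denial(name):
    """NHTTPSEC3-style answer: 'no names with hashes between <h1> and <h2>'."""
    if name in NAMES:
        raise ValueError("page exists, so no denial is issued")
    return gap_for(HASH_CHAIN, name_hash(name))


def gap_excludes(gap, name):
    """Client-side check that a hashed gap record really rules the name out."""
    lo, hi = gap
    h = name_hash(name)
    return lo < h < hi if lo < hi else (h > lo or h < hi)


def audit_wordlist(hash_chain, wordlist):
    """Offline audit: which published hashes a wordlist explains, and how many remain."""
    published = set(hash_chain)
    recovered = sorted(w for w in set(wordlist) if name_hash(w) in published)
    return recovered, len(published) - len(recovered)


if __name__ == "__main__":
    print(plain_denial("nonex"))               # the slide's nick/start answer
    print(disclosed_by_plain_gaps("foo"))      # all n names from n probes
    print(audit_wordlist(HASH_CHAIN, WORDLIST))
```

The wordlist audit runs entirely against the published hashes, with no further requests to the server, which is the slide's contrast between noisy and silent guesses.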
SLIDE 110 Another HTTPSEC optimization
Each HTTPSEC key/signature is another file to retrieve. Often your browser needs a chain of keys from several servers. Could be a serious slowdown.
HTTPSEC speeds this up by accepting requests and sending responses through UDP packets. Much lower overhead than TCP.
The bad news: HTTPSEC responses are much, much, much larger than HTTPSEC requests. Attacker forges many UDP request packets from victim’s IP address to many HTTPSEC servers. The HTTPSEC servers blast the victim with much larger volume of data, taking victim off the Internet.
SLIDE 123 The RFC says “HTTPSEC provides no protection against denial of service attacks.”
The RFC doesn’t say “HTTPSEC is a pool of remote-controlled attack drones, the worst DDoS amplifier on the Internet.”
Exercise: investigate other types of DoS attacks. e.g. HTTPSEC advertising says zero server-CPU-time cost. How much server CPU time can attackers actually consume?
The worst part of HTTPSEC
The data signed by HTTPSEC doesn’t actually include the web pages that the browser shows to the user. HTTPSEC signs only routing information: specifically, 30x HTTP redirects.
The HTTPSEC excuse for this: signing redirects is simpler than signing the final web page.
SLIDE 131
    $ telnet google.com 80
    Trying 173.194.66.102...
    Connected to google.com.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: google.com

    HTTP/1.1 301 Moved Permanently
    Location: http://www.google.com/
    ...
HTTPSEC allows a signature for the “google.com → www.google.com” redirect.
    $ telnet www.google.com 80
    Trying 173.194.67.104...
    Connected to www.google.com.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.google.com

    HTTP/1.1 302 Found
    Location: http://www.google.nl/
    ...
HTTPSEC allows a signature for the “www.google.com → www.google.nl” redirect.
SLIDE 142
    $ telnet www.google.nl 80
    Trying 173.194.66.94...
    Connected to www.google.nl.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.google.nl

    HTTP/1.1 200 OK
    ...
The response contains the actual Google web page. HTTPSEC does not sign this. HTTPSEC signs only redirects.
“You may say this is stupid, and you’re not the only one.”
If final web page isn’t signed, what is the security benefit of signing the redirects? Attacker simply forges the page.
If final web page is signed, what is the security benefit of signing the redirects? Attacker can’t forge the page.
Redirects can benefit from availability and confidentiality, but HTTPSEC doesn’t provide availability and confidentiality.
SLIDE 151 HTTPSEC vs. HTTPS
After years of development by >100 people, grants totalling tens of millions of EUR, U.S. regulations requiring HTTPSEC from government agencies, and direct payments to admins to please install HTTPSEC: HTTPSEC is running on a few thousand Internet servers.
Network World, 2013.01.29: “HTTPSEC adoption stalls outside of federal government”
There’s competition: HTTPS!
HTTPS aims for integrity and confidentiality for the complete web pages. HTTPS works with existing web tools and dynamic data. HTTPS doesn’t allow replays; doesn’t have any problems with nonexistent files; tries to avoid leaking data; isn’t a huge DDoS amplifier.
SLIDE 160
There’s competition: HTTPS! HTTPS aims for integrity and confidentiality for the complete web pages. HTTPS works with existing web tools and dynamic data. HTTPS doesn’t allow replays; doesn’t have any problems with nonexistent files; tries to avoid leaking data; isn’t a huge DDoS amplifier. What the HTTPSEC proponents say about HTTPS: “HTTPS requires keys to be constantly online.” Yes, it does; so what? “HTTPS requires servers to use per-query crypto.” Yes, it does; so what? “HTTPS protects only the channel, not the data. It doesn’t provide end-to-end security.” Huh? What does this mean?
SLIDE 164
What the HTTPSEC proponents say about HTTPS: “HTTPS requires keys to be constantly online.” Yes, it does; so what? “HTTPS requires servers to use per-query crypto.” Yes, it does; so what? “HTTPS protects only the channel, not the data. It doesn’t provide end-to-end security.” Huh? What does this mean? “If the site owner copies PGP-signed data from his trusted laptop to an untrusted server, which gives it to your browser, which verifies the signed data, then the server can’t change it. HTTPS lets the server change it.”
SLIDE 165
What the HTTPSEC proponents say about HTTPS: “HTTPS requires keys to be constantly online.” Yes, it does; so what? “HTTPS requires servers to use per-query crypto.” Yes, it does; so what? “HTTPS protects only the channel, not the data. It doesn’t provide end-to-end security.” Huh? What does this mean? “If the site owner copies PGP-signed data from his trusted laptop to an untrusted server, which gives it to your browser, which verifies the signed data, then the server can’t change it. HTTPS lets the server change it.” Yes, of course, but why is the site owner putting his data on an untrusted server?
SLIDE 166
What the HTTPSEC proponents say about HTTPS: “HTTPS requires keys to be constantly online.” Yes, it does; so what? “HTTPS requires servers to use per-query crypto.” Yes, it does; so what? “HTTPS protects only the channel, not the data. It doesn’t provide end-to-end security.” Huh? What does this mean? “If the site owner copies PGP-signed data from his trusted laptop to an untrusted server, which gives it to your browser, which verifies the signed data, then the server can’t change it. HTTPS lets the server change it.” Yes, of course, but why is the site owner putting his data on an untrusted server? “HTTPS destroys the caching This Matters.”
SLIDE 167
What the HTTPSEC proponents say about HTTPS: “HTTPS requires keys to be constantly online.” Yes, it does; so what? “HTTPS requires servers to use per-query crypto.” Yes, it does; so what? “HTTPS protects only the channel, not the data. It doesn’t provide end-to-end security.” Huh? What does this mean? “If the site owner copies PGP-signed data from his trusted laptop to an untrusted server, which gives it to your browser, which verifies the signed data, then the server can’t change it. HTTPS lets the server change it.” Yes, of course, but why is the site owner putting his data on an untrusted server? “HTTPS destroys the caching This Matters.” Yeah, sure it does. Film at 11: Internet Destroyed By HTTPS.
SLIDE 171
“If the site owner copies PGP-signed data from his trusted laptop to an untrusted server, which gives it to your browser, which verifies the signed data, then the server can’t change it. HTTPS lets the server change it.” Yes, of course, but why is the site owner putting his data on an untrusted server? “HTTPS destroys the caching This Matters.” Yeah, sure it does. Film at 11: Internet Destroyed By HTTPS.
The DNS security mess
I’ve been describing data sent to your browser, including two HTTP redirects:
google.com → www.google.com
www.google.com → www.google.nl
www.google.nl web page
But there are actually many more redirection steps: Domain Name System lookups.
SLIDE 175
The DNS security mess
I’ve been describing data sent to your browser, including two HTTP redirects:
google.com → www.google.com
www.google.com → www.google.nl
www.google.nl web page
But there are actually many more redirection steps: Domain Name System lookups.
com NS 192.5.6.30
google.com NS 216.239.34.10
google.com A 74.125.136.100
google.com → www.google.com
www.google.com A 173.194.66.99
www.google.com → www.google.nl
nl NS 192.5.4.1
google.nl NS 216.239.34.10
www.google.nl A 74.125.132.94
www.google.nl web page
SLIDE 179
com NS 192.5.6.30
google.com NS 216.239.34.10
google.com A 74.125.136.100
google.com → www.google.com
www.google.com A 173.194.66.99
www.google.com → www.google.nl
nl NS 192.5.4.1
google.nl NS 216.239.34.10
www.google.nl A 74.125.132.94
www.google.nl web page
DNSSEC signs DNS redirects in very much the same way that HTTPSEC signs HTTP redirects. All the problems of HTTPSEC are shared by DNSSEC, including lack of deployment: almost all DNS packets are cryptographically unprotected.
SLIDE 180
com NS 192.5.6.30
google.com NS 216.239.34.10
google.com A 74.125.136.100
google.com → www.google.com
www.google.com A 173.194.66.99
www.google.com → www.google.nl
nl NS 192.5.4.1
google.nl NS 216.239.34.10
www.google.nl A 74.125.132.94
www.google.nl web page
DNSSEC signs DNS redirects in very much the same way that HTTPSEC signs HTTP redirects. All the problems of HTTPSEC are shared by DNSSEC, including lack of deployment: almost all DNS packets are cryptographically unprotected. Actually, HTTPSEC is an imaginary imitation of DNSSEC, not a real proposal. But DNSSEC is a real proposal, and has all of these problems.