Notes from the 2011 Key Management Summit – Dan Boneh’s keynote
Dan Boneh gave the second keynote at the 2011 Key Management Summit. The title of his talk was "Social Keys: New Directions in Public Key Management." If you've never heard Boneh give a presentation, you're missing a lot. He covers lots of interesting material, and you feel very smart for a few days afterwards because you're able to amaze and astound people with your deep and profound knowledge of information security. So although Boneh only talked about Social Keys for a few minutes, nobody seemed to mind, because the rest of the material was so interesting.
The part that I found the most interesting was the discussion of man-in-the-middle attacks against HTTPS. Although the HTTPS protocol was designed to prevent MITM attacks, web browsers don't have a user interface that really lets users know that they're being hit by one: as long as the attacker presents a certificate that chains to some root the browser already trusts, the connection looks exactly like a legitimate one. That means it's really not that hard to carry one out in practice.
Researchers were curious about how frequent MITM attacks against HTTPS really are. After all, if it's feasible to carry them out, we should expect to see attackers doing it. I found the results of the research somewhat surprising. Apparently MITM attacks rarely, if ever, happen on the open Internet, but they happen very frequently inside businesses. It's probably the case that the MITM attacks that actually happen are just your corporate IT department doing something for what's probably a good reason (an interception proxy that inspects outbound traffic works by issuing its own certificate for every site, signed by a company root CA installed on the managed machines, so the browser sees a valid chain and shows no warning), but it also means that you can't expect secure connections to actually be secure if you're making them from work.
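The check the browser doesn't do for you, as an added example that is not part of Boneh's talk or this post: pin the SHA-256 fingerprint of the leaf certificate you expect a site to present and compare it with the one the connection actually delivers. A corporate interception proxy passes ordinary chain validation (its root is in the local trust store), but it cannot present the real site's certificate, so the fingerprint comparison is what exposes it. The host name and the fingerprints in the pin table are placeholders, and the issuer fields printed at the end depend on Python's `ssl` module having validated the chain.

```python
"""Pinned-fingerprint check for an HTTPS connection (added example)."""
import hashlib
import socket
import ssl

# Constructed pin table: hostname -> acceptable SHA-256 fingerprints of the
# DER-encoded leaf certificate (lowercase hex). The values are placeholders;
# record real ones from a vantage point you trust, e.g.
#   openssl s_client -connect host:443 </dev/null | openssl x509 -fingerprint -sha256
PINS = {
    "www.example.com": {
        "0" * 64,  # placeholder: current certificate
        "1" * 64,  # placeholder: backup certificate, so a rotation does not lock you out
    },
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the same value browsers and openssl display."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(hostname: str, der_cert: bytes, pins=PINS):
    """Compare the presented leaf certificate with the pins for hostname.

    Returns (verdict, fingerprint). Verdicts:
      'ok'       -- the certificate matches a pin
      'mismatch' -- the chain validated, but this is not the site's certificate:
                    the signature of an interception proxy whose root is trusted
                    on this machine
      'unpinned' -- no pins recorded for this host, nothing to compare against
    """
    fp = fingerprint(der_cert)
    expected = pins.get(hostname)
    if expected is None:
        return "unpinned", fp
    if fp in expected:
        return "ok", fp
    return "mismatch", fp


def name_to_dict(rdn_sequence):
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer."""
    return {k: v for rdn in rdn_sequence for (k, v) in rdn}


def inspect_host(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with the system trust store (so a corporate root is honoured,
    exactly as the browser would) and report what was actually presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = name_to_dict(tls.getpeercert()["issuer"])
    verdict, fp = check_pin(hostname, der)
    return {"verdict": verdict, "fingerprint": fp, "issuer": issuer}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    report = inspect_host(host)
    print(f"{host}: {report['verdict']}")
    print(f"  leaf sha256: {report['fingerprint']}")
    # On a network with an interception proxy this is the company's CA, not a public one.
    print(f"  issuer:      {report['issuer'].get('organizationName', '?')} / "
          f"{report['issuer'].get('commonName', '?')}")
```

Run it from inside and outside the corporate network and compare the two reports: the 'mismatch' verdict plus an issuer you don't recognise is the case the text describes. Pinning the whole certificate is the simplest thing to demonstrate but breaks on every renewal; pinning the hash of the subject public key info survives renewals that keep the key, which is why browsers pinned that instead.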
Boneh also talked about some of the problems with validating certificates, particularly with using OCSP. In addition to the practical issues that essentially make it impossible to actually use OCSP, Boneh mentioned how OCSP can provide an easy way to bypass the privacy that the supposedly private modes of web browsers give you. This is because web browsers cache OCSP responses, and that cache is available outside of private browsing mode. So even if you can't tell directly that someone went to the site https://www.example.com, you'll be able to see that the browser made an OCSP call to validate the certificate used by example.com, which is close enough for most purposes: an OCSP request names the certificate by its issuer and serial number, and the certificate names the site.
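To make the leak concrete, here is an added example (not code from the talk or the post) that builds an OCSP request the way a client would, encodes it in the GET form that ends up in proxy logs and caches, and then decodes it again and maps the certificate identifier back to a host. The issuer hashes, the serial number, the responder URL and the table of known certificates are all constructed placeholders; the DER layout follows the OCSPRequest structure from RFC 6960.

```python
"""Decode what an OCSP request reveals about the site a browser visited."""
import base64
import hashlib
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, the hash OCSP clients use for CertID


# --- minimal DER helpers (only what this example needs) ----------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    # one extra byte when the top bit is set keeps the INTEGER positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


# --- OCSPRequest ---------------------------------------------------------------
def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }"""
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))  # AlgorithmIdentifier sha1, NULL
    cert_id = tlv(0x30, alg + tlv(0x04, issuer_name_hash)
                  + tlv(0x04, issuer_key_hash) + der_int(serial))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))


def parse_ocsp_request(der: bytes):
    """Return one dict per CertID in the request."""
    _, ocsp_body, _ = read_tlv(der, 0)
    tbs = children(ocsp_body)[0][1]
    # skip the optional [0] version and [1] requestorName (context tags 0xA0/0xA1)
    request_list = next(val for tag, val in children(tbs) if tag == 0x30)
    ids = []
    for _, request in children(request_list):
        cert_id = children(request)[0][1]
        _alg, name_hash, key_hash, serial = children(cert_id)
        ids.append({
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big"),
        })
    return ids


def decode_ocsp_get(url: str) -> bytes:
    """OCSP over GET appends base64(DER), URL-escaped, to the responder URL."""
    path = urllib.parse.urlsplit(url).path.rsplit("/", 1)[-1]
    return base64.b64decode(urllib.parse.unquote(path))


def identify(cert_ids, known):
    """Map (issuer_key_hash, serial) back to the host whose certificate was checked."""
    return [known.get((c["issuer_key_hash"], c["serial"]), "unknown") for c in cert_ids]


# --- constructed sample data ---------------------------------------------------
SAMPLE_NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()
SAMPLE_KEY_HASH = hashlib.sha1(b"constructed issuer SPKI").digest()
SAMPLE_SERIAL = 0x0123456789ABCDEF
# What an investigator brings along: the certificates of the sites of interest.
KNOWN_CERTS = {(SAMPLE_KEY_HASH.hex(), SAMPLE_SERIAL): "www.example.com"}


def demo():
    der = build_ocsp_request(SAMPLE_NAME_HASH, SAMPLE_KEY_HASH, SAMPLE_SERIAL)
    # the GET form a proxy log or browser cache would have recorded ('/' in the
    # base64 must be escaped, so quote with safe="")
    url = "http://ocsp.example.test/" + urllib.parse.quote(base64.b64encode(der).decode(), safe="")
    return identify(parse_ocsp_request(decode_ocsp_get(url)), KNOWN_CERTS)


if __name__ == "__main__":
    print(demo())  # ['www.example.com']
```

Nothing in the request says "example.com", yet the (issuer key hash, serial) pair identifies one certificate, and whoever has that certificate (anyone who has ever connected to the site) knows which host it belongs to. The same lookup works on an OCSP cache entry, which stores the response for the same CertID, so the cache outside private mode is effectively a list of sites visited.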
The discussion of Social Keys was fairly straightforward. If you use social media sites, just include a URL to your public key in your public profile on one or more of them. It's a clever idea, but I doubt many people will actually use it. That's because very few people use public keys at all, so there are very few people who need a way to get their public key to other people.