Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
Experiencing technical difficulties since 1999

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.



Web Of Trust

Authenticating yourself using the Internet
  [vote for,

It will take a few paragraphs to get to the Idea; please be patient. But for something of a partial synopsis, see the first annotation and the 3rd link.

I've been doing some web-site development in my spare time, and have decided that most of the site will be accessed via the "https" protocol. The ordinary "http" protocol is occasionally exploited by hackers, to redirect traffic from one web site to another, which does bad things like feed viruses to your computer. A web site with beefed-up security, such as by using the https protocol, is harder to hack that way.

One aspect of that increased security is that the site needs something called an "SSL Certificate" (see link); otherwise the browser won't connect to the site using the https protocol.

There are various ways to obtain an SSL Certificate. Organizations such as Network Solutions, known as "Certificate Authorities", will be happy to sell you one. But first you have to provide them with a bunch of information so that they can verify you are who you claim to be (that's probably where most of the purchase price goes, the work they do to verify your information).

The SSL Certificate that you obtain from the Certificate Authority ("CA") will be "signed" by that company. Your browser probably includes a "root certificate" provided by that company; the "signing" process links your SSL Certificate (and many others that they sell) to theirs. So when the browser encounters your site and your site responds by presenting its certificate, the browser can see the connection between it and the root certificate, and "know" that the CA that provided the root certificate verified you, and therefore any web pages the browser loads almost certainly actually came from your site.

There have been a few cases in which the CA company has been hacked, and its root certificate "key" stolen. The key is secret and used to create the root certificate that the CA provided to the browser. The hacker can use it to create equivalent root certificates --and linked web-site-specific SSL Certificates-- that your browser will accept without question. Lots of certificates need to be revoked, and recreated from scratch, when that happens. Still, this is a rarer thing than the ordinary site-hacking described in the first paragraph above.

The process of creating an SSL Certificate is fairly simple, so you could create your own "self-signed" certificate. MORE, you can act as your own Certificate Authority, and create a "root key" and a "root certificate", and then use it to sign your ordinary SSL Certificate. But in neither case is such a certificate linked to a widely-recognized CA, so no browser will automatically accept it --the browser-users have to each one specifically tell the browser to accept it.

Why should they?

Is there any way that someone with a self-signed certificate can create a Web Of Trust such that you could be reasonably sure that "someone" sending that certificate to your browser was actually the site-owner?

That's where this Idea comes into play. Part of it relates to something already known, "digital signatures" (see link), and "public key cryptography". You use a special program to create a public key (which you make public) and a private key (which you keep secret). Someone wanting to communicate with you securely would encrypt the message with your public key, but it can only be decrypted with the private key, and only you are the one who has that.

It works in reverse; you can encrypt a public message with the private key, and only YOUR public key can decrypt it, so anyone decrypting the message will know it came from you.

The digital signature is a variation on that theme. A public file, like an SSL Certificate, can be linked to a "signature file" which you created with your private key, and only your public key can prove that the signature file is associated with the public file --which means the public file came from you only.

"However!" you say, "a hacker pretending to be you can also create a public key and put your name on it --so the verification problem remains!"

NOT SO FAST! Here is where we can actually use the Internet as a Web Of Trust. Think about how many nooks and crannies you regularly visit, and how many of those are places where you signed up to become a member (perhaps including the HalfBakery here).

Suppose you put certain data, like your public key, and your SSL Certificate, and your associated digital signature file, in multiple places on the Web (also include a file listing all those places). They will be the SAME files in all those places, obviously. A hacker trying to compromise your dot-com web site would have to also compromise all those other sites, or at least all your accounts at those other sites, in order to replace the critical files so that they were as alike afterward, as before the hack.

Since accomplishing that is highly improbable/impractical (unless you did something truly dumb, like use the exact same password everywhere), the net result is that anyone can verify that your SSL Certificate came from you only, and would then have a reason to tell the browser to accept the certificate.

I'll probably be posting my public key in an annotation here....

Vernon, Aug 26 2014

SSL Certificate http://www.networks...an-ssl-certificate/
As mentioned in the main text. [Vernon, Aug 26 2014]

Digital Signatures https://www.gnupg.o...en/manual/x135.html
As mentioned in the main text. [Vernon, Aug 26 2014]

My public key at another site http://www.nemitz.net/vernon/vnemitz.gpg
So, the more web sites where I can post the same "public key data", the less likely some hacker can pretend to be me. [Vernon, Aug 26 2014]

Another place to compare my key http://vernonnemitz...ticle/web-of-trust/
In general, the more sites the better, but probably more than 5 is overkill. This location is the 3rd.... [Vernon, Aug 26 2014]

A fourth place http://slashdot.org.../my-public-key-data
Now to think of a 5th place.... [Vernon, Aug 26 2014]

Innocentive trust challenge https://www.innocen...r/challenge/9933314
[bungston, Aug 26 2014]

trust cloud https://trustcloud.com
[theircompetitor, Aug 26 2014]


       You could copy and paste the following "stuff" into an ordinary text editor. For posting here, because of a limit of 30 consecutive characters, most of the lines of data (originally 64 characters each) have been broken up into groups of 25, 25, and 14 characters, separated by spaces. The original line-lengths need to be reconstructed (remove the spaces). Note the last two lines of data are not 64 characters long; an "=" sign is the last character of the first of them and another "=" sign is the first character of the second. Afterward, save the file as "vernonpublic.key" You won't be able to use it AS my public key, but you can compare it to the actual key-file that you can download (see 3rd link), and see that the data is the same.   

Version: GnuPG v1

       mQGNBFP0m3QBDAC9ggIDfVLDZ WNjqlaF3zsb9yn2kF6ekG5P0a 5ZSCcX1KtwEOsQ
RtlVzB2eFi5cGBrNlHO/6kvyw o0rogHgUPzQAasLELcMBHALjg F4Gk83PKjdgQGN
e7wqS+0Zux1x0Vgqp7Fg4OHot 1FvHtsWkUrNjC0KMlspvNxm5g Oh8ohv8weLqaNX
Ewkg0GFTj0OLMTW3vCIApabkT Z23PA4BAdRRtMSKzyXIfwkiVz ZwB4BqHnShhD8G
orfXOuc++M4gYH+1c5VYwLrtH TgqwaNkaV/yqa6C+fFA+Dww3P N79oetfc2ugaUT
uV/RBGydyBJQ3o7TT2z92UJ4O 5Js9P1XChF8DmwgbxAv52pRVl pwEL1ByB0PQghW
uzjWZmxMfQcW0Uvy4WHeFy2ay N1qgXCXPVw/XuRqIlsKrXAiSp 1oYzRci6wKrJ4d
LsUViFcZVN7jMoh+KMuvQ2kGc c37CJe8rEr/dWHPoHANL7V6MK DKlvbTjr9/VA8P
DY8+p/yyQ8gN+l0AEQEAAbQ8V mVybm9uIE5lbWl0eiAoQWZpY2 lvbmFkbyBvZiBN
0iFtl0s7eCrL4wiPuRnLFzhW+ JTvMIgtItFlEvVIhY9sKqk6R2 liI/vbAwyztfGw
YZZPIJClNT4XL9qhvAIcUVSte flUUVn6fTmKleI7/fiYbYD2ZI 0dKsUTGucoiG4Y
xbmE+V2W+OyNZmnMkovQrTb9H 16eLOT1PMa0zEDKZ+MfNv2KO0 SdMzqZS6RIn7Qu
kosiQR3lh6wmYtoPTg3iX46X3 0yTQMxxOPrM7JcJdUQX4LdaKL I1ecXNA4jtzs2E
SeBy9alFtpmcjznhrq7P9PXQ+ WawgRuyON7Xsvdx+aKmhmZfsO /GdYYD0pGYkYRv
NW3vwY0XHlkKD/pwC4QfFE/TQ O0CB8fOH+gajQwUQ5Uk9ztc6m 6GFE//quVmGujE
VRTa8wZEpfEX6cI6PXeUqNcJr RFGCBDn0HNce7oUlAacAKn43b F8tfwmevu5JrnT
UKLWnKm2HznB3KmZiQHeGNWIV FdctKqGkvuh9jcARqhpJ8cYZ6 YAMWI=
Vernon, Aug 26 2014

       //Why should they?//

Because, if they want to be truly secure online, then people should take more responsibility for their own security rather than blithely accepting the assurances of an anonymous third party about what is genuine & what is not. Education about internet security & a bit of personal research is the answer, not more certifications, which just complicate the picture. And yes, that will slow things down a bit. More haste, less speed my precious!
DrBob, Aug 26 2014

       / people should take more responsibility for their own security / Fine if you live in a village of 40. Difficult if you are dealing with the world.   

       Vernon, there is an open innocentive contest looking for this sort of thing. I have linked it.   

       Maybe to liven this up you should hybridize it with a new religion, or religionoid ethos like Veganisms or liberal humanism. I read that part of the attraction of Christianity early on was that it occurred at a time when there was more trade and commerce between cities, and if you were visiting a strange city where you knew no-one, you could at least stay with / trade with a fellow Christian. The same principle now.
bungston, Aug 26 2014

       So your certificate would contain a list of sites in your web of trust?
4and20, Aug 26 2014

       I was very patient.   

       I heard of SSL Certificates and Authentication before.   

       But what's a 'website'?
pashute, Aug 26 2014

       So what if a hacker creates a bunch of accounts at random web locations and uploads their public key to each of those. How does the user know that the public key at halfbakery is your real one, not the one posed to facebook?
scad mientist, Aug 26 2014

       // A hacker trying to compromise your dot-com web site would have to also compromise all those other sites, or at least all your accounts at those other sites,   

       How would a hacker (or anyone else) know which accounts at those other sites were yours?
tatterdemalion, Aug 26 2014

       Really far to easy to spoof.
WcW, Aug 26 2014

       [DrBob], I get the impression that you are talking sideways to what the main text is actually about.   

       [bungston], I saw that challenge some days ago, and perhaps it was in the back of my mind when I came up with this. But I have to revisit it to see how well this notion answers the challenge. Thanks for reminding me.   

       [4and20], no, the certificate is a separate thing from the list. The purpose of the list is to let you know of places where you can compare certain data items to be sure they are all the same. The certificate itself might be one of those data items (along with the separate digital signature file).   

       [scad mientist], you have an interesting point that doesn't seem quite finished (at least in terms of what you actually stated). The hacker creates data for a bunch of sites, OK. Then the hacker compromises your web site and changes the list to point at the sites where the hacker had previously stashed data. OK, that could be a problem.   

       However, there is a "time" thing that is a relevant factor, not previously mentioned with respect to this Idea (and possibly should be added to the main text). How long have you had a PRESENCE at the sites where you posted data? (It doesn't mater if the data is recent, so long as your membership at those sites has been sufficiently long.) Compare that to the places where the hacker created accounts in your name! This Idea can note that if "your" presence at the listed sites is too recent, then "your" presence there is not trustworthy enough.   

       [tatterdemalion], some of the answer to your question is above, but a couple other things can be noted. For example, someone else could legitimately have the same name as yourself. But your list of sites that you joined isn't necessarily going to be the same list as the other person --and even if it was, the SITE would require the two of you to use some sort of different names. In such cases it would be necessary for your list-of-sites to note any name-variation that you use at each site (not necessarily the same thing as a pseudonym or anonymous handle; you probably wouldn't post your data at a site where you prefer to be anonymous).   

       Second, any Person A could create a list of sites that s/he joined, and post that list on those sites, thereby preparing a future Web Of Trust for something that in the future might require some trust by some non-acquaintance Person B. The average Person A is NOT right now a target for the typical hacker, in terms of things like SSL Certificates. Note that the main text here talks about a web site that I'm working on --it isn't ready to "go live" --and therefore it isn't ready to be hacked yet! So, why should some hacker NOW start preparing to hack it, without even knowing whether or not it will offer anything a hacker would consider valuable enough to go to the trouble of hacking it?   

       [WcW], details, please?
Vernon, Aug 27 2014

       How do we know you wrote this, and not some Vernon in the middle?   

       And isn't there some HB directive at sneaking a virus in here? It quite clearly says "flU" in the middle of line 13
not_morrison_rm, Aug 27 2014

       Why would a site admin permit the use of a site for this purpose? If I run a site I'm not going to let people post their keys there so I can be hit with traffic that has nothing to do with my site.   

       And I still don't get the trust part of this. So you have a list of sites you created accounts and posted your keys - why can't I just steal your list and say I'm you, and you're the one hacking me?
tatterdemalion, Aug 27 2014

       [not_morrison_rm], consider that I've posted not just my key, but also the main text or the gist of it in some of those other places (need to do another at the nemitz.net site). Only someone who has access to my accounts at multiple sites can do that. That fact, for anyone who can post stuff at multiple sites, is the main thing from which a certain amount of trust can be deduced regarding that person's identity.   

       A computer virus consist of code that is designed and expected to be run by a computer. That differs from data --such as an encryption key-- which is expected to be processed by a computer running code that is different from the data.   

       [tatterdemalion], a site admin that allows members to post personal stuff is different from a site admin that doesn't allow members to post stuff. How many sites are YOU a member of, where you can post personal stuff (especially if you have a personal page at the site, like you do here at the HalfBakery)? I do think that in general a site admin is going to approve of ways to increase trust of and among site-members. While I understand your point about site traffic, keep in mind that many sites that allow personal data to be posted also build advertisements into all pages displayed, so in terms of wanting more eyes to see the ads, site-admins would approve of more reasons for more people to visit their sites. (The HB is an exception, ad-free because its hosting is donated.) There are also the facts that we are not talking about huge blocks of data-transfer here, in a world of ever-increasing data-transmission speeds and terabyte hard drives.   

       Did you not see the "time" thing described in the 5th paragraph of my previous anno? Anyone investigating sites where I've posted my key can see from the date on my personal-page here that I've been a member of the HalfBakery since at least 2000 (14 years), that I've been a member of Slashdot since at least 2004 (earliest personal-journal entry), that my wordpress.com blog articles date back to 2009, and so on. If you steal my list and claim to be me, will the place where you can post that claim have an equivalent age-of-use ASSOCIATED WITH MY NAME, while I can go to my personal pages at other sites, with their supporting ages-of-use, and post a counterclaim (that the claim at the site you control is a lie), at each one of them? For other people to beileve your claim that I'm hacking you, you have to convince them that I have hacked my way into multiple sites (some of which might be controlled by major corporations having a major interest in the security of its users, like Facebook and Google+), and NOT the single site with the new account, where you posted your claim!
Vernon, Aug 27 2014

       // Did you not see the "time" thing described in the 5th paragraph of my previous anno?   

       Yes, I couldn't make any sense out of that either.
tatterdemalion, Aug 27 2014

       Well, perhaps the "time" thing is more clearly explained in the last paragraph of my immediately-preceding anno?
Vernon, Aug 27 2014


back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle