
Hi all. Just wondering if we've ever considered installing an SSL certificate on gutenberg.org? It occurs to me that someone might consider their downloads from the site and what they are reading to be confidential information, and not want it sent in the clear. I don't think that it would be necessary to go so far as to make it the default, but having the option available would be nice. Would our web host, Ibiblio, have a problem with this? Other thoughts? Aaron

On 01/01/2012 06:35 PM, Aaron Cannon wrote:
Hi all.
Just wondering if we've ever considered installing an SSL certificate on gutenberg.org? It occurs to me that someone might consider their downloads from the site and what they are reading to be confidential information, and not want it sent in the clear. I don't think that it would be necessary to go so far as to make it the default, but having the option available would be nice.
Would our web host, Ibiblio, have a problem with this?
Other thoughts?
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia. -- Marcello Perathoner webmaster@gutenberg.org

On Sun, Jan 1, 2012 at 12:57 PM, Marcello Perathoner <marcello@perathoner.de> wrote:
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
I'm pretty sure we could get 18 people to pay $0.50 for a PositiveSSL cert ;-). http://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.asp...

On 01/01/2012 07:22 PM, Alex Buie wrote:
On Sun, Jan 1, 2012 at 12:57 PM, Marcello Perathoner <marcello@perathoner.de> wrote:
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
I'm pretty sure we could get 18 people to pay $0.50 for a PositiveSSL cert ;-). http://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.asp...
The idea here is to protect people's reading choices from government eavesdropping. That's a different class of security than to prevent your internet cafe neighbour from seing what you download. In the latter case a self-signed certificate would suffice. What we need is a worldwide recognized CA that does real checks, ie. paperwork, to determine the authenticity of the certificate request. Also, we need an EV certificate, eg. one that turns the browser bar green. EV certificates work for one subdomain only. So we'd need at least 2 of them. EV certificates at Verisign start at $998 / year. I'd appreciate if you stopped spamming the list with comments that only expose your personal naivete in real world security matters. -- Marcello Perathoner webmaster@gutenberg.org

On 1/1/2012 12:57 PM, Alex Buie wrote:
Also, pretty sure this is the only time I've ever mentioned anything security related on the list, so I won't, in fact, stop "spamming" the list, because I never was.
You have to cut Marcello some slack; while he is technically very astute, he has pretty much the same social skills as BowerBird.
There is absolutely no need for an EV cert for a _book downloading_ website. Maybe the entry level comodo cert isn't good enough in your opinion, but you certainly don't need anything more than a domain validated cert.
No, not even a domain validate cert is necessary. This is not a case where we want to assure people that they have arrived at the "true" Project Gutenberg web site. So long as PG does not ask for e-mail addresses, Social Security Numbers, credit card numbers or other forms of personally identifying information, no one should really care if the PG web site is spoofed. Sure, you could mount a denial of service attack that way, but there are other, much easier ways to do it. The problem presented here is that we want to protect people from eavesdroppers who are interested in knowing if you are downloading the Koran, the Bible, Mein Kampf, the Universal Declaration of the Rights of Man, or any other "subversive" material. In order to protect a public network connection from eavesdropping you need an encrypted channel typically using an uncompromised synchronous session key. It's hard to keep a synchronous key uncompromised, so the standard method is to generate a random, ephemeral session key, and deliver that session key using an asynchronous key exchange, which only requires that one party (in this case, the web server) maintain an uncompromised private key. A public key certificate is the standard way of distributing the public key associated with a private key. A /signed/ public key certificate is a way for some third party (the Certificate Authority) to say, "I stake my reputation on the fact that the assertions of fact contained in this certificate are true and have not been altered since I saw them." This certification depends entirely on the trustworthiness of the Certificate Authority. If the Certificate Authority cannot be trusted, while the certificate can still be used to encrypt the communication channel, the certification of other data in the certificate has virtually no worth. In fact, certification by a untrustworthy Certificate Authority may be worse than a self-signed certificate because it conveys a false sense of security. If you were to look at the contents of any of the really cheap certificates out there, I think you would find that every one of them contains a disclaimer to the effect that "FBN Security company makes no representations as to the validity of the data contained in this certificate. Proceed at your own risk." Government security organs are really good at compromising encrypted channels when they put their minds to it. If you /really/ wanted to be protected against government eavesdropping, you need a certificate signed by a company that goes to great lengths to protect its signing private key from any disclosure, including disclosure to /any/ government agency. Then, if you look at the certificate for the PG web site and it says "signed by the most ultra secure private key in the business," you can be pretty sure that the public key in the certificate belongs to PG -- assuming, of course, that /Project Gutenberg/ has gone to great lengths to protect /its/ private key. This kind of vigilance costs money. An alternative to a costly certificate might be a universally available CA certificate. This is what I mean: Project Gutenberg mints two certificates; one is a self-signed certificate whose Key Use is listed as Certificate Signer, the other is a certificate signed by the self-signed certificate, whose Key Use is for a web server. Every time you connect to the PG web site using https, you are presented with the second certificate. To make the browser's "Scary Message" go away, you would have to find and install the Project Gutenberg signing certificate. This certificate would be available from the Project Gutenberg web site, but it would also be "sowed" as widely as possible across the internet. Users concerned about surveillance would download the signing certificate from Project Gutenberg, but would also Google around for the certificate, and perhaps obtain it as well from peer-to-peer sites or social media. Only when you get five (or ten or fifteen...) matching certificates do you actually install it. This is very similar to the PGP trust model. Of course, it does rely on PG to be vigilant in protecting it's own private keys. I'd take the private key for the signing cert and put it in escrow in a Swiss bank vault, deleting it from all PG-controlled computers. Were I under surveillance by a hostile government (and I do not exclude my own) I would trust a cloud-based certificate chain far more than any inexpensive certificate, and perhaps even more than a Verisign Extended Validation certificate, which only requires that Verisign authenticate the certificate applicant’s domain ownership and organizational identity. What I really want to know is that Project Gutenberg is not going to hand over its private key when presented with a writ or subpoena.

If a government agency wanted to read the encrypted traffic to and from gutenberg.org, would an EV certificate be significantly harder to compromise than a cheap domain verified cert? As far as I know, there is no cryptographic difference between the two types of certs. The only difference is in the price and the steps you have to go through to prove your identity when acquiring the certificate. Yes, the address bar does turn green with the more expensive certs, but is that really meaningful to end users? Or, putting the question another way, how many users would be alarmed if they visited our "secure site" and their address bar didn't turn green? I suspect few to none, but that's just a guess. So, if there's no cryptographic difference between the two cert types, and if most users wouldn't notice anyway, why pay more? What am I missing? Aaron On 1/1/12, Marcello Perathoner <marcello@perathoner.de> wrote:
On 01/01/2012 07:22 PM, Alex Buie wrote:
On Sun, Jan 1, 2012 at 12:57 PM, Marcello Perathoner <marcello@perathoner.de> wrote:
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
I'm pretty sure we could get 18 people to pay $0.50 for a PositiveSSL cert ;-). http://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.asp...
The idea here is to protect people's reading choices from government eavesdropping. That's a different class of security than to prevent your internet cafe neighbour from seing what you download. In the latter case a self-signed certificate would suffice.
What we need is a worldwide recognized CA that does real checks, ie. paperwork, to determine the authenticity of the certificate request. Also, we need an EV certificate, eg. one that turns the browser bar green. EV certificates work for one subdomain only. So we'd need at least 2 of them.
EV certificates at Verisign start at $998 / year.
I'd appreciate if you stopped spamming the list with comments that only expose your personal naivete in real world security matters.
-- Marcello Perathoner webmaster@gutenberg.org _______________________________________________ gutvol-d mailing list gutvol-d@lists.pglaf.org http://lists.pglaf.org/mailman/listinfo/gutvol-d

On 01/01/2012 09:09 PM, Aaron Cannon wrote:
If a government agency wanted to read the encrypted traffic to and from gutenberg.org, would an EV certificate be significantly harder to compromise than a cheap domain verified cert? As far as I know, there is no cryptographic difference between the two types of certs. The only difference is in the price and the steps you have to go through to prove your identity when acquiring the certificate.
The difference is in the chain of trust. While there never can be 100% certainty, the shorter the chain is, and the stronger the links are, the greater the chance you will get away with it. And that can be a matter of live and death in some jurisdictions. If you need a high degree of certainty that you are indeed connected to the real PG site, you should not trust any browser bar colors, you should examine the certificate's chain of trust. Now if we get a certificate from Verisign the chain will be: - browser-installed Verisign certificate - Verisign Inc. - Project Gutenberg A user in (let's say) Iran, will have the certainty that no authority outside the US is in the chain of trust. That's enough security for an Iranian that wants to download Karl Marx. (It may not be enough for an US citizen wanting to download Karl Marx because US officials may very well have colluded with Verisign and tampered with the DNS system.) If instead we buy a certificate from discounter X: - the chain will be longer and contain unknown CA names, thus will be much harder to scrutinize for security - any CA on the chain of trust may have been tampered with with catastrophic consequences. Ironically the very CA that issues those cheap $9 `certificates´ has been tampered with, probably by the Iranian government: http://en.wikipedia.org/wiki/Comodo_Group#Breach_of_security -- Marcello Perathoner webmaster@gutenberg.org

As you undoubtedly know, the chain of trust only helps the browser and the user (assuming they even look at it, which is doubtful) decide whether or not they can trust the certificate. If a key in the chain of trust is compromised, this only gives an attacker the ability to create a fake certificate from the gutenberg.org domain which they could use in a man in the middle attack. It would not give them the ability to decrypt the traffic on a direct connection between the user and gutenberg.org. In order to do that, they would need to compromise the secret key installed on the ibiblio server. If a user doesn't check the chaine of trust, all that is needed to launch a successfull man in the middle attack is to compromise any level of any chaine of trust that the user browser recognizes as trustworthy. However, what I'm saying is that most users wouldn't detect either sort of attack because most users don't look at the chain of trust. Even if they did look at the chaine of trust, how would they know what the correct chaine of trust should be for gutenberg.org? IMHO, the only value in having a certificate that is signed by a recognize CA is that it prevents the browser from scaring the user, and it does make it non-trivial to create a forged certificate. Would you consider it a reasonable compromise to install a cheap SSL cert on gutenberg.org and to provide a security notice to the user to the effect that while the connection is encrypted, it shouldn't be relied upon for protection against sophisticated attackers. We could even suggest some more secure alternatives like TOR for folks with higher security concerns. Aaron On 1/1/12, Marcello Perathoner <marcello@perathoner.de> wrote:
On 01/01/2012 09:09 PM, Aaron Cannon wrote:
If a government agency wanted to read the encrypted traffic to and from gutenberg.org, would an EV certificate be significantly harder to compromise than a cheap domain verified cert? As far as I know, there is no cryptographic difference between the two types of certs. The only difference is in the price and the steps you have to go through to prove your identity when acquiring the certificate.
The difference is in the chain of trust. While there never can be 100% certainty, the shorter the chain is, and the stronger the links are, the greater the chance you will get away with it. And that can be a matter of live and death in some jurisdictions.
If you need a high degree of certainty that you are indeed connected to the real PG site, you should not trust any browser bar colors, you should examine the certificate's chain of trust.
Now if we get a certificate from Verisign the chain will be:
- browser-installed Verisign certificate - Verisign Inc. - Project Gutenberg
A user in (let's say) Iran, will have the certainty that no authority outside the US is in the chain of trust. That's enough security for an Iranian that wants to download Karl Marx.
(It may not be enough for an US citizen wanting to download Karl Marx because US officials may very well have colluded with Verisign and tampered with the DNS system.)
If instead we buy a certificate from discounter X:
- the chain will be longer and contain unknown CA names, thus will be much harder to scrutinize for security
- any CA on the chain of trust may have been tampered with with catastrophic consequences.
Ironically the very CA that issues those cheap $9 `certificates´ has been tampered with, probably by the Iranian government:
http://en.wikipedia.org/wiki/Comodo_Group#Breach_of_security
-- Marcello Perathoner webmaster@gutenberg.org _______________________________________________ gutvol-d mailing list gutvol-d@lists.pglaf.org http://lists.pglaf.org/mailman/listinfo/gutvol-d

On 01/02/2012 07:07 PM, Aaron Cannon wrote:
If a key in the chain of trust is compromised, this only gives an attacker the ability to create a fake certificate from the gutenberg.org domain which they could use in a man in the middle attack.
`Only´ in this case means that if you also control DNS you can set up a site that is cryptographically indistinguishable from gutenberg.org. As most DNS servers are in the same jurisdiction as the user, all a government needs is a credible fake certificate.
If a user doesn't check the chaine of trust, all that is needed to launch a successfull man in the middle attack is to compromise any level of any chaine of trust that the user browser recognizes as trustworthy.
If a user doesn't check, its his fault. If we use a chain of trust that is hard to check, its our fault.
However, what I'm saying is that most users wouldn't detect either sort of attack because most users don't look at the chain of trust. Even if they did look at the chaine of trust, how would they know what the correct chaine of trust should be for gutenberg.org?
They don't have to know. They only look at each link and decide if they can trust it. If one of the certificates is signed by "Iranian Secret Service LLC", they just download the Koran and go away.
IMHO, the only value in having a certificate that is signed by a recognize CA is that it prevents the browser from scaring the user, and it does make it non-trivial to create a forged certificate.
The only raison d'etre of a certificate is that it is hard to spoof.
Would you consider it a reasonable compromise to install a cheap SSL cert on gutenberg.org and to provide a security notice to the user to the effect that while the connection is encrypted, it shouldn't be relied upon for protection against sophisticated attackers. We could even suggest some more secure alternatives like TOR for folks with higher security concerns.
No. "Compromise" and "security" don't mix at all. A user sophisticated enough to know about TOR doesn't need PG to have SSL anyway. SSL is appropriate for protecting your credit card number from a rogue user of the same hotspot, it is not appropriate for protecting your private sphere from your government. Assuming it is the latter you had in mind, I don't see SSL helping us at all, it will only throw in a lot of confusion. -- Marcello Perathoner webmaster@gutenberg.org

Hi All, I find this discussion amusing. I someone is really worried about others observing what they downloading/uploading to PG there are more subtle ways of obscuring their identity when on the internet. Personally, PG should not need to worry about this nor need to implement personal security. That is the responsibility of every user, if s/he must protect her/himself invasion. regards Keith.

On 1/1/2012 10:57 AM, Marcello Perathoner wrote:
On 01/01/2012 06:35 PM, Aaron Cannon wrote:
Hi all.
Just wondering if we've ever considered installing an SSL certificate on gutenberg.org? It occurs to me that someone might consider their downloads from the site and what they are reading to be confidential information, and not want it sent in the clear. I don't think that it would be necessary to go so far as to make it the default, but having the option available would be nice.
My first reaction to this was "what a silly idea! Why should anyone care if I'm downloading 100-year-old books?" My second reaction was, "given the state of the world, this is probably a very good idea."
Would our web host, Ibiblio, have a problem with this?
Other thoughts?
SSL certificates serve three basic purposes: authentication of the certificate holder (at least to the extent of knowing that a certificate authority asserts that data in a certificate, including identity information and a public key, is valid), data integrity (if the private key is used to sign the data), and confidentiality (if the data channel is encrypted).
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
Why not use a self-signed certificate? Self-signed certificates provide no assurance that the data in the certificate (including the public key) is accurate, but they are still completely adequate to ensure confidentiality, and it seems to me that confidentiality is the goal PG would be trying to achieve.

A self-signed cert actually doesn't necessarily provide confidentiality as they do not protect against man in the middle attacks. Also, self-signed certs cause users to get those scary warnings. Considering the fact that an SSL cert can be had for less than $10, I don't think there's any good reason not to just get a CA signed cert. I'd even be willing to donate the cost of getting one. Here are the current prices from NameCheap.com, and there are almost certainly other providers as well: https://www.namecheap.com/ssl-certificates/comodo.aspx Aaron On 1/1/12, Lee Passey <lee@novomail.net> wrote:
On 1/1/2012 10:57 AM, Marcello Perathoner wrote:
On 01/01/2012 06:35 PM, Aaron Cannon wrote:
Hi all.
Just wondering if we've ever considered installing an SSL certificate on gutenberg.org? It occurs to me that someone might consider their downloads from the site and what they are reading to be confidential information, and not want it sent in the clear. I don't think that it would be necessary to go so far as to make it the default, but having the option available would be nice.
My first reaction to this was "what a silly idea! Why should anyone care if I'm downloading 100-year-old books?"
My second reaction was, "given the state of the world, this is probably a very good idea."
Would our web host, Ibiblio, have a problem with this?
Other thoughts?
SSL certificates serve three basic purposes: authentication of the certificate holder (at least to the extent of knowing that a certificate authority asserts that data in a certificate, including identity information and a public key, is valid), data integrity (if the private key is used to sign the data), and confidentiality (if the data channel is encrypted).
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
Why not use a self-signed certificate? Self-signed certificates provide no assurance that the data in the certificate (including the public key) is accurate, but they are still completely adequate to ensure confidentiality, and it seems to me that confidentiality is the goal PG would be trying to achieve. _______________________________________________ gutvol-d mailing list gutvol-d@lists.pglaf.org http://lists.pglaf.org/mailman/listinfo/gutvol-d

Self signed certs throw up some really scary looking warnings[0] and will scare off most non-technical users. Not worth the $10 / year or whatever. R C [0] They've been getting progressively worse in the past few years, at least in firefox. On Sun, Jan 1, 2012 at 1:52 PM, Lee Passey <lee@novomail.net> wrote:
Why not use a self-signed certificate? Self-signed certificates provide no assurance that the data in the certificate (including the public key) is accurate, but they are still completely adequate to ensure confidentiality, and it seems to me that confidentiality is the goal PG would be trying to achieve.
participants (6)
-
Aaron Cannon
-
Alex Buie
-
Keith J. Schultz
-
Lee Passey
-
Marcello Perathoner
-
Robert Cicconetti