Bunch of random thoughts about identity and Trust
MitM proxy, active network traffic redirection and modification. - In the cases you've presented the sites fingerprint will get changed and it's not valid anymore.
If I know you, I want to meet "you", exactly you. Whom I know. Not someone who got a 'valid' identity document from any of the identity issuers globally. - Which is the current https certificate problem.
Ok, in last decades the ID papers have gotten much better. But you should have seen what kid of identity documents some countries used to issue.
Outsourced identity is that I've go a paper with photo, stamp and it says you're Peter Quill. Issued by Zambian Police department.
That's one of the reasons why many organizations do not actually use the official identity documents and or channels. They do use their own solutions, because those are potentially more secure. - Official channels are kind of secure, but there are also well known ways how to work around those, if required.
It's just like the VPN company X will provide you anonymity discussion. They'll do it to certain degree, but when you go over certain threshold, it suddenly goes way. And the VPN becomes totally transparent to the surveillance, even if might not have been that earlier at least in bulk data collection sense.
Trust is complex is very complex issue. And even if technical trust would be absolutely perfect, you still can't trust the people being trusted. - At least ways.
I just hope banking systems won't completely trust that checking the banks domain certificate being valid is enough. Especially when walking about intra bank networking. But who knows, maybe all the RESTful times have already changed that, as well as the PSD2. And that's what they're actually doing.
History has proven that it's a bad idea. But maybe it's just the future.
It would be awesome to read that someone got the valid bank.of.america certificate and was able to make a few API calls and get a billion.
"Any authority that has been installed on your browser should be safe." - Safe, safe to what degree is always the question.
Also the official online identity systems are safe to certain degree. And should be safe and enough. I just wonder why it's actually not being used more.
At least it's more safe than something utterly stupid, like password recovery using email alone.
Maybe and hopefully PSD2 will bring pretty safe online authentication to wider use.
"With a VPN you have a much more secure connection, with the VPN server verifying who you are, as well as you verifying who they are. Much more secure." - Yes, this in case of private direct VPN. But most of VPN providers are lobbying for generic VPN, which is terminated well before reaching the final destination. Which is a pretty big fail.
Yet, SSH / HTTPS (especially with client certificates) should be just as good as VPN. - Especially if specific key is required, not trusting the certificate authorities.
2018-10-07