Category Archives: Security

x.509 Certificate Danger

The EFF and iSEC have posted their slides on X.509 certificate research. They call it the SSL Observatory. I guess it is a good thing they did not ask me because I would have called it the SSLatarium.

Some of the observations (ok, observatory makes sense) are the usual stuff you might expect. Our trust includes far more information than we could possibly verify in detail. This is true in regular life so it’s no surprise we have similar behavior when faced with the nontrivial certificate system on the web. I have always argued that certs are basically a failure and authority does not exist. The value of SSL is in the ability to encrypt communications. No one, except perhaps Verisign, walks around boasting about CAs or talking about how authorities are great.

I would like to take this moment to remind everyone how many unprotected windows there are in an average neighborhood. We trust that all the anonymous people wandering by outside will not try to break the window or fool us into opening our door. Authority is something difficult to put a finger on. A badge? A car with blinking lights? The Internet is a dangerous place with even less information about authority. It’s not obvious in what kind of neighborhood your browser lives and who it should trust. Back to the question of certificates. We knew they were bad. We knew they were untrustworthy. What now?

The presentation says to this point “Who are these [Certificate Authorities] we trust & what’s going on?” I sense a Harvey Keitel movie plot coming — Certificate Authority gone bad.

The Observatory was built by scanning the Internet for hosts that speak TLS on port 443, completing a handshake with each one, and recording the X.509 certificates presented. Here are some fun facts from their database of roughly 10 million handshakes:

  • The majority (about 6.5 million) of hosts presented invalid or self-signed certs.
  • Wildcard certs are used more often than they should be.
  • Google and Microsoft are impersonated.
  • There are around 1,500 CA certificates trusted by IE (the presentation says Windows) or Firefox.
  • Your browser trusts every intermediate CA cert that chains to one of those roots, whether or not you have ever heard of the organization holding it; the set includes the Department of Homeland Security and Booz Allen Hamilton.
  • Mozilla ships 124 trust roots from 60 organizations.
  • GoDaddy is practicing unsafe authority-ness: a single GoDaddy intermediate CA cert has signed 300,224 leaf certs. I would have guessed this from their advertising campaigns anyway, but it is nice to see the data backs it up.
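What the Observatory's tally looks like in code, as an added example that is not part of the original post or of the EFF's own tooling: the certificates are generated in memory (a hypothetical "Example Root CA", an intermediate under it, a "Rogue Root", a wildcard leaf, a self-signed leaf and two leaves for www.google.com; none of these are real authorities), and Go's standard crypto/x509 verifier stands in for the browser. The trust store holds only the root, so the intermediate is trusted purely because the root signed it, which is why a www.google.com certificate from that intermediate verifies while the same name under the rogue root does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

var serial int64 // unique serial per certificate this constructed example issues

func must(err error) { if err != nil { panic(err) } }

// issue creates a certificate for cn with the given SANs, signed by parent.
// A nil parent yields a self-signed certificate (a hypothetical CA, not a real one).
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA certificate may sign other certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Observation is the per-handshake record an Observatory-style tally keeps.
type Observation struct {
	Host, Issuer         string
	SelfSigned, Wildcard bool
	Trusted              bool // chains to a root in the store and matches Host
}

// observe classifies one presented chain the way a browser would.
func observe(host string, leaf *x509.Certificate, chain []*x509.Certificate, roots *x509.CertPool) Observation {
	o := Observation{Host: host, Issuer: leaf.Issuer.CommonName}
	// Self-signed: the signature verifies under the certificate's own public key.
	o.SelfSigned = leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	for _, n := range leaf.DNSNames {
		o.Wildcard = o.Wildcard || strings.HasPrefix(n, "*.")
	}
	inter := x509.NewCertPool() // intermediates travel with the handshake, roots do not
	for _, c := range chain {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	o.Trusted = err == nil
	return o
}

// Corpus builds a constructed set of handshakes (a real observatory reads them
// off the wire) and returns the observations plus the leaf count per issuer.
func Corpus() ([]Observation, map[string]int) {
	root, rootKey := issue("Example Root CA", nil, true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", nil, true, root, rootKey)
	rogue, rogueKey := issue("Rogue Root", nil, true, nil, nil)
	roots := x509.NewCertPool() // the browser ships with the root only; it has never seen inter
	roots.AddCert(root)
	wild, _ := issue("*.example.net", []string{"*.example.net"}, false, inter, interKey)
	lone, _ := issue("mail.example.org", []string{"mail.example.org"}, false, nil, nil)
	viaRogue, _ := issue("www.google.com", []string{"www.google.com"}, false, rogue, rogueKey)
	viaInter, _ := issue("www.google.com", []string{"www.google.com"}, false, inter, interKey)
	type hs struct{ host string; leaf *x509.Certificate; chain []*x509.Certificate }
	handshakes := []hs{
		{"www.example.net", wild, []*x509.Certificate{inter}},    // a wildcard covers one label...
		{"example.net", wild, []*x509.Certificate{inter}},        // ...not the bare domain
		{"mail.example.org", lone, nil},                          // self-signed: no authority at all
		{"www.google.com", viaRogue, []*x509.Certificate{rogue}}, // issuer outside the trust store
		{"www.google.com", viaInter, []*x509.Certificate{inter}}, // any trusted CA can issue any name
	}
	obs, perIssuer := []Observation{}, map[string]int{}
	for _, h := range handshakes {
		o := observe(h.host, h.leaf, h.chain, roots)
		obs = append(obs, o)
		perIssuer[o.Issuer]++
	}
	return obs, perIssuer
}
```

Call Corpus() and print the rows: the two www.google.com entries are the whole point of the deck. The browser's store contains one root and nothing else, yet the name it accepts is decided by whichever intermediate that root happened to sign, and the tally of leaves per issuer is how a figure like 300,224 leaves under one GoDaddy CA cert falls out of the data.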

To answer the question in the presentation, yes the CA model is fundamentally broken. Authority has not worked out so well at the giant global level. No big surprise since there is hardly any big global authority to back up the authority role and management that a clean CA infrastructure would require. I think the failure maps well to the world outside of technology and people are wise to think of it in the same way they might identify and measure a physical authority.

Nokia in US Outsells RIM and Apple in Q2

I am getting a bit frustrated with the statistics in the news related to phone sales.

The real message for security is that mobile phones are outselling laptops and other devices by a far margin. Let me delve into the headlines for a minute, however, and try to explain my frustration.

Reuters, for example, headlines with “Google’s Android takes lead in US consumer smartphones: Android devices had 33 pct share in Q2”. Open the article, however, and you see that they compare Android to RIM.

That is like comparing Linux to Apple Laptop sales. One is an operating system, the other is hardware with an operating system.

A more fair comparison would be to say that hardware A is outselling hardware B. We find that in the article, as a late admission.

Android is available on smartphones from a number of different manufacturers.

NPD said Motorola’s (MOT.N) Droid was the best-selling Android handset in the second quarter among U.S. consumers, followed by HTC’s (2498.TW) Droid Incredible and EVO 4G.

Therefore Motorola, maker of the Droid, has the best-selling handset on the best-selling operating system, and that is how I get to “Nokia in the US outsells RIM and Apple in Q2”. Strictly speaking, what Nokia Siemens Networks agreed to buy from Motorola in July 2010 was its wireless network infrastructure business, not its handset unit, so the Droid is still a Motorola phone.

Here is an even more egregious example, from the BBC. Their headline reads “Google Android phone shipments increase by 886%”

We should prepare to be wowed. That’s a lot of percentage points, right? Open the article and you find the same error as with Reuters. They bounce back and forth between platforms and devices, software and hardware.

Right away they say that Android sales are split across numerous companies.

Pete Cunningham, an analyst at Canalys, said Android’s sales were in part due to recent launches of “highly compelling” phones.

“We’re really seeing major vendors getting behind the platform,” he said.

In particular, he said, large manufacturers such as HTC, Samsung and Sony Ericsson, all used the platform and had helped drive shipments.

Um, ok. HTC, Samsung and Sony Ericsson get mentioned, but where is Motorola? Note again that the Reuters article called Motorola the Android sales leader.

The BBC then compares software on a chart that shows Symbian shipments far ahead of RIM, Android and Apple. RIM and Apple are companies that make hardware and software; Android and Symbian are operating systems. Mix it all together, ignore the fact that Symbian runs on everything from the most basic phone to a smartphone, and you get a statistical mess. It is strange how they pool the Android market to get the high percentage but leave alone the question of what that really means, like whether Nokia might consolidate its lead position with an Android option on its hardware while RIM, Apple and Microsoft lag behind.

Someone in Android marketing is doing a very good job at confusing the press.

The story, as I mentioned at the start, is really that consumers are buying into an open-platform smartphone model. Adoption and upgrade rates are far higher than with more expensive laptops and mobile compute devices. Nokia has a strong lead globally, RIM is a distant second and Apple is third. Microsoft is shrinking, which they apparently blame on a transition in OS, but everyone knows it’s just another leadership catastrophe (like when CEO Ballmer blamed weak Vista sales on better security *cough*).

Perhaps a reporter could do a fairer evaluation along the lines of Nokia/HTC/Samsung/Sony Ericsson/RIM/Apple on one chart and Symbian/Android/BBOS/iOS on another. I have looked but not found one yet.

Major Flaw in BioLock Model 333

A brief synopsis of this video by Marc Weber Tobias is “nice package…but this lock should not be used”.

The Model 333 from BioLock USA puts a fingerprint reader on a mechanical cylinder. The lock costs nearly $200 and gives the appearance of high security. The video shows that a paperclip inserted into the lock easily defeats it.

I see a particularly glaring gap between security and appearance, since the very distinctive and expensive look also marks it as a lock that can be easily bypassed. That shiny blue LED, probably meant to provide some kind of deterrent effect, instead practically advertises a lock with no security.

BioLock has refused to comment, but a retailer, BrickHouse Security, has agreed to accept returns and discontinue sales of the BioLock Model 333:

Upon hearing this information, BrickHouse Security immediately pulled the BioLock 333 from their product line. “We’re dedicated to offering consumers a quality product and frankly, the BioLock 333 is not that,” said Todd Morris, CEO of BrickHouse Security.

Locks are defeated all the time, but it is rare to see a vendor take such a firm stance on protecting customers, especially given the apparent lack of concern from the manufacturer.

SAS 70 Replaced by Two New Standards

ISACA has reported that the venerable SAS 70 is going away in 2011:

Statement on Auditing Standards No. 70 (SAS 70) will be replaced by two new standards: an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization.

These new standards apply to periods ending on or after June 15, 2011.

  • International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization

ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB), while SSAE 16 is the “local” standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

One of the big complaints about SAS 70 was that it let the entity being audited drastically limit the scope. A review might cover only physical security, for example, while logical security controls are ignored. An ISAE 3402/SSAE 16 report still allows this gap, but the new standards require the report to state clearly what was excluded from the review.

Likewise, a complaint about a Type 1 SAS 70 was that it did not test whether controls were effective in operation. This carries over to the new standards, though not unchanged. In a Type 1 report the auditor opines on whether the service organization’s description “fairly presents” its system and whether the controls are “suitably designed to achieve the control objectives” as of a specified date. A Type 2 report adds whether the controls operated effectively over a specified period of time.

Although the Type 2 seems similar at first, there is a major difference in the new standards. Under SAS 70, the Type 2 opinion on the fairness of the description and the suitability of control design was given as of a point in time, the final day of the review period, with only operating effectiveness tested across the period. Under ISAE 3402/SSAE 16 the opinion on the description and design covers the entire period under review. The new Type 2 also requires a formal written assertion from management.