[openssl-users] HTTPAS (was RE: engine interface for genrsa)

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Apr 24 13:11:59 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of ojike asharpel
> Sent: Monday, April 23, 2018 22:54

> I joined these group so that l can get assistance for my research work.

Fine. However, don't hijack an existing discussion for a new topic. That's considered impolite, and it makes it difficult for readers to follow the discussion. Post a fresh message to the list with an appropriate subject line.

> My Project is an Msc Research on HTTPS Man-In-The-Middle (MITM) Attack using a Compromised
> Certificate Authority.
> I have a Journal base paper am already working on. The author designed a new HTTPAS (HTTP Active Secure) …

Right. So you're working from a paper that appears to describe a couple of statistical heuristics on certificate issuance which might be used, with some probability, to detect MITM attacks made using entity certificates generated by a compromised CA.

First, I'll note that I'm not sure how valuable this original contribution (as I understand it) is, in the current era of Certificate Transparency - which is, after all, already displacing pinning (HPKP) as a countermeasure, because it's superior (at least in its failure modes). While the public X.509 PKI is a horrible mess, it's less horrible than it was even a few years ago. Is there any great need for heuristic countermeasures, particularly when end-user confusion is already one of our biggest problems?

Second: After reading your paraphrase of the HTTPAS project, I still don't know what *your* project is. You've identified this paper that describes an experimental protocol. What do you want to do with it?

> Dear friends, l need help, even though,it might require some financial involvement.

This makes me nervous. Financial compensation for assistance with a graduate research project? In the US, that would almost certainly be considered unethical (except when compensating research subjects under terms approved by an IRB, which doesn't seem to be the situation here). Asking questions is one thing; paid assistance is quite another.

I hope this is helpful.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list