Root Causes 469: The All or Nothing Fallacy in Cybersecurity
In this episode we explain the all-or-nothing fallacy in cybersecurity and how it's affecting debate in the WebPKI right now.
- Original Broadcast Date: February 17, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
I want to talk today about a fallacy that you see, that we've seen for a long time, that we continue to see in security, and that can affect other areas as well. But let's focus on cybersecurity, which is, I'll call it the all-or-nothing fallacy. And the gist of the all-or-nothing fallacy, which is not that deep, is you look at some proposal that makes things safer or more secure, and if you can find any kind of hole in it at all, if there's any way that it's less than perfectly 100% secure, then the conclusion you come to is, well, no point in doing that.
-
Jason Soroko
So I guess there's no point in MFA, Tim. In fact, I think the entire security industry is imperfect, and therefore - -
-
Tim Callan
It's all risk. It's all risk-based. It's all about risk reduction, and it's all about cost of risk reduction. Cost can be a bunch of things. It could be money. It can be time. It can be capabilities. It can be opportunity cost. A lot of different costs. But at the end of the day, when you put it all together, that's what we do all the time in security. And the reason that this is coming up right now is it's one of the arguments that has been launched against the Apple 47-day CA/Browser Forum Ballot, that as of recording time, is in a discussion period. You and I did an episode recently where we listed out seven reasons to shorten certificate lifespans, and some of those reasons absolutely involve security. It's things like reduce the attack window if there's a key compromise or reduce the attack window if there's some kind of domain name takeover attack that goes on.
-
Jason Soroko
So let me guess, Tim, sorry, that must mean that within this 47-day window, if a key is compromised, if a private key is compromised within those 47 days, the bad guy can still do something. So "why should I bother to rotate my certs?" is the point?
-
Tim Callan
Absolutely! There's plenty of time. If you get a compromised key with a 47-day certificate, you have plenty of time to do all kinds of malicious stuff. If you can trick DNS, or somehow, some other way, get control of a domain name that you shouldn't have, there's plenty of time to do bad things in 47 days. So why are we reducing this? That's the argument.
-
Jason Soroko
Tim, I would think, if you take a look through time, we went from 5- and 10-year to 3-year to 2-year to 398 days, eventually down to 200, 100, 47 days. This constant stepping down was always going in the correct direction, and I think that once we hit this 200- and 100-day threshold, the motivation for people to automate their certificates is growing and growing and growing, and this is what people are trying to avoid. The direct avoidance of automation is directly counter to security, and therefore that argument is so utterly full of fallacy and is false in all directions, it's not even funny. It's unfortunately at the same time laughable as an argument, but it is based on really, really misguided thinking, and I really regret that we live in a world where people still think that if I just complain loudly enough with really bad thinking, I can get my way and not have to do anything.
-
Tim Callan
I think the argument is easily defeated. It goes as follows. Engage in a thought experiment with me. Let's suppose that a bad guy manages to get a hold of your private key on day 45 of the certificate’s lifespan. Well, according to this proposal, starting in 2028 there will be two days’ worth of attack window. If you back up in time to today, there will be 350 days’ worth of attack window. That's just very, very different.
-
Jason Soroko
Tim, if you read the sheer number of incident handling reports that are out in the world today, Verizon has one, Mandiant has a very famous one. There's a lot of really, really good incident handling reports that are out there right now. What they all say now is the trend is for the bad guys to sit on a compromised asset for quite a long time before they go off and utilize it. Therefore, the shortening of these time windows is critical to deal with that problem.
-
Tim Callan
That is exactly right, Jason. So, sophisticated attackers. Absolutely. They like to get the lay of the land. They like to watch and observe, and they will happily spend months observing. If your total attack window in the worst case scenario is 47 days or 46 days, you can't spend months doing anything.
-
Jason Soroko
That is 100% the point. Not the least of which, Tim, and we are talking about key compromise. There are six other reasons for shortening certificate lifespans as well.
-
Tim Callan
This is a fallacy that we have seen in lots of forms, in cybersecurity and other aspects of life, for a long time. I think it's a fallacy that's as old as people. And there's an adage that I love, which is "perfect is the enemy of good." This is an example of perfect is the enemy of good. This concept of perfection prevents us from embracing something that's better. So anyway, there's no suggestion that Apple is changing its opinion on this. I'm sure this will still go to ballot. We'll see if the ballot passes or fails because, as of recording time, it hasn't gone, but that is one of the objections that was raised, and it struck me as silly, and I thought we should talk about it.
-
Jason Soroko
Thank you so much, Tim. Listen folks, certificate lifecycle management, certificate automation, which leads to certificate agility, is always going to go hand in hand with shortened certificate lifespans, a better security option for you, period. There is no argument other than that.