What happened with the session fixation bug?

Anne & Lynn Wheeler lynn at garlic.com
Fri May 20 21:07:40 PDT 2005

James A. Donald wrote:
> PKI was designed to defeat man in the middle attacks
> based on network sniffing, or DNS hijacking, which
> turned out to be less of a threat than expected.

all of them may have been less than expected ... the commonly 
recognized SSL certificate issuers (that have their public key preloaded 
into common browsers) sell their certificates and have processes that 
look at whether you have a validly registered corporation. For most 
practical purposes this has been for e-commerce sites and the objective 
for the majority is protecting credit card numbers.

however, the reported exploits ... and what seems to represent a 
significantly larger ROI (fraud for effort invested) ... is to harvest the 
merchant transaction file (containing all the accumulated transaction 
information that would have taken months of listening to gather) ... aka 
it is much easier to let the merchant gather and organize all the 
information on behalf of the crook. slightly related posting ...
http://www.garlic.com/~lynn/2001h.html#61 Security proportional to risk

the original ssl e-commerce work had the user typing in the merchant 
webserver URL as a HTTPS session from the start and then it would check 
the domain name in the returned certificate (after all the digital 
signature gorp) against the domain name typed in. this is rarely if ever 
happening ... the common justification is that running SSL during the 
shopping experience cuts the throughput by 80-90 percent. as a result, 
SSL is typically saved for the "check-out" button.

so let's say you have been redirected to a fraudulent site and don't know 
it because the SSL domain name stuff hasn't been done yet. then comes 
time to do the check-out button. if it is a fraudulent site ... and 
since the crooks would then be supplying the URL with the check-out 
button ... the crooks are likely to have obtained a valid SSL 
certificate for some domain and that domain will match whatever the 
check-out button supplies.

random past ssl certificate posts

crooks are capable of setting up valid dummy front companies ... it 
isn't a very large effort.

most of what the CA TTPs do when they are verifying stuff ... is to check that 
the person applying for a certificate is in some way associated with a 
valid company that they claim to be associated with.

then the CA TTPs check with the domain name infrastructure to see if the 
corporation that they just checked on ... is the same one listed as the 
owner of the subject domain name (modulo the issue that there can be a 
common company name, a DBA company name, and a legal company
name ... all for the same corporation and all completely different names 
... you sometimes will see this in credit card statements where the 
store-front name and the company name on the statement are different).

As observed, one of the things SSL was for was as a countermeasure for 
integrity problems in the domain name infrastructure involving domain 
name hijacking (where the mapping of the domain name to an ip-address 
was altered to be a different ip-address, potentially a fraudulent website).

However, there have been more sophisticated domain name hijackings that 
have occurred where the domain name infrastructure records had both 
the name of the corporate owner and the ip-address altered. In 
this more sophisticated form, a crook with a perfectly valid dummy front 
corporation ... that has done the more sophisticated form of domain name 
hijacking ... could apply for a perfectly valid SSL domain name 
certificate ... and pass all the tests.

in any case, that was my perception of what we were doing with SSL ten 
years ago.

PKI is slightly different. One of the reasons that we coined the term 
"certificate manufacturing" was to try and differentiate what was 
commonly being referred to as PKI ... and what SSL domain name 
certificate stuff was actually doing.

Note that there has been a proposal to somewhat address the more complex 
form of domain name hijacking (both the company name take-over as well 
as the ip-address take-over) ... which involves having domain name 
owners register a public key when they get a domain name. Then all 
future correspondence with the domain name infrastructure is digitally 
signed ... which then can be verified with the onfile public key. as a 
side note ... this is a non-PKI, certificateless implementation of 
public key. In any case, with authenticated correspondence ... there 
supposedly is less chance of domain name hijacking occurring.

This has somewhat been supported by the CA SSL domain name certification 
industry. They have a complex, expensive, and error-prone identification 
process to try to establish a valid corporation. And even then they are 
at the mercy of whether the company name listed in the domain name 
infrastructure is actually the correct company (i.e. their whole 
infrastructure otherwise is useless).

The other advantage ... is that the Certification Authority can require 
that SSL domain name certificate applications also be digitally signed. 
Then the CA can turn an expensive, time-consuming, and error-prone 
identification process into a much simpler, cheaper, and reliable 
authentication process ... by retrieving the onfile public key from the 
domain name infrastructure for verifying the applicant's digital 
signature (again note that this is a non-PKI, certificateless 
implementation that they would use as the trust basis for the whole SSL 
domain name certificate operation).

There is some slight catch-22 to this for the SSL domain name certificate 
business. First off, improving the integrity of the domain name 
infrastructure for the Certification Authority industry ... would also 
improve the integrity for everybody ... somewhat mitigating one of the 
original supposed requirements for having SSL domain name certificates 
in the first place. The other is that if the SSL certification industry 
found it viable to base their trust infrastructure on the 
certificateless, onfile public keys at the domain name infrastructure... 
it might be possible that the rest of the world might find them 
acceptable also. One could imagine a slightly modified SSL process where 
the public key didn't come from a certificate ... but was an onfile 
certificateless public key retrieved directly from the domain name 
infrastructure (in much the same way the CA industry has proposed doing).

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list
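The following is an added example, not code from the original post or from the mailing list, illustrating the point made in the post about the check-out button: the SSL client's hostname check compares the certificate's domain name only against the host in the URL it was handed, so if the user was redirected to a look-alike page before HTTPS started, a check-out link to some other domain for which the crook holds a validly issued certificate passes the check. All domain names (shop.example, secure-pay.example) and certificate contents are constructed for the example.

```python
"""
Simulation of the per-connection SSL/TLS hostname check and of why it
does not protect a user who was redirected before HTTPS began.
All names and certificate contents below are constructed for this example.
"""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name `pattern` matches `host`.

    Mirrors the usual browser rule: case-insensitive label comparison,
    a single '*' allowed only as the whole leftmost label, the wildcard
    never spans a dot, and a wildcard needs at least two further labels
    (so '*.com' never matches anything).
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0] == "*":
        if len(pattern_labels) < 3:
            return False
        return pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def cert_valid_for_host(cert_names: list[str], host: str) -> bool:
    """True if any name in the presented certificate matches the connection host."""
    return any(hostname_matches(name, host) for name in cert_names)


def checkout(intended_merchant: str, checkout_url: str, cert_names: list[str]) -> dict:
    """Simulate pressing the check-out button.

    intended_merchant: the domain the user believes they are shopping at.
    checkout_url:      the URL the (possibly attacker-supplied) page put behind
                       the check-out button.
    cert_names:        names in the certificate presented by the server at
                       checkout_url (for a crook, their own validly issued cert).

    The SSL check only sees the URL host and the certificate; it has no notion
    of which merchant the user actually intended to pay.
    """
    parts = urlsplit(checkout_url)
    host = parts.hostname or ""
    ssl_check_passes = parts.scheme == "https" and cert_valid_for_host(cert_names, host)
    return {
        "host": host,
        "ssl_check_passes": ssl_check_passes,
        "host_is_intended_merchant": host.lower() == intended_merchant.lower(),
    }


# Constructed scenario (hypothetical domains, not from the original post).
SHOPPING_SITE = "shop.example"  # what the user typed / meant to buy from

# Honest case: check-out stays on the merchant's own domain, whose certificate
# lists that domain, so the check passes and the host is the intended merchant.
HONEST = checkout(SHOPPING_SITE, "https://shop.example/checkout",
                  ["shop.example", "www.shop.example"])

# Redirected case: shopping happened over plain HTTP on a look-alike page, and
# the check-out button points at a domain the crook controls and holds a valid
# certificate for. The hostname check passes; nothing ties it to shop.example.
REDIRECTED = checkout(SHOPPING_SITE, "https://secure-pay.example/checkout",
                      ["secure-pay.example"])

if __name__ == "__main__":
    print("honest    :", HONEST)
    print("redirected:", REDIRECTED)
```

The `host_is_intended_merchant` field is the comparison the per-connection check never performs: the client only knows the URL it was given, so the binding between "the merchant I meant" and "the domain in this certificate" has to come from somewhere the crook does not control, which is the gap the post describes.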