[Doctrinezero] HTTPS
Eugen Leitl
eugen@leitl.org
Thu Aug 22 09:09:28 PDT 2013
----- Forwarded message from Bryce Lynch <bryce@zerostate.is> -----
Date: Thu, 22 Aug 2013 12:00:52 -0400
From: Bryce Lynch <bryce@zerostate.is>
To: doctrinezero@zerostate.is
Subject: Re: [Doctrinezero] HTTPS
Organization: Zero State
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130514 Thunderbird/17.0.6
Reply-To: doctrinezero@zerostate.is
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/21/2013 10:37 AM, Dirk Bruere wrote:
> Do the certification authorities hold a key that can break the
> encryption of sites that use it?
It's more complicated than that.
Most of the time, whenever someone buys an SSL certificate pair signed
by a CA, they have the CA generate the certificate pair for them
(because OpenSSL's command line is pants, usually), sign it for them,
and then send them the whole mess. The CA archives copies of the
public and private certs after signing. We've seen several times in
the past where CAs have given untrusted third parties copies of those
signed certs. Ouch.
There is a subtle flaw in the CA ecosystem: So long as a cert is
signed by a CA that the client trusts, it doesn't matter /who/ the
signer was. So, example.com could buy an SSL certificate from Thawte,
and Eve could buy an SSL cert from Comodo for example.com. Eve could
then use her cert for example.com to run a man-in-the-middle attack
against users of example.com, and their browsers would never notice
because both Thawte and Comodo are trusted. The SSL protocol has no
provision for noticing if and when the trust chain changes in
mid-flight. Double ouch. We've seen this one happen in the field
several times. This is how ComodoHacker wrecked so much havoc a few
years ago.
There is another flaw in SSL: Wildcards. It is not uncommon for
companies to buy SSL certs valid for *.example.com, so that they have
only one cert covering all of their SSL enabled resources. What isn't
obvious is that it's possible to generate a valid cert for *.com. Or
*.org. Or *. Those certs are valid for *.com, or *.org, or * (any
SSL enabled resource on the global Net) until they expire. A few of
the big CAs sell these for whoever can pony up for them (they're very
expensive) because they can be loaded into DPI/DCI hardware which
basically carries out MITM attacks for detecting data exfiltration.
That they are also used for surveillance comes with the territory. At
least one CA that was pwned in the past five years had a number of
wildcard certs generated by the attacker for * which are good until 1
January 2038. Uh-oh.
Third parties have been trying to find ways to fix this - certificate
pinning, TOFU/POP, Webs of Trust for SSL, Convergence, manually
untrusting every CA in your browser - but none of them have caught on.
- --
The Doctor [412/724/301/703] [ZS]
PGP: 0xF1F922F2 / CABE 73FB 2D68 D1EF 3956 A468 7B1F DFE8 F1F9 22F2
WWW: https://drwho.virtadpt.net/
The future belongs to the brave.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSFjWzAAoJEHsf3+jx+SLyYGUH/3ekahHofFHoxwcIAXikcxY6
SEgYQdN2MQyyX4JHfC+T56d0spWyBykd87NV53+qqxLkRpK90OHAgcciKTctyFw7
Vw4VUGIJlie+IXItZTD203mWLjfHlNubJFCTCFeujVs/Sl9WBCXOi3I2mN9RP20j
G3EPYvR7NWUk8Y0O66ZUwh5Wnblj1PtbpCqU6vbByK1DWTIOopI1UC++aU7wYw4F
9IyfoXRe7JJIjexxq03XRsOc2GeaYkuy6LpwG+LDO3HrTv7Us7Y5plF/ybUnuQWL
pccOHBcUgnvaCcD+8S8/6x0do8qVQNNVu74C88SCDR0R6vrNT0k2Ws1wfG8ix8s=
=oa/z
-----END PGP SIGNATURE-----
_______________________________________________
Doctrinezero mailing list
Doctrinezero@zerostate.is
Unsubscribe: https://lists.zerostate.is/mailman/listinfo/doctrinezero
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
More information about the cypherpunks
mailing list