[HTTPS-Everywhere] Hashing for SSL Observatory root cert list
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jan 13 12:12:18 PST 2015

On Mon 2015-01-12 18:55:20 -0500, Jacob Hoffman-Andrews wrote:
> I intended to re-generate with a composite hash of SHA1 and SHA256, on
> the same principle. However, on further thought it seems like the idea
> is wrong. An attacker would not try to make a bogus root collide with
> the known public roots, since that would ensure submission. The attacker
> would want to make their bogus chain look like it was signed by a
> private cert, so it would not get submitted.

I believe this analysis is correct.

the hash check is used to avoid submitting private certificates; if we
want to be even more thorough, we could check against the full root cert
in question, but i don't think that matters.

In fact, if an attacker manages to forge a private root cert that *does*
match the digest of a well-known root cert, that would be a piece of
information that would be pretty neat to capture, not something to
avoid.

> So, I propose that the strength of the hashes in Root-CAs.js does not
> matter, and we should continue with only a SHA1 hash. Thoughts?

sounds fine to me.

--dkg
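
Added example, not part of the original message and not HTTPS Everywhere's own code: a sketch of the submission decision discussed in this thread, including the optional full-certificate comparison, so that a digest match with different certificate bytes is captured rather than avoided. All names, the outcome labels and the sample byte strings are assumptions made for illustration.

```javascript
// Hypothetical names throughout; this is not the contents of Root-CAs.js.
const { createHash } = require('node:crypto');

// Digest used for the known-roots list (SHA1, as proposed in the thread).
const sha1Hex = (der) => createHash('sha1').update(der).digest('hex');

// Index the public roots by digest, keeping the full DER bytes so the
// "more thorough" full-certificate comparison is possible.
function buildRootIndex(publicRootsDer, digest = sha1Hex) {
  const index = new Map();
  for (const der of publicRootsDer) index.set(digest(der), der);
  return index;
}

// Classify the root of an observed chain.
function classifyRoot(rootDer, index, digest = sha1Hex) {
  const known = index.get(digest(rootDer));
  if (known === undefined) {
    // Unknown digest: treated as a private root and kept out of the
    // submission. A bogus chain made to look privately signed lands here,
    // and a stronger hash would not change that.
    return 'private-root:do-not-submit';
  }
  if (Buffer.compare(known, rootDer) === 0) {
    return 'public-root:submit';
  }
  // Same digest, different bytes: a forged root colliding with a
  // well-known one. Submitted and flagged (the flag is an assumption).
  return 'digest-collision:submit-and-flag';
}

// Constructed sample data: placeholder byte strings standing in for DER certs.
const PUBLIC_ROOTS = [
  Buffer.from('constructed public root A'),
  Buffer.from('constructed public root B'),
];
const PRIVATE_ROOT = Buffer.from('constructed corporate root');

// Deliberately weak constructed digest (first byte only), used solely to
// exercise the collision branch without a real SHA1 collision.
const firstByteDigest = (der) => der.subarray(0, 1).toString('hex');

function demo() {
  const index = buildRootIndex(PUBLIC_ROOTS);
  const weakIndex = buildRootIndex([PUBLIC_ROOTS[0]], firstByteDigest);
  return [
    classifyRoot(PUBLIC_ROOTS[1], index),
    classifyRoot(PRIVATE_ROOT, index),
    classifyRoot(PRIVATE_ROOT, weakIndex, firstByteDigest),
  ];
}
```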