[SSL Observatory] SSL CA compromise in the wild

Steve Schultze sjs at Princeton.EDU
Wed Mar 23 10:49:43 PDT 2011


On Mar 23, 2011, at 1:41 PM, Chris Palmer wrote:
> On 03/23/2011 10:33 AM, Steve Schultze wrote:
> 
>> I do wonder whether there has been any work on TOFU for SSL cert
>> verification other than the existing Firefox plugins like Cert
>> Patrol... of course cert rollover and accelerators probably make that
>> hard to do well.  Maybe TOFU of the CA rather than the leaf would be
>> viable.
> 
> Yes, cert rollover is a problem for TOFU, of course. I don't see why
> accelerators would be — you install your cert in your HTTPS endpoint,
> whatever that happens to be. Gmail, for example, is obviously hosted on
> many servers, but they all have the same cryptographic identity (and
> have had for a long time). (Last time I checked, anyway. See slides 62 -
> 65 of https://docs.google.com/present/view?id=df9sn445_206ff3kn9gs.)

http://dankaminsky.com/2010/12/19/dnssec-ch4/

"By standard security theory, bits are cheap, so if you have a hundred TLS accelerators, you should never move one private key into all of them.  Instead, you should make a hundred different keys, and sign them all with the same Certificate Authority."

Supposedly there are some prominent examples of this on banking sites.  Supposedly the hardware actually makes it hard or impossible to import your own private key.

>> Anyway, I stand by the first part of my email fwiw... SSH is just TOFU.
> 
> And I stand by my assertion that TOFU is significantly better than what
> we have. What we have is Total Pwnage.

Agreed.  There's just nothing special about SSH in this regard other than the fact that it does TOFU.
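The two pinning policies discussed in this thread (pin the leaf certificate, as Cert Patrol and SSH do, versus pin the issuing CA) behave very differently when a site spreads distinct keys across TLS accelerators. The following is an added example, not code from the thread or from any project mentioned in it: it reduces each handshake to the three fields a TOFU policy needs (host, SHA-256 of the leaf's SubjectPublicKeyInfo, issuer name), runs both policies over a constructed sequence of handshakes, and shows where each one alarms. The SPKI bytes and CA names are constructed placeholders, not real keys or real CAs.

```python
"""TOFU pinning at the leaf vs. at the issuing CA (added example, not from the thread).

Certificates are reduced to host, SPKI hash and issuer. The SPKI bytes and
issuer names below are constructed stand-ins, not real key material.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observation:
    """What a client sees on one TLS handshake (constructed, simplified)."""
    host: str
    spki_der: bytes   # stand-in for the DER-encoded SubjectPublicKeyInfo of the leaf
    issuer: str       # issuer distinguished name of the leaf certificate

    def leaf_fingerprint(self) -> str:
        return hashlib.sha256(self.spki_der).hexdigest()


@dataclass
class TofuStore:
    """Pins one identity per host on first sight and reports any later change.

    mode="leaf"   pins the leaf SPKI hash (SSH-style / Cert Patrol-style TOFU)
    mode="issuer" pins the issuing CA name ("TOFU of the CA rather than the leaf")
    """
    mode: str = "leaf"
    pins: dict = field(default_factory=dict)

    def identity(self, obs: Observation) -> str:
        if self.mode == "leaf":
            return obs.leaf_fingerprint()
        if self.mode == "issuer":
            return obs.issuer
        raise ValueError(f"unknown mode {self.mode!r}")

    def check(self, obs: Observation) -> str:
        """Return 'first-use', 'ok' or 'mismatch'; the pin is never overwritten on mismatch."""
        ident = self.identity(obs)
        pinned = self.pins.get(obs.host)
        if pinned is None:
            self.pins[obs.host] = ident
            return "first-use"
        return "ok" if pinned == ident else "mismatch"


def run_policy(mode: str, observations) -> list:
    """Apply one pinning policy to a sequence of handshakes and collect the verdicts."""
    store = TofuStore(mode)
    return [store.check(o) for o in observations]


# Constructed scenario: one hostname served by three accelerators, each with its
# own key but all issued by the same CA (the Kaminsky advice quoted above), followed
# by a certificate for the same host issued by a CA the site has never used.
CA_A = "CN=Example Root CA A"   # constructed issuer name
CA_B = "CN=Example Root CA B"   # constructed issuer name
HANDSHAKES = [
    Observation("mail.example.test", b"spki-accelerator-1", CA_A),
    Observation("mail.example.test", b"spki-accelerator-2", CA_A),  # second accelerator, same CA
    Observation("mail.example.test", b"spki-accelerator-3", CA_A),  # third accelerator, same CA
    Observation("mail.example.test", b"spki-accelerator-1", CA_A),  # back to the first key
    Observation("mail.example.test", b"spki-unexpected", CA_B),     # cert chaining to a different CA
]


def main() -> None:
    for mode in ("leaf", "issuer"):
        print(f"{mode:6s}", run_policy(mode, HANDSHAKES))


if __name__ == "__main__":
    main()
```

Running it shows the trade-off the thread circles around: leaf pinning alarms on every accelerator that presents a different key (and on every routine rollover), while issuer pinning stays quiet across the accelerators and only alarms when the chain moves to a CA the host never used before. Neither policy catches a certificate mis-issued by the pinned CA itself, which is exactly the compromise case in the subject line; issuer pinning narrows the set of CAs that can be abused against a given host, it does not remove the dependence on them.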

