[SSL Observatory] SSL CA compromise in the wild
Jacob Appelbaum
jacob at appelbaum.net
Wed Mar 23 18:47:06 PDT 2011
On 03/23/2011 06:29 PM, Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
>> Right, we're hoping that the CA key isn't compromised. I mean, more
>> compromised. :-)
>
> You don't need a CA key compromised, you just issue yourself a CA cert and use
> that to both issue fraudulent certs and verify, via OCSP, that they're not
> revoked.

It's doom and fire if you've convinced a CA to sign a cert for you where
the basic constraints don't stop you from becoming a CA.

>
> (Or use the '500' proxy trick, so you don't even need a CA cert. Once you
> can get a CA to sign just a single cert of your own devising it's game over,
> whether you make yourself a CA or not).

The 500 proxy trick is great. PKI defeated by HTTP!

All the best,
Jacob
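
Added example, not part of the original message or of any project's code: a sketch of the check a path validator applies so that a certificate without `cA: TRUE` in basicConstraints (RFC 5280, section 4.2.1.9) is rejected as an issuer. The chain layout, names and DER extension values are constructed for illustration, and only short-form DER lengths are handled.

```python
# Added example: enforce basicConstraints on every issuer in a chain.
# All extension values are constructed DER bytes, not from real certificates.

def parse_basic_constraints(der):
    """Parse a DER BasicConstraints value -> (is_ca, path_len or None)."""
    if der is None:                       # extension absent: not a CA
        return False, None
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed BasicConstraints SEQUENCE")
    body, is_ca, path_len = der[2:], False, None
    if body[:2] == b"\x01\x01" and len(body) >= 3:    # BOOLEAN cA, DEFAULT FALSE
        if body[2] not in (0x00, 0xFF):
            raise ValueError("non-DER BOOLEAN")
        is_ca, body = body[2] == 0xFF, body[3:]
    if body[:1] == b"\x02" and len(body) >= 3 and body[1] == len(body) - 2:
        if body[2] & 0x80:                # INTEGER pathLenConstraint must be >= 0
            raise ValueError("negative pathLenConstraint")
        path_len, body = int.from_bytes(body[2:], "big"), b""
    if body:
        raise ValueError("unexpected data in BasicConstraints")
    return is_ca, path_len

def check_chain(chain):
    """chain: list of (name, basicConstraints DER or None), leaf first.
    Returns a list of violations; an empty list means every issuer may issue."""
    problems = []
    for depth, (name, bc) in enumerate(chain[1:]):    # depth = issuers below this one
        is_ca, path_len = parse_basic_constraints(bc)
        if not is_ca:
            problems.append(f"{name}: used as issuer but cA is not TRUE")
        elif path_len is not None and depth > path_len:
            problems.append(f"{name}: pathLenConstraint {path_len} exceeded")
    return problems

CA_TRUE = bytes.fromhex("30030101ff")              # cA TRUE, no path length limit
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")  # cA TRUE, pathLen 0
NOT_CA = bytes.fromhex("3000")                     # empty SEQUENCE: cA defaults to FALSE

GOOD = [("leaf", NOT_CA), ("intermediate", CA_TRUE_PATHLEN0), ("root", CA_TRUE)]
ROGUE = [("fraudulent leaf", None),
         ("end-entity cert acting as issuer", NOT_CA),
         ("intermediate", CA_TRUE_PATHLEN0),
         ("root", CA_TRUE)]

if __name__ == "__main__":
    for label, chain in (("GOOD", GOOD), ("ROGUE", ROGUE)):
        print(label, check_chain(chain) or "ok")
```
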