[SSL Observatory] SSL CA compromise in the wild
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Mar 24 04:31:29 PDT 2011
Jacob Appelbaum <jacob at appelbaum.net> writes:
>They disclosed this in a bug report:
>https://bugzilla.mozilla.org/show_bug.cgi?id=643056
I don't have a blog to post this to :-) so I'll post it here:
Two interesting points about this issue, from observing what hasn't been said
rather than what has:
- The blacklist-based controls used in PKI (CRLs and OCSP) don't work, and the
vendors agree (Jacob Appelbaum has pointed this out too). AFAIK every
single one of them pushed out updates that hardcode the certs to be rejected
into their browsers. Looked at the other way round, not one single vendor
trusts the mechanisms that PKI is supposed to use to deal with these
certificates. So if you want to go through the motions for compliance
purposes, issue a CRL or OCSP. If you really care about the status of a
cert, do something else.
(If you can issue your own certs then it's even worse, just fit them with a
CRLDP extension pointing to an OCSP responder that you control and those
certs can never be revoked. It's another case of PKI relying on mechanisms
that involve asking the drunk whether he's drunk).
- The browser vendors have gone from passive collusion with CAs, refusing to
consider any authentication mechanism like TLS-PSK, TLS-SRP, Perspectives,
and others, that might threaten the CA's business model, to active collusion
with CAs, hiding details of the problem until Jacob Appelbaum's detective
work forced them to reveal it. In the case of an unpatched 0-day it makes
sense to conceal the issue, in this case it should have been publicised as
widely and quickly as possible in order to warn everyone against using these
certs. If the browser vendors are, as they appear from their actions here,
little more than patsies for commercial CAs, then it's little wonder that the
only response to ten years of failure of certs for server
authentication/phishing protection has been PKI-me-harder from browser
vendors.
So the interesting point (well, at least for me) isn't that fraudulent certs
were issued, since you've been able to do that for years simply by going to
CAs and asking for them (and in particular both live.com and mozilla certs,
involved in the attack here, have already been legitimately issued by CAs to
people who used this devious trick) but the peripheral actions around the
outside.
Peter.