[SSL Observatory] SSL CA compromise in the wild

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 24 04:31:29 PDT 2011


Jacob Appelbaum <jacob at appelbaum.net> writes:

>They disclosed this in a bug report:
>https://bugzilla.mozilla.org/show_bug.cgi?id=643056

I don't have a blog to post this to :-) so I'll post it here:

Two interesting points about this issue, from observing what hasn't been said
rather than what has:

- The blacklist-based controls used in PKI (CRLs and OCSP) don't work, and the
  vendors agree (Jacob Appelbaum has pointed this out too).  AFAIK every
  single one of them pushed out updates that hardcode the certs to be rejected
  into their browsers.  Looked at the other way round, not one single vendor
  trusts the mechanisms that PKI is supposed to use to deal with these
  certificates.  So if you want to go through the motions for compliance
  purposes, issue a CRL or OCSP.  If you really care about the status of a
  cert, do something else.

  (If you can issue your own certs then it's even worse, just fit them with a
  CRLDP extension pointing to an OCSP responder that you control and those
  certs can never be revoked.  It's another case of PKI relying on mechanisms
  that involve asking the drunk whether he's drunk).

- The browser vendors have gone from passive collusion with CAs, refusing to
  consider any authentication mechanism like TLS-PSK, TLS-SRP, Perspectives,
  and others, that might threaten the CA's business model, to active collusion
  with CAs, hiding details of the problem until Jacob Appelbaum's detective
  work forced them to reveal it.  In the case of an unpatched 0-day it makes
  sense to conceal the issue, in this case it should have been publicised as
  widely and quickly as possible in order to warn everyone against using these
  certs.  If the browser vendors are, as they appear from their actions here,
  little more than patsies for commercial CAs, then it's little wonder that the
  only response to ten years of failure of certs for server
  authentication/phishing protection has been PKI-me-harder from browser
  vendors.

So the interesting point (well, at least for me) isn't that fraudulent certs
were issued, since you've been able to do that for years simply by going to
CAs and asking for them (and in particular both live.com and mozilla certs,
involved in the attack here, have already been legitimately issued by CAs to
people who used this devious trick) but the peripheral actions around the
outside.

Peter.
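An added example, not part of Peter Gutmann's post or of the thread, to make the first bullet concrete: the CRL Distribution Points extension is just data the issuer encodes into the certificate, so the "where do I check revocation" pointer is chosen by the very party whose output is in question, whereas a hardcoded blocklist keyed on the certificate's own hash (what the vendor updates did) rejects the certificate no matter what any responder says. Everything here is constructed for the example and uses only the Python standard library: the DER helpers are a minimal hand-written codec, `build_sample_cert` produces a stand-in structure that carries the extension but is not a valid X.509 certificate, and the URIs, serial numbers, names and responder answers are made up.

```python
import hashlib

def tlv(tag, content):
    """Minimal DER: tag + length (short or long form) + content; single-byte tags only."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(b)]) + b
    return bytes([tag]) + length + content

def oid_content(dotted):
    """Content octets of an OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(enc))
    return bytes(body)

def parse_tlv(data, off=0):
    """Return (tag, content, offset of the next element)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length

def children(content):
    """(tag, content) of every element inside a constructed value."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        out.append((tag, body))
    return out

OID_CRLDP = "2.5.29.31"   # id-ce-cRLDistributionPoints (RFC 5280)

def build_sample_cert(serial, subject_cn, crl_uri):
    """Constructed stand-in for a certificate: serial, a name and an extensions block
    with one CRL Distribution Points extension. Not valid X.509, just the layout."""
    # DistributionPoint { distributionPoint [0] { fullName [0] { uniformResourceIdentifier [6] } } }
    dp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, crl_uri.encode("ascii")))))
    ext = tlv(0x30, tlv(0x06, oid_content(OID_CRLDP)) + tlv(0x04, tlv(0x30, dp)))
    serial_der = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    return tlv(0x30, serial_der + tlv(0x0C, subject_cn.encode()) + tlv(0xA3, tlv(0x30, ext)))

def crl_distribution_points(cert_der):
    """URIs in the CRL Distribution Points extension. The issuer wrote them, so following
    them means asking the issuer's own infrastructure whether the issuer's cert is bad."""
    uris = []
    for tag, body in children(parse_tlv(cert_der)[1]):
        if tag != 0xA3:                            # [3] EXPLICIT Extensions
            continue
        for _, ext in children(parse_tlv(body)[1]):
            fields = children(ext)                 # extnID, [critical], extnValue
            if fields[0] != (0x06, oid_content(OID_CRLDP)):
                continue
            for _, dp in children(parse_tlv(fields[-1][1])[1]):   # OCTET STRING -> SEQUENCE OF DP
                for dtag, dbody in children(dp):
                    if dtag != 0xA0:               # distributionPoint [0]
                        continue
                    for ntag, names in children(dbody):
                        if ntag != 0xA0:           # fullName [0] GeneralNames
                            continue
                        for gtag, gbody in children(names):
                            if gtag == 0x86:       # uniformResourceIdentifier [6]
                                uris.append(gbody.decode("ascii"))
    return uris

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def issuer_published_status(cert_der, responder_answers):
    """Stand-in for a CRL/OCSP lookup: responder_answers maps responder URI to the
    status it returns. Unknown or unreachable counts as 'good' (the usual soft-fail)."""
    answers = [responder_answers.get(u, "unknown") for u in crl_distribution_points(cert_der)]
    return "revoked" if "revoked" in answers else "good"

def check_certificate(cert_der, blocklist, responder_answers):
    """Order the vendor updates implied: hardcoded blocklist first, issuer status second."""
    if fingerprint(cert_der) in blocklist:
        return "rejected (hardcoded blocklist)"
    if issuer_published_status(cert_der, responder_answers) == "revoked":
        return "rejected (CRL/OCSP)"
    return "accepted"

# Constructed samples: the only revocation pointer in each certificate is a responder
# operated by the same party that issued the certificate, and it never revokes its own work.
RESPONDER_URI = "http://crl.self-operated.example/list.crl"
FRAUDULENT_CERT = build_sample_cert(0x1234, "login.example.net", RESPONDER_URI)
HONEST_CERT = build_sample_cert(0x1235, "www.example.org", RESPONDER_URI)
RESPONDER_ANSWERS = {RESPONDER_URI: "good"}
HARDCODED_BLOCKLIST = {fingerprint(FRAUDULENT_CERT)}   # what the browser updates did instead
```

Calling `check_certificate(FRAUDULENT_CERT, set(), RESPONDER_ANSWERS)` returns "accepted", because the only responder the relying party can consult is the one named in the certificate; with `HARDCODED_BLOCKLIST` supplied it returns "rejected (hardcoded blocklist)" without the responder being asked at all, while `HONEST_CERT` is still accepted. The soft-fail in `issuer_published_status` is deliberate: it mirrors how clients treat an unreachable responder, which is the other half of why the mechanism cannot be relied on.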


