[SSL Observatory] Interesting fun with Verisign and X.509 by Kaminsky, Patterson, Sassaman

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu May 5 06:16:41 PDT 2011


Len Sassaman <len.sassaman at gmail.com> writes:

>That said, I'm convinced there are more such problems waiting to be
>discovered. 

I was told by someone working for a Big Software Vendor that they've performed
JavaScript attacks using certs, so that at least works alongside the SQL ones.
Somewhere I've got (or at least had) a composite cert with SQL, JavaScript,
PHP, and VBScript in the DN, but apart from the SQL never really got around to
trying it with too many things to see what was vulnerable.

>S/MIME and STARTTLS are obvious targets, and OCSP keeps me up at night.

Drifting way off topic, but what scares me most of all the security protocols
is SSH's encoding (the crazy mix of binary data and comma-delimited text
strings is just asking for trouble), followed at a distance by PGP/OpenPGP,
then behind that (but not too far) SSL/TLS, and ASN.1 some way behind that.

>I'm happy to send a draft, when it's finished, to this list if there's
>interest.

+1.

Peter.
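
Added example, not part of the original message: a defender's sketch of treating a certificate subject DN as untrusted input when it is stored and displayed. The sample DN, the table layout, the function names and the character allowlist are all assumptions made for illustration.

```python
import html
import re
import sqlite3

# Constructed sample: a subject DN (string form) whose attribute values carry
# SQL and HTML metacharacters, as a hostile certificate requester could submit.
SAMPLE_DN = "CN=x'); DROP TABLE certs;--,O=<script>alert(1)</script>,C=NZ"

# Conservative allowlist used only to flag odd DNs for review
# (hypothetical policy, not taken from any standard).
_PLAIN = re.compile(r"[A-Za-z0-9 .,=*@_:/()-]*")


def is_suspicious(dn: str) -> bool:
    """True when the DN contains any character outside the allowlist."""
    return _PLAIN.fullmatch(dn) is None


def store_subject(conn: sqlite3.Connection, dn: str) -> None:
    """Store the DN through bound parameters so it is never parsed as SQL."""
    conn.execute(
        "INSERT INTO certs (subject, flagged) VALUES (?, ?)",
        (dn, int(is_suspicious(dn))),
    )


def render_subject(dn: str) -> str:
    """Escape the DN before it is placed in an HTML table cell."""
    return "<td>" + html.escape(dn, quote=True) + "</td>"


def demo():
    """Store a hostile and a benign DN, then return the rows and one cell."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (subject TEXT, flagged INTEGER)")
    store_subject(conn, SAMPLE_DN)
    store_subject(conn, "CN=www.example.org,O=Example Org,C=NZ")
    rows = conn.execute("SELECT subject, flagged FROM certs").fetchall()
    return rows, render_subject(SAMPLE_DN)


if __name__ == "__main__":
    rows, cell = demo()
    for subject, flagged in rows:
        print(flagged, subject)
    print(cell)
```

The flag is only a review aid; the bound parameters and the output escaping are what keep the DN from being interpreted as SQL or markup.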


