[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Gervase Markham gerv at mozilla.org
Mon Sep 5 02:23:04 PDT 2011


Hi Peter,

On 04/09/11 07:15, Peter Gutmann wrote:
> Blacklist-based validity checking, the Second Dumbest Idea in Computer
> Security (Marcus Ranum), doesn't work: 
> 
>   Diginotar issued certs for which there was no record of issuance, therefore
>   they couldn't be revoked.  Whitelist-based checking would have prevented
>   this.

Surely OCSP is whitelist-based checking? (I can't imagine engineering an
OCSP server which, when asked about a certificate for which it had no
record, said "Fine, no problem!")

> Universal implicit cross-certification makes the entire system as weak as the
> weakest link:
> 
>   Diginotar apparently issued certs for other major CAs like Equifax, Thawte,
>   and VeriSign, allowing them to usurp other major CAs.

I would disagree that _this_ makes the entire system as weak as its
weakest link. It only makes systems which choose to interlink in any way
as weak as the weakest link.

The thing which makes the entire system as weak as its weakest link is
the lack of CA pinning.

>   An HSM or smart card that does anything the PC that it's attached to tells
>   it to is only slightly more secure than simply storing the key directly on
>   the PC.  You need to do more to secure a high-value signing process than
>   sprinkling smart card/HSM pixie dust around and declaring victory.

This is true, but I'm not sure it's particularly relevant. (Who claims
that HSMs are magic pixie dust?)

> Lack of breach disclosure requirements for CAs means that they'll cover
> problems up if they can get away with it:

Do you think that remains true? Comodo didn't cover their problems up,
and are still in business. DigiNotar covered theirs up, and are not.
Covering up is a massive business gamble, because if anyone finds the
certs in the wild (as happened here), you are toast. Particularly given
that browsers are deploying more technologies like pinning which makes
this sort of attack easier to find, it would be a brave CA who covered a
breach up after the lesson we had last week. You'd have to be pretty
darn confident any misissued certs didn't get obtained by the attackers
- and if they didn't get out, is there actually a problem?

>   there's nothing protecting the user.  Even the most trivial checks by
>   browsers would have caught the fake Google wildcard cert that started all
>   this.

What sort of "trivial checks" are you suggesting?

>   Diginotar both passed audits in order to get on the browser gravy train and
>   then passed a second level of auditing after the compromise was discovered.
>   The auditors somehow missed the fact that the Diginotar site showed a two-year
>   history of compromise by multiple hacking groups, something that a
>   bunch of random commentators on blogs had no problem finding.

I think there are definitely searching questions to ask of DigiNotar's
auditors.

>   available.  There is no fallback.  Site owners who are concerned about the
>   security of their users can't do anything, because the browser vendors have
>   chosen to prevent them from employing any other option (I can't, for
>   example, turn on TLS-PSK or TLS-SRP in my server, because no browsers
>   support it - it would make the CAs look bad if it were deployed).

Patches welcome? (Or did we reject them already? :-)

Gerv
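The blacklist-versus-whitelist point Peter raises, and Gerv's question about whether OCSP is already whitelist-based, can be made concrete with a small model. The following is an added example and is not code from the thread or from any CA or browser: it uses plain dictionaries instead of real X.509 or OCSP messages, and every name and serial in it is constructed. It contrasts a CRL-style responder, which calls anything it has not explicitly revoked "good", with an issuance-log responder, which answers "good" only for serials the CA recorded issuing.

```python
"""Blacklist- versus whitelist-style certificate status checking.

Added example, not part of the mailing-list thread. A toy CA logs the
serials it issues and keeps a revocation set. Two status functions then
answer the same question in the two styles the thread argues about.
"""

from dataclasses import dataclass, field


@dataclass
class CertificateAuthority:
    """Toy CA: records every serial it issues and keeps a revocation set."""

    name: str
    issued: dict = field(default_factory=dict)   # serial -> subject name
    revoked: set = field(default_factory=set)
    next_serial: int = 1000

    def issue(self, subject: str) -> int:
        serial = self.next_serial
        self.next_serial += 1
        self.issued[serial] = subject
        return serial

    def revoke(self, serial: int) -> None:
        # A CA can only revoke what it knows about; an intruder-minted
        # serial never reaches this set.
        self.revoked.add(serial)


def blacklist_status(ca: CertificateAuthority, serial: int) -> str:
    """CRL-style answer: anything not on the revocation list is 'good'."""
    return "revoked" if serial in ca.revoked else "good"


def whitelist_status(ca: CertificateAuthority, serial: int) -> str:
    """Issuance-log answer: 'good' only for serials the CA recorded issuing.

    A serial with no issuance record gets 'unknown', which the relying
    party below treats as a failure rather than a pass.
    """
    if serial in ca.revoked:
        return "revoked"
    if serial in ca.issued:
        return "good"
    return "unknown"


def relying_party_accepts(status: str) -> bool:
    """A relying party should proceed only on an explicit 'good'."""
    return status == "good"


def demo() -> dict:
    """Constructed scenario: one legitimately issued cert, one minted with a
    stolen signing key and therefore absent from the issuance log."""
    ca = CertificateAuthority("Example CA")
    legit = ca.issue("www.example.test")
    rogue = 0xDEADBEEF  # constructed serial; the CA never logged it
    return {
        "legit_blacklist": relying_party_accepts(blacklist_status(ca, legit)),
        "legit_whitelist": relying_party_accepts(whitelist_status(ca, legit)),
        "rogue_blacklist": relying_party_accepts(blacklist_status(ca, rogue)),
        "rogue_whitelist": relying_party_accepts(whitelist_status(ca, rogue)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The rogue serial is accepted by the blacklist responder and rejected by the whitelist one, which is the whole difference. The caveat a practitioner would add is that the whitelist only helps if the issuance log lives somewhere the signing host cannot silently append to; if the same intruder who holds the key can also write the log, both styles collapse to the same answer.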
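Gerv's point that the lack of CA pinning is what makes the whole system as weak as its weakest link can also be shown in code. The following is an added example and not code from the thread, from Mozilla or from any browser: the three root CAs, their key bytes and the pin table are all constructed, and path validation is reduced to "the top of the chain is a trusted root". It shows that with every root trusted equally, any one of them can vouch for any host, while a per-host pin set restricts which issuers are acceptable for that host.

```python
"""CA pinning as a relying-party check.

Added example, not part of the mailing-list thread. Pins here are SHA-256
over constructed public-key bytes, standing in for the SPKI hashes a
real client would pin; chains are lists of issuer keys, leaf issuer
first, root last.
"""

from hashlib import sha256


def spki_pin(public_key: bytes) -> str:
    """Pin value for an issuer: SHA-256 over its public key bytes."""
    return sha256(public_key).hexdigest()


# Constructed data: three root CAs the client trusts equally by default.
ROOT_KEYS = {
    "CA-A": b"constructed-public-key-of-CA-A",
    "CA-B": b"constructed-public-key-of-CA-B",
    "CA-C": b"constructed-public-key-of-CA-C",
}
TRUSTED_ROOT_PINS = {spki_pin(k) for k in ROOT_KEYS.values()}

# Constructed pin table: only CA-A may vouch for www.example.test.
PINS = {
    "www.example.test": {spki_pin(ROOT_KEYS["CA-A"])},
}


def path_validates(issuer_keys: list) -> bool:
    """Toy stand-in for X.509 path validation: the chain's top-most issuer
    must be one of the trusted roots."""
    return bool(issuer_keys) and spki_pin(issuer_keys[-1]) in TRUSTED_ROOT_PINS


def pin_validates(host: str, issuer_keys: list) -> bool:
    """Pin check: if the host has pins, at least one key anywhere in the
    chain must hash to one of them. Hosts without pins are unaffected."""
    pins = PINS.get(host)
    if not pins:
        return True
    return any(spki_pin(k) in pins for k in issuer_keys)


def accept(host: str, issuer_keys: list) -> bool:
    """Normal path validation first, then the pin check on top of it."""
    return path_validates(issuer_keys) and pin_validates(host, issuer_keys)


def demo() -> dict:
    """Constructed scenario: CA-B is trusted by default but is the one that
    has been compromised and is now signing certs for other CAs' customers."""
    via_a = [ROOT_KEYS["CA-A"]]
    via_b = [ROOT_KEYS["CA-B"]]
    return {
        "pinned_host_via_A": accept("www.example.test", via_a),
        "pinned_host_via_B": accept("www.example.test", via_b),
        "unpinned_host_via_B": accept("other.example.test", via_b),
        "untrusted_issuer": accept("other.example.test", [b"not-a-root"]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The certificate from the compromised CA-B passes path validation for both hosts but is rejected for the pinned one, so a pinned site is only as weak as the CAs it chose to pin, not as weak as the weakest root in the store.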


