[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 6 00:12:19 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:

>But the client can include a nonce in the request and compare it with the
>response

The response will come back without the nonce.  That was Verisign's
"performance optimisation" (since copied by other CAs).

>And if it doesn't fit the client request, or not within the client "good
>timeframe", this response will be discarded. Then, depending on the client,
>this will be a hard fail, or a switch to CRLs.

This relies on synchronised clocks between client and server, which is often
not the case (there have been various informal studies by web sites on how
out-of-sync client PC clocks are, I can dig up some refs if required, but in
practice clocks are all over the place).  In addition the SSL handshake
advertises how out-of-sync the client's clock is in the first message it
sends, so an attacker can use that to see which stale response to replay.

Peter.
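The two checks discussed in the thread, and the way they fail together, are easier to see in code. The following is an added example, not code from the original post or from any CA or client implementation: the OCSP response is modelled as a plain record rather than real DER, the `SKEW_TOLERANCE` value and all timestamps are constructed for the demonstration, and only the ClientHello parsing follows a real wire format (the TLS 1.0-1.2 layout in which the first four bytes of Random carry gmt_unix_time). It shows that a nonce-echoing responder defeats replay regardless of the client clock, that a nonce-less response reduces the check to a time-window comparison against the client's clock, and how an attacker who reads gmt_unix_time from the ClientHello can choose a stale response that falls inside the skewed client's "good timeframe".

```python
"""Model of the OCSP freshness check and the ClientHello clock leak.
Added example; not code from the original thread.  The OCSP response is
a simplified record, not real DER, and every timestamp, nonce and the
ClientHello bytes are constructed for the demo."""
import os
import struct
from dataclasses import dataclass
from typing import Optional

SKEW_TOLERANCE = 300  # seconds of skew a client forgives (assumed value)


@dataclass
class OcspResponse:
    # Simplified view of a BasicOCSPResponse: status, the validity window,
    # and the nonce extension if the responder echoed it (None if omitted).
    cert_status: str
    this_update: int
    next_update: int
    nonce: Optional[bytes]


def ocsp_is_fresh(resp, request_nonce, client_now, tolerance=SKEW_TOLERANCE):
    """Return True if a client should accept `resp` as a fresh answer.
    A nonce that is present must match the request; an absent nonce (the
    "performance optimisation") leaves only the time window as a check,
    and that window is evaluated against the *client's* idea of the time."""
    if resp.nonce is not None and resp.nonce != request_nonce:
        return False  # echoed nonce does not belong to our request
    if client_now + tolerance < resp.this_update:
        return False  # response claims to come from the future
    if client_now - tolerance > resp.next_update:
        return False  # response has expired
    return True


def client_hello_gmt_unix_time(record: bytes) -> int:
    """Extract gmt_unix_time from a TLS ClientHello record (TLS 1.0-1.2):
    5-byte record header, 4-byte handshake header, 2-byte client_version,
    then Random, whose first 4 bytes are the client's clock in seconds."""
    if len(record) < 15 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    return struct.unpack("!I", record[11:15])[0]


def build_client_hello(gmt_unix_time: int) -> bytes:
    """Construct a minimal, truncated ClientHello record for the demo."""
    random = struct.pack("!I", gmt_unix_time) + os.urandom(28)
    body = b"\x03\x03" + random  # client_version TLS 1.2 + Random
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def pick_replay(captured_responses, client_hello):
    """Attacker side: read the victim's clock from its ClientHello and return
    a captured nonce-less response whose window the victim will still accept."""
    victim_now = client_hello_gmt_unix_time(client_hello)
    for r in captured_responses:
        if r.nonce is None and ocsp_is_fresh(r, b"", victim_now):
            return r
    return None


def demo():
    real_now = 1_315_000_000          # "true" time (constructed)
    victim_now = real_now - 6 * 86400  # victim's clock is six days behind
    req_nonce = os.urandom(16)
    day = 86400

    # A responder that echoes nonces: an old capture carries a foreign nonce.
    nonced = OcspResponse("good", real_now - 7 * day, real_now - day, os.urandom(16))
    # A responder that omits the nonce: this response expired a day ago in real
    # time, but sits five days inside the window for the six-days-slow client.
    unnonced = OcspResponse("good", real_now - 7 * day, real_now - day, None)

    nonce_replay = ocsp_is_fresh(nonced, req_nonce, victim_now)   # False
    vs_real_clock = ocsp_is_fresh(unnonced, req_nonce, real_now)  # False
    vs_victim = ocsp_is_fresh(unnonced, req_nonce, victim_now)    # True
    chosen = pick_replay([nonced, unnonced], build_client_hello(victim_now))
    return nonce_replay, vs_real_clock, vs_victim, chosen is unnonced


if __name__ == "__main__":
    print(demo())  # (False, False, True, True)
```

The point the demo makes is that the validity window is a defence only when the client's clock agrees with the responder's; the nonce is the check that does not depend on time, and it is exactly the one the optimisation removes.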
