[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Erwann ABALEA erwann at abalea.com
Tue Sep 6 00:32:43 PDT 2011


2011/9/6 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
> Erwann ABALEA <erwann at abalea.com> writes:
>
>>But the client can include a nonce in the request and compare it with the
>>response
>
> The response will come back without the nonce.  That was Verisign's
> "performance optimisation" (since copied by other CAs).

I agree it's both:
 - bad (defeating the purpose of a nonce, which was optional)
 - useless (looking at our OCSP responders' logs, there's clearly *NO*
nonce sent by the clients, over hundreds of millions of browser-based
requests)

Do you have any CA in mind doing this (ignoring the nonce)?

>>And if it doesn't fit the client request, or not within the client "good
>>timeframe", this response will be discarded. Then, depending on the client,
>>this will be a hard fail, or a switch to CRLs.
>
> This relies on synchronised clocks between client and server, which is often
> not the case (there have been various informal studies by web sites on how
> out-of-sync client PC clocks are, I can dig up some refs if required, but in
> practice clocks are all over the place).

The good timeframe can span a whole day.
Starting with Windows XP (SP3 at most), the clock is synchronized with
some servers (by default). It's also the same with MacOSX machines.
Not at all with Linux (or any other Unix-like), though.

>  In addition the SSL handshake
> advertises how out-of-sync the client's clock is in the first message it
> sends, so an attacker can use that to see which stale response to replay.

Nice optimization :)

-- 
Erwann.
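To make the two checks discussed in this exchange concrete, here is an added example (not code from the thread, the EFF Observatory project, or any CA): a small model of a client-side OCSP response check that enforces the request nonce and a "good timeframe" around thisUpdate/nextUpdate with a one-day clock-skew tolerance, plus a scenario showing why a responder that strips the nonce lets a stale "good" response be replayed inside that window. Responses are plain dicts standing in for the relevant OCSP fields; signatures are assumed already verified, and all timestamps and nonces are constructed.

```python
"""Model of OCSP nonce and freshness checks (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import secrets

DAY = timedelta(days=1)          # the "whole day" tolerance from the thread


@dataclass(frozen=True)
class OcspResponse:
    """Only the fields the freshness/nonce logic needs; signature assumed valid."""
    cert_status: str                 # "good" | "revoked" | "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # responders may omit it
    nonce: Optional[bytes]           # None when the responder dropped the extension


def make_request_nonce() -> bytes:
    """Fresh per-request nonce a client would place in the OCSP request."""
    return secrets.token_bytes(16)


def validate(resp: OcspResponse, request_nonce: Optional[bytes], now: datetime,
             require_nonce: bool, max_skew: timedelta = DAY) -> Tuple[bool, str]:
    """Return (accepted, reason) for a response seen at client time `now`."""
    if request_nonce is not None:
        if resp.nonce is None:
            # Responder omitted the nonce (the "performance optimisation").
            if require_nonce:
                return False, "nonce missing from response"
        elif resp.nonce != request_nonce:
            return False, "nonce mismatch"
    # Freshness window, tolerating client clocks that are off by up to max_skew.
    if resp.this_update > now + max_skew:
        return False, "thisUpdate in the future"
    if resp.next_update is not None:
        if now > resp.next_update + max_skew:
            return False, "response expired (nextUpdate passed)"
    elif now - resp.this_update > max_skew:
        return False, "no nextUpdate and thisUpdate too old"
    return True, "ok"


# Constructed reference data for the scenarios below.
T0 = datetime(2011, 9, 1, tzinfo=timezone.utc)
GOOD = OcspResponse("good", T0, T0 + 7 * DAY, nonce=b"\x01" * 16)


def replay_scenario(require_nonce: bool) -> bool:
    """True if a 'good' response captured before revocation is still accepted.

    The responder echoes no nonce and signs responses valid for 7 days; two days
    later the certificate is revoked and the client asks with a fresh nonce.
    """
    captured = OcspResponse("good", T0, T0 + 7 * DAY, nonce=None)
    accepted, _ = validate(captured, make_request_nonce(), T0 + 2 * DAY,
                           require_nonce=require_nonce)
    return accepted


def clock_scenario(client_offset_hours: int) -> Tuple[bool, str]:
    """Correct nonce, but the client clock is off by the given number of hours."""
    now = T0 + timedelta(hours=client_offset_hours)
    return validate(GOOD, GOOD.nonce, now, require_nonce=True)


def nonce_scenario(echoed: Optional[bytes]) -> Tuple[bool, str]:
    """Client sent GOOD.nonce; the responder echoed `echoed` (or nothing)."""
    resp = OcspResponse("good", T0, T0 + 7 * DAY, nonce=echoed)
    return validate(resp, GOOD.nonce, T0 + DAY, require_nonce=True)


if __name__ == "__main__":
    print("replay accepted without nonce enforcement:", replay_scenario(False))
    print("replay accepted with nonce enforcement:   ", replay_scenario(True))
    print("client 12h slow:", clock_scenario(-12))
    print("client 2 days slow:", clock_scenario(-48))
    print("response 9 days old:", clock_scenario(9 * 24))
```

The replay scenario is the point of the thread: with the nonce gone, the only thing bounding the replay is the thisUpdate/nextUpdate window widened by the skew tolerance, so the longer a responder's validity period and the more generous the client's timeframe, the longer a pre-revocation "good" answer stays usable.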
