[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
ArkanoiD
ark at eltex.net
Tue Sep 6 01:28:07 PDT 2011
BTW, are default NTP setups in major OS distributions secure out of the box?
I doubt it.
On Tue, Sep 06, 2011 at 09:50:39AM +0200, Jacob Appelbaum wrote:
> On 09/06/2011 09:12 AM, Peter Gutmann wrote:
> > Erwann ABALEA <erwann at abalea.com> writes:
> >
> >> But the client can include a nonce in the request and compare it with the
> >> response
> >
> > The response will come back without the nonce. That was Verisign's
> > "performance optimisation" (since copied by other CAs).
> >
> >> And if it doesn't fit the client request, or not within the client "good
> >> timeframe", this response will be discarded. Then, depending on the client,
> >> this will be a hard fail, or a switch to CRLs.
> >
> > This relies on synchronised clocks between client and server, which is often
> > not the case (there have been various informal studies by web sites on how
> > out-of-sync client PC clocks are, I can dig up some refs if required, but in
> > practice clocks are all over the place). In addition the SSL handshake
> > advertises how out-of-sync the client's clock is in the first message it
> > sends, so an attacker can use that to see which stale response to replay.
> >
>
> Consider the case where a user is on a GSM cell phone and the attacker
> controls the entire phone network - they can set the time on the phone
> to be whatever they'd like.
>
> All the best,
> Jacob
>
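The replay scenario discussed above, modelled as an added example (this code is not part of the mailing-list thread and is not anyone's posted code). It shows the two pieces Gutmann's point rests on: an on-path attacker reads the 32-bit gmt_unix_time that pre-TLS-1.3 clients sent at the front of the ClientHello Random, learns the client's clock skew, and then selects, from a cache of previously captured OCSP responses, a stale "good" response whose thisUpdate/nextUpdate window still covers the client's wrong idea of "now". The ClientHello bytes and the OCSP response records are constructed for the example (the OCSP objects are a plain dataclass, not real DER), the TLS record layout follows RFC 5246, and `TRUE_NOW`, `CACHE`, and every function name are assumptions. The nonce check only helps a client that hard-fails when the nonce comes back missing, which is exactly the "performance optimisation" the thread complains about.

```python
"""
Added example (not from the original thread): OCSP stale-response replay
against a client whose clock skew the attacker learns from the ClientHello.
"""
import struct
from dataclasses import dataclass
from typing import Optional


def client_time_from_client_hello(record: bytes) -> int:
    """Extract gmt_unix_time from a TLS 1.0-1.2 ClientHello (RFC 5246 7.4.1.2).

    TLSPlaintext header: type(1) version(2) length(2); Handshake header:
    msg_type(1) uint24 length(3); then client_version(2) and Random, whose
    first 4 bytes are gmt_unix_time. Offsets 11..15 hold that field.
    TLS 1.3 (RFC 8446) and most modern stacks send random bytes there instead.
    """
    if len(record) < 15 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return struct.unpack(">I", record[11:15])[0]


def make_client_hello(gmt_unix_time: int) -> bytes:
    """Constructed minimal ClientHello for the example (one cipher suite, no extensions)."""
    random32 = struct.pack(">I", gmt_unix_time) + b"\x11" * 28  # constructed, not random
    body = (b"\x03\x03" + random32 + b"\x00"          # version, Random, empty session id
            + b"\x00\x02\xc0\x2f"                    # one cipher suite
            + b"\x01\x00" + b"\x00\x00")             # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


@dataclass(frozen=True)
class OcspResponse:
    """Only the fields that matter for replay: validity window, status, nonce."""
    this_update: int
    next_update: int
    status: str              # "good" or "revoked"
    nonce: Optional[bytes]   # None when the responder omits the nonce


TRUE_NOW = 1315300000        # assumed "real" time on the attacker's side (Sep 2011)
DAY = 86400
# Constructed cache of responses the attacker captured earlier for the same cert:
CACHE = [
    OcspResponse(TRUE_NOW - 35 * DAY, TRUE_NOW - 28 * DAY, "good", None),       # stale, pre-revocation
    OcspResponse(TRUE_NOW - 3600, TRUE_NOW + 7 * DAY, "revoked", None),          # current answer
]


def attacker_picks_replay(cache, client_now: int) -> Optional[OcspResponse]:
    """Pick a cached 'good' response still inside its window at the client's clock."""
    candidates = [r for r in cache
                  if r.status == "good" and r.this_update <= client_now <= r.next_update]
    return max(candidates, key=lambda r: r.next_update, default=None)


def client_accepts(resp: OcspResponse, sent_nonce: bytes, client_now: int,
                   require_nonce: bool) -> bool:
    """Client-side model: window checked against the client's own clock, then the nonce.

    A responder that strips the nonce is only caught if require_nonce is True,
    i.e. the client hard-fails rather than tolerating a nonce-less response.
    """
    if not (resp.this_update <= client_now <= resp.next_update):
        return False
    if resp.nonce is None:
        return not require_nonce
    return resp.nonce == sent_nonce


def run_scenario(true_now: int = TRUE_NOW, client_skew: int = -30 * DAY,
                 require_nonce: bool = False) -> dict:
    """Client with a skewed clock talks through an on-path attacker; report the outcome."""
    client_now = true_now + client_skew
    hello = make_client_hello(client_now)
    # Attacker's view: the ClientHello leaks how far the client's clock is off.
    observed_skew = client_time_from_client_hello(hello) - true_now
    replay = attacker_picks_replay(CACHE, true_now + observed_skew)
    sent_nonce = b"\x01\x02\x03\x04"   # constructed nonce the client put in its request
    accepted = replay is not None and client_accepts(replay, sent_nonce, client_now, require_nonce)
    return {"observed_skew": observed_skew,
            "replayed": replay.status if replay else None,
            "accepted": accepted}


if __name__ == "__main__":
    print(run_scenario())                     # skewed clock, tolerant client: stale "good" accepted
    print(run_scenario(require_nonce=True))   # same, but client hard-fails on missing nonce
    print(run_scenario(client_skew=0))        # accurate clock: nothing in the cache fits
```

Two things the model makes visible: the attacker never has to guess the skew, because the handshake hands it over before any certificate is sent, and an accurate client clock alone defeats the cached response here only because nothing in the cache covers the real "now"; a client that tolerates nonce-less responses stays exposed whenever any stale window still overlaps its clock.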