[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 09:45:30 CST 2008


On Wed, Dec 31, 2008 at 7:06 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>
>> > Yup, SSL is pretty much dead now.
>>
>> Uh, no.
>
> Well, 2 root certs have been compromised.

No, this isn't correct either.

One root CA issued a single bad certificate for a single domain. That CA
has now corrected its practices.

A second root CA issued a single CA certificate. This certificate has invalid
markers (it's way out of date) and the private key for that certificate
is known only to some small group of people. In effect, they're a CA.
As long as they behave properly (i.e., don't issue false certificates),
there's no problem.


>  Even one root cert is enough
> to kill SSL.

Again, this isn't correct. If the CCC team ever starts issuing false
certificates
for real, the browser manufacturers will just blacklist it. It's really quite
straightforward.



>> Uh, there have been a grand total of two certificates that we know of
>> being issued to the wrong people. That's hardly the end of the world.
>> Yes, I totally agree that CA procedures could be significantly
>> tighter, but I think "can't rely" is rather too strong.
>
> Well, if you are in the same network with those who just presented an
> attack on a root CA, you better not rely on SSL :).

And if you're on the same network with people who know about a remote
exploit in your machine, then you better not trust the software on your
machine. Given that there has been a major break in both common
SSH and SSL implementations this year (the Debian PRNG bug), it's a little
odd to be complaining about how this particular issue, which is extremely
hard to exploit, is the end of the world for SSL.


>> Additionally,the only part of SSL/TLS that this stuff implicates is
>> a feature SSH doesn't even have, namely third party authentication.
>
> Exactly. But for my server, I got the exact fingerprint. But I don't
> have it for every server I use using SSL.

Right. SSL is usable in a much wider set of settings than SSH. It's
those settings that are implicated by attacks on CAs.

-Ekr


More information about the Security mailing list