[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 10:26:15 CST 2008


On Wed, Dec 31, 2008 at 8:10 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>
>> No, this isn't correct either.
>>
>> One root CA issued a single bad certificate for a single domain. That
>> CA has now corrected its practices.
>
> Well, we *KNOW* of one. That doesn't mean there aren't more.

Sure. But we also don't know that there are more. We don't know
there's not a back door in J. Random XMPP client. So what?

Remember, you're claiming that "SSL is dead" on the basis of this.
I'd hope to see more evidence than "we don't know" for an assertion
that strong.

>> A second root CA issued a single CA certificate. This certificate has
>> invalid markers (it's way out of date) and the private key for that
>> certificate is known only to some small group of people. In effect,
>> they're a CA. As long as they behave properly (i.e., don't issue
>> false certificates), there's no problem.
>
> They said more than once that they *COULD* get a valid one as well, but
> they did an outdated one to not harm anybody. They still can create one
> that is NOT outdated. They said that about 3 times in the talk that it
> isn't limited to outdated keys and that they could create a valid one
> any time.

Well, they *could* then, but RapidSSL has stopped using MD5, so now they
can't.


>> >  Even one root cert is enough
>> > to kill SSL.
>>
>> Again, this isn't correct. If the CCC team ever starts issuing false
>> certificates for real, the browser manufacturers will just blacklist
>> it. It's really quite straightforward.
>
> Oh, please, browsers are the most unimportant clients when it comes to
> SSL. Sure, not if you do banking etc., but you shouldn't do that online
> anyway.

Jonathan's opinion that people shouldn't do online banking notwithstanding,
people do this all the time, including for very large sums of money. So,
no, I don't really think it's accurate to say that "browsers are the most
unimportant clients".


> But clients like MUA, XMPP etc. don't have a blacklist
> sometimes.

Then they can add one (note that on Windows and Mac there are consolidated
trust databases anyway).  Again, this really isn't that hard.


>> And if you're on the same network with people who know about a remote
>> exploit in your machine, then you better not trust the software on
>> your machine.
>
> Sure, there never is complete security. But breaking each machine is
> *MUCH* more work than doing a MITM, which will affect multiple people
> at once.

On the contrary: breaking into a machine once and installing a keylogger
is far more efficient than having to be a MITM all the time.


>> Given that there has been a major break in both common
>> SSH and SSL implementations this year (the Debian PRNG bug), it's a
>> little odd to be complaining about how this particular issue, which
>> is extremely hard to exploit, is the end of the world for SSL.
>
> What do you mean when talking about a break in SSH? I don't know of
> any. Only that there were issues with using SSH in CBC mode. But the
> default is CTR.
>
> --
> Jonathan

DSA-1571-1/CVE-2008-0166


-Ekr

