[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 10:41:22 CST 2008

On Wed, Dec 31, 2008 at 8:34 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>> On Wed, Dec 31, 2008 at 8:10 AM, Jonathan Schleifer
>> <js-xmpp-security at webkeks.org> wrote:

>> Remember, you're claiming that "SSL is dead" on the basis of this.
>> I'd hope to see more evidence than "we don't know" for an assertion
>> that strong.
> Well, for *ME*, it's dead. Maybe I should emphasize more that it's my
> personal opinion :). I'm too paranoid to trust SSL now. Sure, this will
> be fixed at some point. But that will take some time. There are still certs
> generated with insecure Debian OpenSSL versions out there.

It's odd you'd focus on this, since (1) there are still OpenSSH keys
that were generated with insecure PRNGs out there and (2) this
is the case that's easiest for the clients to detect, since all the
keys are known.


>> Jonathan's opinion that people shouldn't do online banking
>> notwithstanding, people do this all the time, including for very
>> large sums of money. So, no, I don't really think it's accurate to
>> say that "browsers are the most unimportant clients".
> I consider online banking too insecure, especially for Average Joe.
> Really important things should always be done offline. And the user is
> still the biggest hole ;).

Regardless of what you consider, people still use it all the time, so
security issues in online banking are extremely relevant.

>> Then they can add one (note that on Windows and Mac there are
>> consolidated trust databases anyway).  Again, this really isn't that
>> hard.
> Sure they can, and I never said otherwise. But all that will take
> time. Likely, a long time.

Perhaps, but this is true for *every* vulnerability. There's nothing
special about this one.

>> On the contrary: breaking into a machine once and installing a
>> keylogger is far more efficient than having to be a MITM all the time.
> Then you've got the accounts of how many people? Only one. Data from more
> people = more money. So a MITM is more effective.

What, you've never heard of viruses? The idea here is you write a virus/worm
that installs a keylogger. Then you don't have to MITM.

>> DSA-1571-1/CVE-2008-0166
> SSL ≠ SSH. I asked for the vulnerability in SSH you were talking about.
> I only know of an attack where you can get parts of a session if it's
> using CBC.

Yes, you need to keep reading past the first few paragraphs:

"Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections.  Keys generated with GnuPG or GNUTLS are not affected,

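The Debian weak-key case Eric points to above (every affected key is enumerable, so a client can recognise one by its fingerprint), as an added worked example that is not code from this thread, from Debian, or from ssh-vulnkey: it decodes an OpenSSH public key line, computes the MD5 fingerprint that `ssh-keygen -l -E md5` reports, and looks it up in a blocklist. Assumptions, labelled in the code too: the blocklist layout (the fingerprint with its first 12 hex characters dropped, one entry per line, `#` comments) and the `RSA-2048`/`DSA-1024` naming are my recollection of the openssh-blacklist files, and the sample keys and list entries are constructed, not real keys.

```python
# Added example (not from the thread): check an OpenSSH public key line against
# a Debian-style weak-key blocklist. Sample keys and list entries are constructed.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: minimal big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_pubkey_line(line: str):
    """Return (key type, key size in bits, raw blob) for an OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    keytype = fields[0].decode("ascii")
    if keytype != parts[0]:
        raise ValueError("key type inside blob does not match the line prefix")
    if keytype == "ssh-rsa":        # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif keytype == "ssh-dss":      # fields: type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {keytype}")
    return keytype, bits, blob


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the key blob: what 'ssh-keygen -l -E md5' prints, minus the colons."""
    return hashlib.md5(blob).hexdigest()


def blocklist_entry(blob: bytes) -> str:
    """Blocklist form of the fingerprint (assumption: the 20 hex chars after the first 12)."""
    return md5_fingerprint(blob)[12:]


def load_blocklist(text: str) -> frozenset:
    """Parse a blocklist body: '#' comments and blank lines ignored, one entry per line."""
    return frozenset(
        ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")
    )


def is_weak(line: str, blocklists: dict) -> bool:
    """True if the key's fingerprint appears in the blocklist for its type and size."""
    keytype, bits, blob = parse_pubkey_line(line)
    name = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}[keytype]
    return blocklist_entry(blob) in blocklists.get(f"{name}-{bits}", frozenset())


# Constructed sample data: NOT real keys, just valid 2048-bit ssh-rsa encodings.
_WEAK_N = (1 << 2047) | (1 << 1024) | 0x10001
_OK_N = (1 << 2047) | (1 << 1025) | 0x10001
WEAK_KEY_LINE = encode_rsa_pubkey(65537, _WEAK_N, "weak@example")
OK_KEY_LINE = encode_rsa_pubkey(65537, _OK_N, "fine@example")

# A constructed blocklist in the layout assumed for blacklist.RSA-2048.
BLOCKLISTS = {
    "RSA-2048": load_blocklist(
        "# Blacklist of vulnerable SSH keys (constructed sample)\n"
        + blocklist_entry(parse_pubkey_line(WEAK_KEY_LINE)[2]) + "\n"
    ),
}

if __name__ == "__main__":
    for line in (WEAK_KEY_LINE, OK_KEY_LINE):
        print(line.split()[-1], "WEAK" if is_weak(line, BLOCKLISTS) else "ok")
```

To run this against real data, replace BLOCKLISTS with the contents of the distribution's blocklist files (e.g. /usr/share/ssh/blacklist.RSA-2048) keyed by the same type-size name, and feed it the lines of authorized_keys or known_hosts; the same fingerprint lookup is what makes this class of weak key easier to catch than a generic bad-PRNG key, because the whole set is known in advance.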