[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 11:09:06 CST 2008


On Wed, Dec 31, 2008 at 9:02 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:

>> Regardless of what you consider, people still use it all the time, so
>> security issues in online banking are extremely relevant.
>
> But maybe they shouldn't use it at all.

Sure. Let me know how that works out.


>> > Sure then can, and I never said something else. But all that will
>> > take time. Likely, a long time.
>>
>> Perhaps, but this is true for *every* vulnerability. There's nothing
>> special about this one.
>
> But this one is especially severe and will take especially long.

I'm not convinced it's especially severe.

To recap:
We have one example of an RA failing to do proper validity checks. That
RA as promptly shut down by their CA and the relevant certificate was
revoked.

We have one example of a CA issuing a bogus CA certificate via this
collision attack. That certificate isn't usable as-is, and the CA has
since fixed their procedures.

To date, we have exactly 0 examples of this being used in the wild,
and it's not clear how someone other than the researchers would
do so. This is especially severe how?


>> What, you've never heard of viruses? The idea here is you write a
>> virus/worm that installs a keylogger. Then you don't have to MITM.
>
> I guess on an event like 25c3, you can't write a worm that easily. Most
> there know their system and have secured it to their best knowledge.
> It's very unlikely that you will find an exploit that will work on more
> machines than you would get using MITM.

I don't think that's at all clear. These researchers put *quite* a bit
of effort into this problem. It's not at all clear to me you couldn't
find a Windows 0-day in that time.


>> Yes, you need to keep reading past the first few paragraphs:
>>
>> "Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
>> material for use in X.509 certificates and session keys used in
>> SSL/TLS connections.  Keys generated with GnuPG or GNUTLS are not
>> affected, though."
>
> Ok, but anyway, this is a Debian-only issue and you said there's a
> vulnerability. So now I'm curious to know which :). I only know of the
> flaw when using CBC.

How exactly is generating predictable private keys not a vulnerability?

-Ekr


More information about the Security mailing list