[Security] Rogue CAs

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Dec 31 11:13:08 CST 2008

"Eric Rescorla" <ekr at rtfm.com> wrote:

> I'm not convinced it's especially severe.
> To recap:
> We have one example of an RA failing to do proper validity checks.
> That RA was promptly shut down by their CA and the relevant
> certificate was revoked.
> We have one example of a CA issuing a bogus CA certificate via this
> collision attack. That certificate isn't usable as-is, and the CA has
> since fixed their procedures.
> To date, we have exactly 0 examples of this being used in the wild,
> and it's not clear how someone other than the researchers would
> do so. This is especially severe how?

Not even Firefox checks the revocation list. And it's now publicly
known how you could forge the root CA. I'm pretty sure that will be
used soon.

> I don't think that's at all clear. These researchers put *quite* a bit
> of effort into this problem. It's not at all clear to me you couldn't
> find a Windows 0-day in that time.

Seriously, who uses Windows on the 25c3? As to what I've seen, that was
the least used Operating System there. Most were using Linux, followed
by OS X and then the BSDs.

> How exactly is generating predictable private keys not a
> vulnerability?

It's Debian only. It will only work when the private and public key
were generated on a Debian machine. That's not a flaw in SSH itself,
but in Debian. For example, I was never affected by that Debian bug. I
don't have a single key generated on a Debian machine.
