[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 11:24:53 CST 2008


On Wed, Dec 31, 2008 at 9:13 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>
>> I'm not convinced it's especially severe.
>>
>> To recap:
>> We have one example of an RA failing to do proper validity checks.
>> That RA as promptly shut down by their CA and the relevant
>> certificate was revoked.
>>
>> We have one example of a CA issuing a bogus CA certificate via this
>> collision attack. That certificate isn't usable as-is, and the CA has
>> since fixed their procedures.
>>
>> To date, we have exactly 0 examples of this being used in the wild,
>> and it's not clear how someone other than the researchers would
>> do so. This is especially severe how?
>
> Not even Firefox checks the revocation list.

Firefox 3 does OCSP checks.


> And it's now publically
> known how you could forge the root CA. I'm pretty sure that will be
> used soon.

Really? As I stated earlier, VeriSign claims that they have fixed RapidSSL.
Most of the other CAs on the list presented at CCC also are VeriSign
properties and VeriSign claims that none of them are now vulnerable,.

Are you actually aware of any CA that is still using MD5 and predictable
sequence numbers?



>> I don't think that's at all clear. These researchers put *quite* a bit
>> of effort into this problem. It's not at all clear to me you couldn't
>> find a Windows 0-day in that time.
>
> Seriously, who uses Windows on the 25c3? As to what I've seen, that was
> the least used Operating System there. Most were using Linux, followed
> by OS X and then the BSDs.

s/Windows/Linux/. It's not exactly like those operating systems are perfect.


>> How exactly is generating predictable private keys not a
>> vulnerability?
>
> It's Debian only. It will only work when the private and public key
> were generated on a Debian machine. That's now a flaw in SSH itself,
> but in Debian. For example, I was never affected by that Debian bug. I
> don't have a single key generated on a Debian machine.

Neither is this a flaw in SSL itself, but in a single CA, which is easily
dealt with in a number of ways which I have already described.

As I said earlier, on the one hand we have some demonstration attacks
of flaws which have already been fixed and are not clearly repeatable.
On the other hand, we have a real, repeatable vulnerability which affects
a large number of machines in the wild. If you want to take home from
that "SSL is dead", I guess that's your right, but I don't think it's supported
by the available evidence.

-Ekr


More information about the Security mailing list