[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 11:47:01 CST 2008


On Wed, Dec 31, 2008 at 9:42 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>
>> Firefox 3 does OCSP checks.
>
> Not by default, no. It was either disabled by default or there was a
> bug, I don't remember, but it doesn't work as expected by default.

Could be. I'd be interested in learning more about the status of OCSP
deployment.


>> s/Windows/Linux/. It's not exactly like those operating systems are
>> perfect.
>
> As there are many distributions of Linux and most customized theirs, a
> worm would be hard.

I'm not convinced that's true. And since this attack is also hard, I don't think
this is a very convincing argument.

I notice you've elided the more important issue: whether this is
really repeatable. You wrote:

" And it's now publically
known how you could forge the root CA. I'm pretty sure that will be
used soon."

I asked:

"Really? As I stated earlier, VeriSign claims that they have fixed RapidSSL.
Most of the other CAs on the list presented at CCC also are VeriSign
properties and VeriSign claims that none of them are now vulnerable,.

Are you actually aware of any CA that is still using MD5 and predictable
sequence numbers?"


It seems to me that this goes to the heart of whether this is a
serious threat or
just a demonstration. So, again: are you aware of a CA which is widely trusted
and is actually vulnerable to this form of collision attack?

-Ekr


More information about the Security mailing list