[Security] Rogue CAs
ekr at rtfm.com
Wed Dec 31 12:22:49 CST 2008
On Wed, Dec 31, 2008 at 10:16 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>> You've said that repeatedly, but I don't think it's convincing.
>> Again, we know that two invalid certificates issued: one for
>> mozilla.org and one CA certificate. Please explain how this turns
>> into a generalized MITM attack by anybody *but* the people who hold
>> those private keys.
> Everybody knows now how to forge a CA using MD5. Even if that CA is not
> using MD5 anymore, many browsers don't check revocation lists and still
> have the old root CA imported. So the CAs revoke the bad root CA, but
> it's still in the browsers and other now know as well how to forge the
> old, revocated root CA, which is still in many browsers. Do you
> understand the problem now?
I now understand what you think the problem is. Luckily for the world, you're
This is a collision attack, not a preimage attack. In order to mount it, the
attacker needs to do the following:
1. Construct a pair of unsigned certificates with the same digest, one of
which is acceptable (i.e., the CA would sign it) and one of which
2. Convince the CA to sign the acceptable certificate.
3. Cut and paste the signature from the acceptable certificate onto the
The key point here is step (2): you need a live CA willing to sign the
certificate. As long as the current CAs aren't vulnerable (i.e., they don't
use MD5 or they randomize the serial numbers adequately), then it's
not possible to mount this attack and acquire a new malicious certificate.
This of course leaves us with the threat from whatever malicious
already been issued. However, there's no evidence that there are any other
than the one demonstrated at CCC, and for the reasons I indicated before,
that's not likely to be a serious threat.
This is all explained in my blog post on this topic from yesterday:
More information about the Security