
Secure Certificate Hack Doesn't Imperil Users

ron (apparently) - 03:36am Dec 31, 2008 PST
via email

Glenn Fleishman's article "Secure Certificate Hack Doesn't Imperil
Users" was timely, but I'm afraid that his closing statement -- "I
expect this particular problem will disappear as a potential threat in
a matter of weeks" -- is rather optimistic.

It is true that, for the certificate authority, the switch from MD5 to
SHA-* should be a relatively simple matter. Alas, that won't make the
problem go away. Browsers don't check with the CA to verify a
certificate, they simply validate each site's certificate against
(ultimately) a root certificate that was included with the browser
when it shipped. Once someone has a forged CA certificate, they can
create any number of bogus site certificates that appear to be validly
signed by a legitimate CA. All current browsers will recognize these
certificates as valid, whether or not the CA switches to a more secure
hash algorithm.

A fix by the CA isn't enough. All current browsers would have to be
patched to warn when encountering a certificate signed by a CA using
MD5. It's more than just IE, Firefox, Safari, Opera, and Konqueror --
all SSL-secured applications (Glenn mentions Quicken, for one example)
would have to be fixed as well.

Most current owners of certificates issued using MD5 CA certs (I'm
among that group) would have to get new certs issued. If they don't,
people will just learn to ignore the browsers' warnings about MD5
certificates.

This issue is likely to be with us for a while. And it makes the DNS
cache-poisoning flaw, which I previously considered a tempest in a
teapot, a much more serious threat.

--Ron
www.risley.net



ron (apparently) - Jan 8, 2009 1:58 am (#14 Total: 15)  

via email  

Re: Secure Certificate Hack Doesn't Imperil Users



On 07Jan2009, at 00:10, sscarbrough wrote:

> who can anymore trust an MD5 based one?

The attack by Sotirov et al. didn't create just a way to forge MD5
based certificates, it created a way to forge CA (certificate signing)
certificates. As far as I know, that CA certificate could then be used
to sign forged certificates that were hashed with SHA-*. At the very
least, the user would have to check the entire certificate chain to
the root to be sure there were no MD5 signers involved. At least in
Safari, that's difficult for an end user to do.

Another interesting issue, since you mentioned EV certificates: EV
certificates might be secure, but now we know that signing
certificates for plain old SSL certificates have been forged. I can
alter a name server to redirect, say,
https://sitekey.bankofamerica.com/ to a server of my own. I can create a
forged SSL certificate for my server. How many people who visit my
site will notice that they're connecting with a regular SSL
certificate and not an EV certificate? I doubt it would be 100%. There
would be no warning from the browser -- the user would have to notice
that (in Safari) the site name doesn't appear by the lock icon. It's a
bit more obvious in other browsers, but I doubt user recognition
approaches 100% in any case.

We need browsers that check the whole certificate chain for MD5-hash
based signatures, and at the very least put up a warning when they
detect such certificates.

On a closely related issue, does anybody know if or how often modern
browsers check key servers for revoked certificates? If they do, is it
in a way that protects users' privacy?

--Ron
www.risley.net

Joe R - Jan 9, 2009 4:58 pm (#15 Total: 15)  

Re: Secure Certificate Hack Doesn't Imperil Users

A lot of good information here on this issue. Ron, I'm also curious how often browsers check for revoked certs -- I know I'm alerted every time I navigate to a site that has an expired cert, but that's a different issue. And of course any self-signed or forged certs I can't tell from legit ones.

One thing I've been hearing lately -- not only from this thread but from the IT gurus I work with -- is that the biggest obstacles to making SSL more secure, especially on the EV side, lie squarely with browser technology. CAs and cert designers can create all the robust security measures they want -- i.e., the fact that EV cannot be forged -- but if your major browsers don't recognize the difference then it's a lot of lost effort. It's in a way unfortunate that everyone concentrates on the "green URL" aspect of EV, since that only speaks to the noticeable security changes and the green URL has had a slow adoption. But I've seen a handful of sites that had no green URL and were still technically EV encrypted. The problem is not just technology or security, it's -- as Ron pointed out -- user recognition. Since the peril lies with users' decisions, they need to be better armed to make prudent ones.


