Message-ID: <Pine.LNX.4.53.0312141139530.1355@andrew.triumf.ca>
Date: Sun, 14 Dec 2003 12:22:57 -0800 (PST)
From: Andrew Daviel <advax@...umf.ca>
To: bugtraq@...urityfocus.com
Subject: Self-signed certs unrestricted in Windows XP



It appears that if a self-signed (test) certificate is installed under
Windows XP, it acquires all (or an unreasonable number of) privileges
by default.

I was testing a webserver and Java applet which I had signed with
a self-signed cert (https://andrew.triumf.ca/mterm/)

I notice that under Windows XP, if I elect to accept the certificate
permanently, and then go to the Content tab in "Internet Options" in IE,
I see my cert is installed under "Trusted Root CAs", and if I click
Advanced, it is by default trusted for a large number of purposes
such as driver verification and time stamping; I can change this (and did)
under "View->Details->Edit Properties".

I would have assumed that it would only be trusted for "Server
Verification" (and for the Java certificate, "Code Signing")

(In Netscape 4 or Mozilla on Linux, the server cert is installed only as
an "SSL Server Site", while the Java cert, although installed as a CA,
does not by default certify network sites, and is not used for local
functions such as filesystem encryption, software package verification
etc.)

Since by default self-signed certs are not trusted, and generate a lot
of alerts if used, I don't see this as a big problem. But on occasion
someone may use such a cert to provide protection against eavesdropping at
zero cost, and tell users "if you install the cert you won't get the
popups every time you connect", without taking the same precautions to
safeguard the private key as they might otherwise have done.


(It might be nice to have a mechanism to trust a certificate for
only one object, but I guess things don't work like that)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@...umf.ca
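
An audit for the situation described in the message above, added here as an example and not part of the original post: it lists roots that exist only in the current user's Trusted Root store (the ones a user accepted interactively) and reports whether the certificate itself carries an Enhanced Key Usage limit. It assumes a Windows host with PowerShell 3 or later; purposes disabled through "Edit Properties" are kept as a store property rather than in the certificate, so they do not appear in this listing.

```powershell
# Added example, not from the original post. Run on Windows in PowerShell 3+.
# Cert:\CurrentUser\Root is a merged view that also contains the machine-wide
# roots, so subtract those to find roots added for this user only.
$machine = Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $_.Thumbprint }

Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machine -notcontains $_.Thumbprint } |
    ForEach-Object {
        $cert = $_

        # EKU extension embedded in the certificate, if any.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }

        $purposes = if ($eku) {
            ($eku.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            }) -join ', '
        } else {
            '(no EKU extension: purposes not limited by the certificate itself)'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            CertEKU    = $purposes
        }
    } | Format-List
```

Any self-signed entry reported without an EKU extension is a candidate for removal or for restricting its purposes in the certificate manager.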

