Message-ID: <26156.1230747396@turing-police.cc.vt.edu>
Date: Wed, 31 Dec 2008 13:16:36 -0500
From: Valdis.Kletnieks@...edu
To: Elazar Broad <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Creating a rogue CA certificate

On Wed, 31 Dec 2008 12:57:52 EST, Elazar Broad said:

> That's true, keeping up with security is not cheap nor easy.

Meanwhile, doing nothing is *always* cheap and easy, especially when it's
very unlikely that *you* will end up paying the price...

> Tradeoffs are tradeoffs, the question is, when it comes down to
> the $$$, is it more cost effective to be proactive vs reactive in this
> case. Time will tell...

The important point here is that the cost of the vulnerability is what
economists call an externality - the CA who issued the cert that got
abused isn't the one who ends up with the headache.  If Certs-R-Us gives
BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake
Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack
has a problem, Widgets-Today may have a problem - and neither victim is
very likely to blame Certs-R-Us - after all, Widgets-Today got *their*
cert from somebody else.  Certs-R-Us doesn't have a problem unless they
end up on CNN - otherwise *their* potential customers won't know there's
an issue.

On the other hand, if Microsoft and Mozilla issue updates that make their
browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us
sit up and pay attention *immediately*, because "I bought a cert from you
and the frikking thing doesn't work" *does* impact their bottom line.

I predict that if Microsoft and Mozilla do this, there will be a lot of
ambulance-chasing, as opportunists spider the web looking for OpenSSL
connections that present a cert with MD5, and spam the site with "We have
sooper-cheap non-MD5 certs!" ads...


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
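The check the message argues browsers should ship (refuse out-of-hand any certificate whose signature algorithm is MD5-based) comes down to reading one field of the DER-encoded certificate. The following is an added example, not code from the message or from any browser vendor; it uses only the Python standard library, parses just enough DER to reach the outer `signatureAlgorithm` of an X.509 Certificate, and classifies the algorithm OID. The OID table and the `constructed_certificate()` test input are assumptions made for the demo: the test input is a structurally valid outer Certificate with a placeholder tbsCertificate and dummy signature bytes, not a real certificate.

```python
"""Flag certificates signed with MD5 by inspecting the DER signatureAlgorithm field.

Added example (not from the original message). Standard library only.
"""
import base64

# Assumption: a short OID table is enough for the demo; a production check
# would carry the full list of MD5-based and accepted signature OIDs.
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA",
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                   # base-128 arcs, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the TBS and return the OID inside signatureAlgorithm (an AlgorithmIdentifier)."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(cert_der, start)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])

def classify(cert_der):
    """Return ('reject', name) for MD5-based signatures, ('accept', name) for known-good
    ones, and ('unknown', oid) otherwise so the caller can decide on unlisted algorithms."""
    oid = signature_algorithm_oid(cert_der)
    if oid in MD5_SIGNATURE_OIDS:
        return "reject", MD5_SIGNATURE_OIDS[oid]
    if oid in ACCEPTED_SIGNATURE_OIDS:
        return "accept", ACCEPTED_SIGNATURE_OIDS[oid]
    return "unknown", oid

def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode, so a real certificate file can be checked."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

# --- constructed test input (not a real certificate) -------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    """Encode a dotted-decimal OID into DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def constructed_certificate(sig_oid):
    """Constructed sample: valid outer Certificate framing, placeholder tbsCertificate
    (a single INTEGER) and dummy BIT STRING signature. Only the framing is exercised."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))   # NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 16)
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(oid, "->", classify(constructed_certificate(oid)))
```

On a real certificate, `classify(pem_to_der(open("cert.pem").read()))` reads the same field a browser would; note that only the outer `signatureAlgorithm` is checked here, which is the one that matters for the collision concern, and that an `unknown` verdict is deliberately left to the caller rather than silently accepted.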
