Message-ID: <20090105233514.GM16795@sentinelchicken.org>
Date: Mon, 5 Jan 2009 15:35:14 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Volker Tanger <vtlists@...e.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert

> And as browsers usually do not check CRLs, there is no way of preventing
> the use of wrongfully signed certificates short of distributing a
> "software update" (as was with the MS case). If browsers had a cert
> cache and checked it similar to SSH, MitM-attacks would be much harder.

Well, now you're just pushing the problem off on users.  How many of
them would check the certificate the first time?  Does it matter to an
end-user if their credit card info is stolen *only the first time* and
not after that?

Certainly SSL's PKI has major problems.  Many of these problems can be
remedied through simple client software changes.  Why is every CA
treated the same?  Why don't we start assigning levels of trust to
different CAs?  A web-of-trust would be a great way to go, so long as
there's a way to hide it from end users.  Who would be allowed to
participate in the web of trust?  Tough questions.

As a basic first step, perhaps what browsers need to start doing is to
take all of those CAs out of the default install and replace them with
just one.  Their own.  Sign all current CAs as sub-CAs.  Turn on CRL
checks by default to their servers and start tracking all revocations in
one place.  Then, when a CA starts misbehaving, deal with it through the
central CRL or through a trust rating system which is separate from the
standard certificate formats.  Yeah, sure, it centralizes things in a
bad way, but centralized CRLs are still better than none.  Once the
system is solidified, standardize and redistribute.

Some crazy ideas, I know.  Feel free to shred them.

tim
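The SSH-style certificate cache proposed in the quoted text, and Tim's "only the first time" objection to it, modelled as a small added example (not code from either poster). It assumes an in-memory known_hosts-style store keyed by hostname and uses constructed byte strings in place of real DER certificates; the two scenarios produce identical verdicts because a trust-on-first-use cache has no way to tell a genuine first contact from an intercepted one.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the presented certificate bytes; a real client would
    more usefully hash the SubjectPublicKeyInfo, but the TOFU logic is the same."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TofuCache:
    """SSH known_hosts-style store: hostname -> fingerprint pinned on first sight."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # First contact: there is nothing to compare against, so whatever is
            # presented gets pinned. A MitM present at this moment is trusted
            # from now on, and the genuine cert will later look like the attack.
            self.pins[host] = fp
            return "first-seen"
        return "match" if known == fp else "MISMATCH"


def simulate(observations):
    """Run a sequence of (host, cert_bytes) connections through a fresh cache."""
    cache = TofuCache()
    return [cache.check(host, der) for host, der in observations]


# Constructed stand-ins for certificate bytes (not real certificates).
GENUINE = b"constructed genuine cert for example host"
ROGUE = b"constructed wrongfully signed cert for example host"

if __name__ == "__main__":
    # Scenario A: MitM only at first contact. The rogue cert is pinned and the
    # genuine one is flagged afterwards: ['first-seen', 'MISMATCH']
    print(simulate([("host.example", ROGUE), ("host.example", GENUINE)]))
    # Scenario B: genuine cert pinned first, later MitM detected. Same output,
    # so the cache cannot tell the two histories apart.
    print(simulate([("host.example", GENUINE), ("host.example", ROGUE)]))
```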

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
