| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20141101061016.GA2353@ignominy.bamsoftware.com> Date: Fri, 31 Oct 2014 23:10:16 -0700 From: David Fifield <david@...software.com> To: fulldisclosure@...lists.org Subject: Re: [FD] GoAgent vulnerabilities: CA cert with known private key, TLS MITM On Mon, Jun 02, 2014 at 01:13:56PM -0700, David Fifield wrote: > There is an HTML version of this document with screenshots at > https://www.bamsoftware.com/sec/goagent-advisory.html. > > == GoAgent installs a root CA certificate with a known private key == > > At startup, GoAgent installs a system-wide root CA certificate with a > fixed and publicly known private key. Because the private key is known, > anyone can impersonate the "GoAgent CA" and sign certificates for almost > any web site. The trusted root CA certificate remains installed even > after GoAgent is turned off or removed. Depending on the circumstances > of GoAgent's installation, the certificate may also affect browsers > other than the one used with GoAgent, and other users of the same > computer. It appears that this problem is now fixed. The software now generates a CA certificate with an unpredictable private key when run for the first time. The fix is in the released version 3.2.1. https://github.com/goagent/goagent/compare/0e2eb37c098b2a5653aac24a6256f0d262d2be47...77c8e7f131f9eb7d857cded9c0bc2f662e80b78a I've updated the advisory page. David Fifield _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists