"Incomplete understanding"? That's rich.

There is no reliance on certs as a protection mechanism. Rather, the use of certs/encryption helps to facilitate my bad acts. If I'm doing malvertising I basically must use an encrypted channel. If I'm doing other bad things, encryption frustrates the efforts of security personnel to figure out that something bad is happening.

As for the weak link, it isn't necessarily weak. True, I could get additional subdomain certs by exploiting the weak validation methods that CABF has endorsed. In many cases that will work just fine but I do still have to interact with the CA which leaves a paper trail--especially if the cert gets published via CT.

In the wildcard scenario, there is no need for that interaction. Less interaction, low profile, few opportunities for detection, ability to operate unimpeded...this is the dream for any bad guy. Wildcard certs make it easier for me to get there. One can definitely reach that goal using non-wildcard tactics but it might not be as easy.


Getting back to Gerv's original question, should the wildcard section be removed? My answer is: no, it should not be removed. It could stand to be updated though.


From: Ryan Sleevi
Sent: Friday, April 28, 2017 9:51 AM



On Fri, Apr 28, 2017 at 9:48 AM, Peter Kurrasch <fhw...@gmail.com> wrote:
Suppose I want to set up a system to be used for spam, malware distribution, and phishing but, naturally, I want to operate undetected. First step is to find a (legitimate) server that is already set up and is not well secured. Without getting bogged down in the details, let's just assume I can find such a server and I'm able to obtain access to the admin panel or a command line/shell that controls it. With this access, let's also just assume I'm able to obtain the certificate and private key data that the legitimate site owner is using.

You can stop here. Once you've done that, it's game over for any subdomains as it stands. Wildcard certs are a red herring. If you've got file control on the server, or can demonstrate control of the base, you can get the subdomains.

That's the weak link in your attack model, and for that to change, it will at least require some action on the CA/Browser Forum to restrict the file-based controls or 'practical demonstration of control'. If you just compromise the server/key, you've compromised every subdomain, as it stands today. That's not because of wildcards. That's because of the CA/Browser Forum.
 
Granted, there is a healthy amount of hand waving in this illustration and frankly there are situations where other attack methods are more advantageous for any number of reasons. That said, the point I am hoping to make is that a wildcard certificate opens up possibilities for me as the bad guy that I might not have otherwise.

Right, not really, because above :)
 
Again, I'll be the first to admit this is perhaps not the best illustration of the risks posed by wildcard certs but hopefully it's at least good enough. I don't think the above is a major problem today but if the desire is to make wildcard certs ubiquitous (?), I hope people will at least think twice.

I appreciate your threat modelling of this space, but I think it's operating on incomplete understanding of what the reasonable security boundary is, but also tries to rely on certificates as a spam/phishing protection, of which they most certainly are not :)


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
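The detection gap Peter describes (a wildcard lets new subdomains appear with no further CA interaction and no Certificate Transparency entry of their own) can be made concrete with a small name-matching check over a certificate inventory. This is an added example, not code from the thread; the certificate list and the example.com names are constructed, and the public-suffix guard is a simplified heuristic rather than a real public suffix list lookup.

```python
import re

# Constructed sample of certificates as a CT monitor might record them:
# (cert_id, list of SAN dNSNames) for the hypothetical domain example.com.
CT_OBSERVED = [
    ("cert-A", ["example.com", "www.example.com"]),
    ("cert-B", ["*.example.com"]),          # wildcard: covers any single label
    ("cert-C", ["mail.example.com"]),
]

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style match: a wildcard may only be the whole leftmost label,
    matches exactly one label, and never matches the registered domain itself."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    base = san[2:]
    # Heuristic guard: reject '*.com' style names and embedded wildcards.
    if "*" in base or base.count(".") < 1:
        return False
    hl, sl = hostname.split("."), base.split(".")
    return len(hl) == len(sl) + 1 and hl[1:] == sl and LABEL.match(hl[0]) is not None

def covering_certs(hostname, certs=CT_OBSERVED):
    """Return the ids of certificates whose SANs cover hostname."""
    return [cid for cid, sans in certs if any(san_matches(s, hostname) for s in sans)]

def ct_blind_spots(hostname, certs=CT_OBSERVED):
    """True when hostname is covered only by wildcard SANs: a new subdomain
    under *.example.com needs no issuance, so a monitor watching CT for
    exact-name certificates sees nothing for it."""
    exact, wild = [], []
    for cid, sans in certs:
        for s in sans:
            if san_matches(s, hostname):
                (wild if s.startswith("*.") else exact).append(cid)
    return bool(wild) and not exact

if __name__ == "__main__":
    for h in ["www.example.com", "mail.example.com", "login.example.com",
              "a.b.example.com", "example.com"]:
        print(h, covering_certs(h), "wildcard-only:", ct_blind_spots(h))
```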
