Re: [ANNOUNCE] NSS 3.12.3.1 Release

Fri, 31 Jul 2009 12:38:27 -0700 

On 31/07/2009 11:29, William L. Hartzell wrote:

Nelson B Bolyard wrote:

On 2009-07-30 19:46 PDT, Ian G wrote:

On 31/7/09 04:29, Nelson B Bolyard wrote:

... So, a name with a NULL in it will appear
as something like www.mybank.com\00*.badguy.org


There must be something I am missing. Since when is a NULL a legal
character in a domain?


Read the article that Howard cited. It's more fun than my dry
explanation.

Some lax CAs will evidently issue certs with just about anything in the
DNS names. I'd pull the plug on them if I could find them, but the
presenters at Black Hat were careful NOT to reveal which CAs made the bad
certs for them. I guess that's why they call it "Black Hat".




For the record, I spent most of the day helping look at this at CAcert 
(not at the code, myself, but the people).



It is completely unclear to me at this stage whether CAcert is 
vulnerable.  What is clear is that nulls aren't properly checked, and 
cause funny effects as they go through the system.  So we'll be fixing 
stuff regardless.


(There'll be a full disclosure at some point.)



All these presenters make the same mistake of blaming SSL for a problem
that is not in the SSL protocol anywhere.




I don't know for sure, but I'll happily speculate:  this is a 
side-effect of complication.  Using ASN1 and similar results in very 
tortuous code, which contributes to all sorts of difficulties in production.



One can say "they should write good code" but that's just hopeful.  To 
echo Dan, to fix this we should really start again using techniques 
developed more in more modern times.  But that's equally hopeful :)




Look in your code for those who issue crappy certs. You have to work
around them. If their cert are defective, what makes anyone think their
internal procedures are any better?




There's no necessary correlation between coding practices and internal 
procedures.  Governance and coding just don't see eye to eye.




I know that there is one vendor who
blames their government's privacy policy for their crappy certs. Enuf said.



Huh?  How does that follow?

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto






















					Reply via email to