On Thu, Jul 17, 2003 at 10:56:06PM +0200, Dr. Stephen Henson wrote:
> On Wed, Jul 16, 2003, Amar Desai wrote:
>
> > Hi All
> > I would like to know what are the security concerns if we provide a
> > functionality of downloading a CRL (in case where there is no CRL in the
> > specified directory or file) in the get_crl function using say wget?
> >
>
> You should be careful that you don't download CRLs for untrusted
> certificates. If you do there are several possible concerns:
>
> DOS attack. The CRL download could be made very slow, either by throttling
> the connection or including a huge CRL.
In SET, CRLs were made part of the business. That is, one could try to DOS it as a
whole but can't hurt just CRL pickup. Maybe one could send CRLs as part of the TLS
handshake.

> Leaking information about the caller. If the CRL downloader is on a machine
> that isn't public then some details about it can be obtained (IP address etc).

It's unlikely a non-public IP address will be shown after an ip-masquerading host
(a very popular solution). Yes, at least one http proxy (squid, another popular
solution) can insert "X-Forwarded-For: 192.1.2.3" headers into outgoing requests
unless the default config was changed.

Any online status check leaks info on who deals with whom. OCSP clients with
signed requests provide even better tracing. Surprisingly, there's still very
limited interest in anonymous or controlled-leak solutions.

> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
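The two DoS cases Steve lists (a throttled connection and an oversized CRL) are both bounded-resource problems, and his first point is a policy gate: do not fetch at all for a certificate whose issuer you do not already trust. The following is an added example, not code from this thread or from OpenSSL: a Python CRL fetcher with a byte cap, a wall-clock deadline over the whole download, and an issuer trust check. The transport (any object with `.read(n)`), the `FakeClock`/`FakeServer` doubles, the constructed CRL bodies, and the 1 MiB / 10 s limits are all assumptions of the example.

```python
"""Bounded CRL download (added example; not OpenSSL or thread code).

Mitigates the two DoS cases from the thread, a throttled connection and an
oversized CRL, and refuses to fetch at all unless the certificate's issuer is
already trusted. The transport is abstracted as any object with .read(n) so
the block runs offline against constructed doubles."""
import time

MAX_CRL_BYTES = 1 << 20     # 1 MiB cap (assumed; tune to the largest CRL you expect)
MAX_CRL_SECONDS = 10.0      # wall-clock budget for the entire download (assumed)


class CrlFetchError(Exception):
    """Base class for a refused or aborted CRL download."""


class CrlTooLarge(CrlFetchError):
    """Body exceeded the byte cap."""


class CrlTimeout(CrlFetchError):
    """Download did not finish within the wall-clock budget."""


def crl_download_allowed(issuer_dn, trusted_issuers):
    """Gate on trust first: never spend bandwidth on, or leak a request for,
    a certificate whose issuer is not in the local trust store. `issuer_dn`
    is the certificate's issuer name as a string (hypothetical representation)."""
    return issuer_dn in trusted_issuers


def fetch_bounded(reader, max_bytes=MAX_CRL_BYTES, max_seconds=MAX_CRL_SECONDS,
                  chunk_size=4096, clock=time.monotonic):
    """Read the whole body from `reader` (anything with .read(n)), aborting if
    it grows past `max_bytes` or total elapsed time passes `max_seconds`.

    A per-read socket timeout (socket.settimeout) only catches a stalled
    server; the deadline here also catches one that trickles bytes just fast
    enough to keep each read alive, which is the throttling attack."""
    deadline = clock() + max_seconds
    buf = bytearray()
    while True:
        if clock() >= deadline:
            raise CrlTimeout("CRL download exceeded %.1fs" % max_seconds)
        # Request at most one byte past the cap: an oversized body is detected
        # as soon as it crosses the line, without buffering the whole thing.
        want = min(chunk_size, max_bytes + 1 - len(buf))
        chunk = reader.read(want)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise CrlTooLarge("CRL exceeds %d bytes" % max_bytes)


# --- constructed test doubles so the attacks can be replayed offline ---------

class FakeClock:
    """Stand-in for time.monotonic; the server advances it instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeServer:
    """Stand-in for an HTTP response body. Serves `body` at most `piece` bytes
    per read and charges `seconds_per_read` of fake wall clock for each read:
    a throttled server is seconds_per_read > 0, a huge CRL is a long body."""
    def __init__(self, body, clock, piece=1024, seconds_per_read=0.0):
        self.body, self.clock, self.piece, self.delay = body, clock, piece, seconds_per_read
        self.pos = 0

    def read(self, n):
        self.clock.now += self.delay
        chunk = self.body[self.pos:self.pos + min(n, self.piece)]
        self.pos += len(chunk)
        return chunk


def simulate(body_len, seconds_per_read=0.0, max_bytes=MAX_CRL_BYTES,
             max_seconds=MAX_CRL_SECONDS):
    """Download a constructed CRL of `body_len` bytes from a server that costs
    `seconds_per_read` per read. Returns 'ok', 'too_large' or 'timeout'."""
    clock = FakeClock()
    server = FakeServer(b"\x30" * body_len, clock, seconds_per_read=seconds_per_read)
    try:
        data = fetch_bounded(server, max_bytes, max_seconds, clock=clock)
    except CrlTooLarge:
        return "too_large"
    except CrlTimeout:
        return "timeout"
    return "ok" if len(data) == body_len else "short"


if __name__ == "__main__":
    print("honest 64 KB CRL:       ", simulate(64_000))
    print("2 MB CRL from attacker: ", simulate(2_000_000))
    print("trickled at 0.5 s/read: ", simulate(64_000, seconds_per_read=0.5))
    print("untrusted issuer fetch: ", crl_download_allowed("CN=Evil CA", {"CN=Example CA"}))
```

The trust gate should run before any network activity, since the request itself is the information leak the second half of the thread is about. That leak, a proxy adding X-Forwarded-For, is not something the client can suppress; on a squid proxy it is controlled by the `forwarded_for off` directive in squid.conf.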
