RE: A mighty fortress is our PKI, Part III
I, too, would love to get the details, but Peter is right here. The flaw he reported was in the PKI itself, not in the UI. If there were a bulletproof OS with perfect non-confusing UI, once the malware has a valid signature that traces to a valid certificate, it's the PKI that failed. As for EV being as meaningless as ordinary certificates, that's the point Peter is making. Of course, neither of them certifies the qualities of the publisher that the end user cares about. That would be too expensive and open to liability (therefore, more expensive still). But, in a verbal shell game, the CAs make it sound like someone with an expensive certificate is trustworthy (in the end-user's value system). -Original Message- From: owner-cryptogra...@metzdowd.com [mailto:owner-cryptogra...@metzdowd.com] On Behalf Of Andy Steingruebl Sent: Wednesday, September 15, 2010 4:12 PM To: Peter Gutmann Cc: cryptography@metzdowd.com Subject: Re: A mighty fortress is our PKI, Part III On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann wrote: > Some more amusing anecdotes from the world of PKI: Peter, Not to be too contrary (though at least a little) - not all of these are really PKI failures are they? > - There's malware out there that pokes fake Verisign certificates into the > Windows trusted cert store, allowing the malware authors to be their own > Verisign. The malware could just as easily fake the whole UI. Is it really PKI's fault that it doesn't defend against malware? Did even the grandest supporters ever claim it could/did? > - CAs have issued certs to cybercrime web sites like > https://www.pay-per-install.com (an affiliate program for malware > installers), because hey, the Russian mafia's money is as good as anyone > else's. Similarly here - non-EV CAs bind DNS names to a field in a certificate. No more. They don't vouch for the business being run, and in any case any such "audit" would be point in time anyway. I suppose way back when people "promised" that certs would do this, but does anyone believe that anymore and have it as an expectation? Perhaps you're setting the bar a bit high? BTW - do you have pointers to most of the things you've reported? I'd love to get the full sordid details :) - Andy - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: A mighty fortress is our PKI, Part III
On 2010-09-16 6:12 AM, Andy Steingruebl wrote: The malware could just as easily fake the whole UI. Is it really PKI's fault that it doesn't defend against malware? Did even the grandest supporters ever claim it could/did? That is rather like having a fortress with one wall rather than four walls, and when attackers go around the back, you quite correctly point out that the wall is only designed to stop attackers from coming in front. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: A mighty fortress is our PKI, Part III
On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann wrote: > Some more amusing anecdotes from the world of PKI: Peter, Not to be too contrary (though at least a little) - not all of these are really PKI failures are they? > - There's malware out there that pokes fake Verisign certificates into the > Windows trusted cert store, allowing the malware authors to be their own > Verisign. The malware could just as easily fake the whole UI. Is it really PKI's fault that it doesn't defend against malware? Did even the grandest supporters ever claim it could/did? > - CAs have issued certs to cybercrime web sites like > https://www.pay-per-install.com (an affiliate program for malware > installers), because hey, the Russian mafia's money is as good as anyone > else's. Similarly here - non-EV CAs bind DNS names to a field in a certificate. No more. They don't vouch for the business being run, and in any case any such "audit" would be point in time anyway. I suppose way back when people "promised" that certs would do this, but does anyone believe that anymore and have it as an expectation? Perhaps you're setting the bar a bit high? BTW - do you have pointers to most of the things you've reported? I'd love to get the full sordid details :) - Andy - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
A mighty fortress is our PKI, Part III
Some more amusing anecdotes from the world of PKI: - A standard type of fraud that's been around for awhile is for scammers to set up an online presence for a legit offline business, which appears to check out when someone tries to verify it. A more recent variation on this is to buy certs for legit businesses. One of these certs was traced back by a security researcher who found that the scammers had obtained it through the incredibly devious trick of shopping round commercial CAs until they found one that was prepared to sell them a certificate. - In a repeat of the original race to the bottom with non-EV certs, CA's have issued EV certs for RFC 1918 addresses (!!!). What makes this particularly entertaining is that in combination with a router warkitting attack and Moxie Marlinspike's OCSP faking it allows an attacker to spoof any EV-cert site. - The list of people who have bought certificates for Apple from commercial CAs keeps on growing (I guess Microsoft is just so five minutes ago :-). For example one SMTP admin needed a cert for his server and wondered what would happen if he asked for one for *.apple.com instead of his actual domain name. $100 and a cursory check later he had a wildcard cert for Apple. At least two more users have reported buying certificates for Apple, and there are probably even more lurking out there - if you too have a certificate from a certificate vending machine saying that you're Apple, do get in touch - There's malware out there that pokes fake Verisign certificates into the Windows trusted cert store, allowing the malware authors to be their own Verisign. - CAs have issued certs to cybercrime web sites like https://www.pay-per-install.com (an affiliate program for malware installers), because hey, the Russian mafia's money is as good as anyone else's. - One of the most important things a CA needs to manage is certificate serial numbers, because the combination { CA name, cert serial number } is a unique identifier used in lots of security protocols to identify certs. Without this uniqueness, you can't tell who signed something, you can't revoke a cert, you can't... well, you get the idea. Not only have commercial CAs issued certs with duplicate serial numbers, they've issued *CA certs* with duplicate serial numbers. Ouch! (When this was pointed out to the CA who did this - "oops, my bad, we'll get those re-issued for you" - someone else pointed out that their OCSP responder certs had expired, which none of the CA's clients appeared to have noticed until then. "Yeah, we'll look into fixing those too. Anything else while we're at it?"). If anyone has any further amusing PKI stories, please get in touch, I'd love to add a Part IV to this series. Peter. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com