Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-11 Thread Simon Josefsson
Sam Morris  writes:

> Maybe in a few years, NSS will have disabled the use of MD5 and the 
> ancient MD2 algorithm. I wonder how many other insecure algorithms are 
> still lurking in NSS, OpenSSL, GNU TLS, Java, etc...

In GnuTLS, we decided in 2005 that certificate signatures with MD5
should be rejected because MD5 was not a good hash function any more.

/Simon


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-02 Thread Aiko Barz
On Thu, Jan 01, 2009 at 12:45:22PM -0500, Micah Anderson wrote:
> > > > On Wed, 31 Dec 2008, Micah Anderson wrote:
> > > >
> > > > Does anyone have a legitimate reason to trust any particular Certificate
> > > > Authority?
> > Yves-Alexis Perez  writes:
> > 
> > > I may be wrong, but I trust the CAs in ca-certificates. I've followed
> > > the add of French Gvt CA Certificates, and the procedure was enough
> > > strict to give me this trust impression.
> * Russ Allbery  [2009-01-01 10:04-0500]:
> >
> > While this exploit is particularly interesting because it's technical
> > rather than social and therefore easy to wrap one's mind around, it's not
> > been particularly difficult to get a forged certificate since nearly the
> > beginning of the commercial CA concept.  Very few of the certificate
> > authorities do any sort of real authentication of the requester, so if
> > you're willing to do simple things like fax them forged letterhead, you can
> > probably get a certificate claiming to be just about anyone who isn't
> > extremely high-profile.
> 
> I agree, and this is why I posed this question. The hierarchical
> Certificate Authority model is fundamentally flawed, and easily
> exploited.

There are two more things that disturb me a lot:

If you trust a CA, you also trust any sub-CAs signed by its
certificate. But you don't have any control over those sub-CAs. You do
not know who has them or how many are out there.

So, if you trust a Certificate Authority that belongs to a specific
country, it may be possible that their government asks for a
certificate that enables them to sign certificates on their own. That
would enable the government to create trusted certificates for any
website, mailserver, etc. on the planet...

The second thing that disturbs me:

Firefox 3 made it more difficult to accept self-signed certificates.
It would be nice if Firefox could at least remember certificates, to
generate warnings like:

- INFO:  Certificate fingerprint changed.
         New certificate is signed by the same CA.

- ALERT: Certificate fingerprint changed.
         New certificate is signed by a different CA.
         Possible MITM attack going on.

So long,
Aiko

-- 
:wq ✉


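The certificate memory Aiko describes, as an added example that is not part of the thread: a trust-on-first-use store remembers the last fingerprint and issuer seen per host and grades a changed certificate INFO (same CA) or ALERT (different CA). The host name, issuer strings and the "DER" byte strings are constructed stand-ins; `CertMemory` is a hypothetical helper, not any browser's code.

```python
import hashlib


class CertMemory:
    """Trust-on-first-use store: host -> (fingerprint, issuer DN)."""

    def __init__(self):
        self.seen = {}

    @staticmethod
    def fingerprint(der_bytes):
        # SHA-256 over the DER encoding, rendered as colon-separated hex
        # pairs (the same shape `openssl x509 -fingerprint -sha256` prints).
        digest = hashlib.sha256(der_bytes).hexdigest().upper()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    def observe(self, host, der_bytes, issuer):
        """Record the certificate `host` presented and classify the event.
        Returns (level, message); level is one of FIRST_SEEN, OK, INFO, ALERT."""
        fp = self.fingerprint(der_bytes)
        previous = self.seen.get(host)
        self.seen[host] = (fp, issuer)
        if previous is None:
            return "FIRST_SEEN", "no certificate remembered for this host yet"
        old_fp, old_issuer = previous
        if fp == old_fp:
            return "OK", "certificate unchanged"
        if issuer == old_issuer:
            # Ordinary renewal: new key/serial, same issuing CA.
            return "INFO", ("certificate fingerprint changed; new certificate "
                            "is signed by the same CA (%s)" % issuer)
        # A different CA vouching for the same host is the case worth alerting on.
        return "ALERT", ("certificate fingerprint changed; new certificate is "
                         "signed by a different CA (%s -> %s); possible MITM"
                         % (old_issuer, issuer))


# Constructed stand-ins for DER-encoded certificates; in a real client these
# bytes come from the TLS handshake. Only their contents and issuers matter.
CERT_V1 = b"constructed-der:mail.example.test:serial-1"
CERT_V2 = b"constructed-der:mail.example.test:serial-2"
CERT_V3 = b"constructed-der:mail.example.test:serial-3"


def demo():
    """Walk one host through first contact, a renewal and a CA switch."""
    mem = CertMemory()
    host = "mail.example.test"
    return [
        mem.observe(host, CERT_V1, "O=Example CA A")[0],   # FIRST_SEEN
        mem.observe(host, CERT_V1, "O=Example CA A")[0],   # OK
        mem.observe(host, CERT_V2, "O=Example CA A")[0],   # INFO: renewal
        mem.observe(host, CERT_V3, "O=Example CA B")[0],   # ALERT: new CA
    ]


if __name__ == "__main__":
    print(demo())
```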


Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Jacob Appelbaum
Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Could some skilled person comment on the article?
> 
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?
> 
> 

Hi,

(I'm one of the authors of that research)

It's not entirely terrible (yet) that certificate authorities sign their
own certificate with MD5. If and when a second preimage attack becomes a
reality for MD5, it will be very bad news indeed...

Best,
Jacob





Re: Certification Authorities are recommended to stop using MD5 altogether

2009-01-01 Thread Bernd Eckenfels
In article <0901011447100.8...@somehost> you wrote:
>Signature Algorithm: md5WithRSAEncryption
>^

> should be distributed at all.

Yes, because it is the self-signature, but since we distribute the CA
certificate it is not checked but trusted. The question is whether this CA signs
its issued certificates in a safe way or not.

Gruss
Bernd





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Micah Anderson
> > > On Wed, 31 Dec 2008, Micah Anderson wrote:
> > >
> > > Does anyone have a legitimate reason to trust any particular Certificate
> > > Authority?
> Yves-Alexis Perez  writes:
> 
> > I may be wrong, but I trust the CAs in ca-certificates. I've followed
> > the add of French Gvt CA Certificates, and the procedure was enough
> > strict to give me this trust impression.
* Russ Allbery  [2009-01-01 10:04-0500]:
>
> While this exploit is particularly interesting because it's technical
> rather than social and therefore easy to wrap one's mind around, it's not
> been particularly difficult to get a forged certificate since nearly the
> beginning of the commercial CA concept.  Very few of the certificate
> authorities do any sort of real authentication of the requester, so if
> you're willing to do simple things like fax them forged letterhead, you can
> probably get a certificate claiming to be just about anyone who isn't
> extremely high-profile.

I agree, and this is why I posed this question. The hierarchical
Certificate Authority model is fundamentally flawed, and easily
exploited. The state of SSL CAs is really dismal in a number of ways:
it's trivial to get a certificate issued as someone else, as has been
demonstrated by the recent Comodo example, and as Russ explains
above. Revocations are handled poorly, if at all, and even the protocols
for revocation leak private information about what sites you are
visiting to your friendly neighborhood OCSP provider. Firefox/Iceweasel
doesn't even ship with a default CRL list for the certificates that are
accepted by Mozilla.

It gets worse: trusting a CA means trusting that one central
"authority" is secure. Sure, their security protocols have been
independently audited before they are accepted into Mozilla, but that
doesn't mean that they aren't a prime target. Can you imagine the
fallout from when a CA is hacked?

There are other pressures too. What if the authorities of whatever
country the CA resides in decide that they want to snoop the traffic of
some site on the internet that has a certificate from the CA? They would
just need to get the CA to issue a new certificate that looks like yours
and employ a man-in-the-middle attack to read all your SSL traffic after
installing a proxy somewhere upstream, using this 'replacement'
certificate for your server. This proxy is installed between you and the
internet, or the target, and the target is presented with the fake
certificate instead of yours. With the key in hand, the attacker can
decrypt all encrypted traffic that travels the wire. Unless you are
checking the fingerprint of every SSL connection, you will not notice
this because the certificate was issued by a "trusted" CA.

To have faith in your SSL certificate, you need to trust the government
(not recommended), or trust a company that has various interests, such as
commercial ones, and pressures applied to it. In some cases Certificate
Authorities are *sold* to someone who wants to buy the
company. Purchasing a company whose root is in Mozilla would be a
great way of compromising a lot of very sensitive data and probably
would recoup the investment in no time. Do you trust the United States
government, the NSA, to have a convenient backdoor into your SSL-verified
encrypted traffic? What about the company Verisign? They provide a 3rd
party CALEA compliance service, which means that they have NSA/FBI
backdoors built into their systems. Chances are AOL, Wells Fargo,
Comodo, Entrust, Equifax, GTE, Starfield Tech, GoDaddy, Visa, ValiCert,
the Hungarian company NetLock, the Taiwanese government, SwissComm all have
similar issues.

The architecture and protocols involved here need to be tweaked just a
bit to change the situation so that this problem will no longer exist[0]. The
Monkeysphere[1] project's broader goals are to make these sorts of
changes, and move us towards a decentralized web-of-trust model, instead
of depending on centralized hierarchical models of control. Currently
the project only works for SSH connections, but there is work ongoing to
make GnuTLS changes that will eventually lead us to a way out of this
dismal situation. If you are interested, the project could use help.

micah

0. http://lair.fifthhorseman.net/~dkg/tls-centralization/
1. http://monkeysphere.info




Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Michael Marsh
On Thu, Jan 1, 2009 at 9:56 AM, Sam Morris  wrote:
> Maybe in a few years, NSS will have disabled the use of MD5 and the
> ancient MD2 algorithm. I wonder how many other insecure algorithms are
> still lurking in NSS, OpenSSL, GNU TLS, Java, etc...

Having programmed with OpenSSL a fair amount, I can say that the
problem isn't that the library has older algorithms in it.  That's
needed for legacy compatibility.  When initializing the library's
engine, or for a specific connection, you specify the acceptable
algorithms, so a particular application can reject MD2 or MD5
entirely.  For the openssl binary, it's a question of how it's
configured at compile- and run-time.  The default at least is to use
SHA-1.  More worrisome is that RSA keys are generated with only
512-bit moduli by default, but that may be a holdover from US export
regulations.

-- 
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh
http://mamarsh.blogspot.com
http://36pints.blogspot.com





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Sam Morris
On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:

> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Could some skilled person comment on the article?
> 
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?
> 
> 
> Cheers,

As an aside to my previous post, you may find the following link 
interesting:

https://bugzilla.mozilla.org/show_bug.cgi?id=471539

Maybe in a few years, NSS will have disabled the use of MD5 and the 
ancient MD2 algorithm. I wonder how many other insecure algorithms are 
still lurking in NSS, OpenSSL, GNU TLS, Java, etc...

-- 
Sam Morris
https://robots.org.uk/





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Russ Allbery
Yves-Alexis Perez  writes:

> I may be wrong, but I trust the CAs in ca-certificates. I've followed
> the add of French Gvt CA Certificates, and the procedure was enough
> strict to give me this trust impression.
>
> I would hope that other CA are checked to be trustworthy enough before
> adding them to ca-certificates. Not sure if the same thing applies to
> certificates in iceweasel or stuff like that, but at least in Debian we
> (as “the maintainers”) have control over this.

While this exploit is particularly interesting because it's technical
rather than social and therefore easy to wrap one's mind around, it's not
been particularly difficult to get a forged certificate since nearly the
beginning of the commercial CA concept.  Very few of the certificate
authorities do any sort of real authentication of the requester, so if
you're willing to do simple things like fax them forged letterhead, you can
probably get a certificate claiming to be just about anyone who isn't
extremely high-profile.

Such a social engineering attack was successfully used on Microsoft in the
past, for instance.

We've tested this from time to time at Stanford and it's startling how
easy it is to get one of the major commercial CAs, recognized by all the
browsers and so forth, to give you a certificate with very little checking
as long as you're willing to pay them money.  The conclusion that I've
drawn from that is that SSL certificate checking from known roots provides
little meaningful authentication and shouldn't be treated as if it does.

Debian is in an awkward position with ca-certificates and with
certificates in browsers since not having a root certificate that everyone
else honors is a significant UI bug.  In practice, most organizations only
care about SSL certificates to a sufficient extent that their users aren't
getting confusing error messages, and if Debian doesn't honor the same set
of CAs that everyone else does (at least by default), Debian just becomes
a support burden rather than something that's perceived as more secure.

-- 
Russ Allbery (r...@debian.org)   





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Sam Morris
On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:

> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Could some skilled person comment on the article?
> 
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?

Nah. What we really need to do is patch the crypto libs that use the 
certificates in ca-certificates to disable the use of broken algorithms 
such as MD5.

But at the end of the day, unless you actually do OCSP validation of 
every single connection you make, you are already running the risk of 
being MitM'd.

And even then, you are basically relying on the CA companies to perform 
the task of validating the identities of certificate-holders, when they 
make a lot more money by simply rubber-stamping everything they see. :)

> Cheers,

Happy new year, and sleep well. ;)

-- 





Re: Certification Authorities are recommended to stop using MD5 altogether

2009-01-01 Thread Peter Palfrader
On Thu, 01 Jan 2009, Cristian Ionescu-Idbohrn wrote:

> Still, the original question was (sort of) whether MD5 signed certificates
> like this one:

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>         Signature Algorithm: md5WithRSAEncryption
>                              ^
>         Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailaddress=server-ce...@thawte.com
>         Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailaddress=server-ce...@thawte.com

The algorithm used for the self-signature doesn't really matter.  What you
care about is MD5 used in any place but the root of any cert chains
you encounter.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2009-01-01 Thread Yves-Alexis Perez
On mer, 2008-12-31 at 14:15 -0500, Micah Anderson wrote:
> 
> Does anyone have a legitimate reason to trust any particular
> Certificate Authority? 

I may be wrong, but I trust the CAs in ca-certificates. I've followed
the add of French Gvt CA Certificates, and the procedure was enough
strict to give me this trust impression.

I would hope that other CA are checked to be trustworthy enough before
adding them to ca-certificates. Not sure if the same thing applies to
certificates in iceweasel or stuff like that, but at least in Debian we
(as “the maintainers”) have control over this.

Cheers,
-- 
Yves-Alexis




Re: Certification Authorities are recommended to stop using MD5 altogether

2009-01-01 Thread Cristian Ionescu-Idbohrn
On Wed, 31 Dec 2008, Micah Anderson wrote:

> Does anyone have a legitimate reason to trust any particular Certificate
> Authority?

Right.  Thing is, it's not straightforward to remove package
ca-certificates.  On my systems, some 60 other packages depend on it :(
The alternative may be to reconfigure and deactivate all:

  $ dpkg-reconfigure ca-certificates
  ...
  1. yes  2. no  3. ask
  Trust new certificates from certificate authorities? 3
  ...
  Certificates to activate:

Still, the original question was (sort of) whether MD5-signed certificates
like this one:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
                             ^
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailaddress=server-ce...@thawte.com
        Validity
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailaddress=server-ce...@thawte.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
                    68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
                    85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
                    6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
                    6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
                    29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
                    6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
                    5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
                    3a:c2:b5:66:22:12:d6:87:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
                         ^
        07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
        a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
        3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
        4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
        8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
        e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
        b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
        70:47

should be distributed at all.


Cheers,

-- 
Cristian





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread Nikolai Lusan
On Wed, 2008-12-31 at 14:15 -0500, Micah Anderson wrote:

> Does anyone have a legitimate reason to trust any particular Certificate
> Authority? 

The trust comes with knowing the procedures a CA uses to verify the
particulars of the people asking (or indeed paying) them to sign
certificates. The point of signing certificates is to generate a web of
trust: you trust that X is who they say they are because Y (whom you
trust) says they are.

-- 
Nikolai Lusan 





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread Michael Stone

On Wed, Dec 31, 2008 at 02:15:18PM -0500, Micah Anderson wrote:

> Does anyone have a legitimate reason to trust any particular Certificate
> Authority? 

Of course--some charge *lots* of money, and we all know that expensive 
bits are better than cheap bits.


Mike Stone





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread Micah Anderson
* bgr...@toplitzer.net  [2008-12-31 05:47-0500]:
> On Mittwoch, 31. Dezember 2008, Cristian Ionescu-Idbohrn wrote:
> > http://www.win.tue.nl/hashclash/rogue-ca/
> >
> > Could some skilled person comment on the article?
> >
> > I noticed around 20 certificates distributed with the package
> > ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> > Reason to worry?
> >
> 
> It is a problem. It's a reason to worry.
> But it is only one of many. 
> (They mentioned that in their presentation: It's a matter
> of trust :-) )
> Don't trust certificates too much.

Does anyone have a legitimate reason to trust any particular Certificate
Authority? 

micah





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread Florian Weimer
* Cristian Ionescu-Idbohrn:

> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?

These are self-signatures and typically not checked anyway.  When
these CA certificates are used to issue other certificates, they can
use SHA-1, and are not restricted to MD5.  (Same comment applies to
the certificates with MD2 self-signatures.)

Only the CA knows if it still issues certificates with MD5 signatures.
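The point Bernd, Peter and Florian make (the root's self-signature is never verified, so MD5 there is harmless, while MD5 anywhere else in a chain is the real problem) as an added example, not code from the thread or from any TLS library: it parses `openssl x509 -text` style output and reports weak signatures only on non-anchor certificates. The three certificate texts are constructed and abbreviated, and `parse_cert_text` / `audit_chain` are hypothetical helper names.

```python
import re

# Signature algorithms the thread says should no longer be accepted.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "md2WithRSAEncryption"}

# Constructed, abbreviated `openssl x509 -text` renderings, leaf first.
# The intermediate and the root both carry MD5 signatures on purpose.
CHAIN_TEXT = [
    """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, O=Example Intermediate CA
        Subject: CN=www.example.test
    Signature Algorithm: sha1WithRSAEncryption
""",
    """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example Root CA
        Subject: C=XX, O=Example Intermediate CA
    Signature Algorithm: md5WithRSAEncryption
""",
    """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example Root CA
        Subject: C=XX, O=Example Root CA
    Signature Algorithm: md5WithRSAEncryption
""",
]


def parse_cert_text(text):
    """Extract issuer, subject and signature algorithm from openssl's
    text rendering (hypothetical helper, not an openssl API)."""
    def grab(field):
        m = re.search(r"^\s*%s: (.*)$" % field, text, re.MULTILINE)
        if m is None:
            raise ValueError("missing field: %s" % field)
        return m.group(1).strip()
    # "Signature Algorithm" is printed twice (inside tbsCertificate and
    # for the outer signature) with the same value; the first hit suffices.
    return {"issuer": grab("Issuer"),
            "subject": grab("Subject"),
            "sig_alg": grab("Signature Algorithm")}


def audit_chain(chain_text, trusted_root_subjects):
    """Return findings for a leaf-first chain. A self-signed certificate
    whose subject is in the local trust store is a trust anchor: its
    self-signature is never verified, so its algorithm is not a finding.
    MD5/MD2 on any other signature in the chain is reported."""
    findings = []
    for pos, text in enumerate(chain_text):
        cert = parse_cert_text(text)
        is_anchor = (cert["issuer"] == cert["subject"]
                     and cert["subject"] in trusted_root_subjects)
        if is_anchor:
            continue
        if cert["sig_alg"] in WEAK_SIG_ALGS:
            findings.append("cert %d (%s): %s signature by %s" % (
                pos, cert["subject"], cert["sig_alg"], cert["issuer"]))
    return findings


if __name__ == "__main__":
    for line in audit_chain(CHAIN_TEXT, {"C=XX, O=Example Root CA"}):
        print(line)
```

Note that a self-signed certificate that is *not* in the local store gets no such exemption: its signature then does have to be verified, so a weak algorithm on it is reported.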





Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread bgrpt3
On Mittwoch, 31. Dezember 2008, Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Could some skilled person comment on the article?
>
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?
>

It is a problem. It's a reason to worry.
But it is only one of many. 
(They mentioned that in their presentation: It's a matter
of trust :-) )
Don't trust certificates too much.

See following links for more information:

Homepage Peter Gutmann:
http://www.cs.auckland.ac.nz/~pgut001/
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

Peter Gutmann, PKI: It's Not Dead, Just Resting (2002)
http://www2.computer.org/portal/web/csdl/doi/10.1109/MC.2002.1023787

On the Security of Today’s Online Electronic Banking Systems 
http://dx.doi.org/10.1016/S0167-4048(02)00312-7

Quite old, but you get the message...


Hope that helps...





"Certification Authorities are recommended to stop using MD5 altogether"

2008-12-30 Thread Cristian Ionescu-Idbohrn
http://www.win.tue.nl/hashclash/rogue-ca/

Could some skilled person comment on the article?

I noticed around 20 certificates distributed with the package
ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
Reason to worry?


Cheers,

-- 
Cristian

