Key compromise and root cert with shared key in German lawyer communication software (beA)

2017-12-23 Thread Hanno Böck via dev-security-policy
Hi,

The German bar association has a software for secure communication
between lawyers called "besonderes elektronisches
Anwaltspostfach" (beA).

They used a local https server run on the client with a valid
certificate for bealocalhost.de (the domain resolves to 127.0.0.1).
This means the private key is part of the software, so this is a key
compromise. This has been reported by Markus Drenger to the CA and it
got revoked.
Here's the cert:
https://crt.sh/?id=285821301

What happened after that is no longer relevant for the PKI as a whole,
but is even worse for the users of beA: They used a self-signed
certificate and asked the users to import that into the Windows root
certificate store. Thus the same problem appears as with Superfish,
edell and similar: Everyone can now sign certificates for arbitrary
hosts and use them to perform man in the middle attacks against the
users who followed these instructions.

Starting January 1st all lawyers in Germany have to use this beA
software.

Article in German:
https://www.golem.de/news/bea-bundesrechtsanwaltskammer-verteilt-https-hintertuere-1712-131845.html

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
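As an added illustration (not code from the post, from beA or from the CA involved) of how far the trust granted by such an imported root reaches: the Go program below builds a constructed self-signed root of the kind a desktop application might ask users to install and checks which server certificates signed with its key a client would accept. Without a Name Constraints extension, a certificate for any host is accepted; with a constraint on bealocalhost.de (the only name taken from the post; the other host, keys and certificates are constructed here), the same key is only good for that name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl for public key pub with the signer's key under parent and parses the result.
func mint(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}

// NewLocalRoot is a constructed self-signed root; constrain adds a Name Constraints extension for bealocalhost.de.
func NewLocalRoot(constrain bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Local Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	if constrain {
		tmpl.PermittedDNSDomainsCritical = true
		tmpl.PermittedDNSDomains = []string{"bealocalhost.de"}
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// ClientAccepts reports whether a client trusting root accepts a server certificate root's key signed for host.
func ClientAccepts(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) bool {
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := mint(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}, root, &leafKey.PublicKey, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Windows CryptoAPI, like Go's verifier here, enforces Name Constraints, so a root shipped for a single local hostname can be limited to that name before users are asked to trust it.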


Re: [FORGED] Re: CA generated keys

2017-12-23 Thread Michael Ströder via dev-security-policy
Matthew Hardeman wrote:
> On Wednesday, December 13, 2017 at 5:52:16 PM UTC-6, Peter Gutmann wrote:
>> In all of these cases, the device is going to be a safer place to generate
>> keys than the CA, in particular because (a) the CA is another embedded
>> controller somewhere so probably no better than the target device and (b)
>> there's no easy way to get the key securely from the CA to the device.
> 
> Agreed, as I mentioned the secure transport aspect is essential for
> remote key generation to be a secure option at any level.

I have strong doubts that all these Internet-of-shitty-things
manufacturers will ever get anything like this right.
I agree with Peter: Private key generation is the least you have to
worry about when using such devices.

Also I'm seriously concerned that if the policy is changed to allow
CA-side key generation and this gets adopted, the CAs will be forced to
implement key escrow disclosing keys to .

=> Mozilla policy *shall not* be changed to allow CAs to generate the
end entities' keys.

(The only reasonable use-case for a CA generating the private keys is to
ensure that they are immediately stored in a secure device. But that's
not really applicable in this broad use-case.)

Ciao, Michael.