Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: Darren Reed <avalon () COOMBS ANU EDU AU>
Date: Fri, 22 Dec 2000 08:59:05 +1100
In some mail from Martin Rex, sie said: [...]
> (1) the significance of a secure key storage. SSL: All Web-Browsers that I know keep Root-CA certificates in software and it is quite possible for software to modify Root-CA certs or to add new Root-CA certs, which subverts the whole PKI trust model.

No, it just subverts the implementation whereby the browser doesn't bother you if it can find a path back to a root-CA for an X.509 cert associated with whatever cert it has been given. For Netscape there is a builtin MIME type that cannot be disabled which invokes the root CA installation code. 10:1 most people would click "ok" to install a root CA if so prompted from a random web site. Now that's without even doing anything nasty. [...]

> SSL: Web-Browsers are shipped with >100 preconfigured CA certs these days. Most Browsers can be downloaded via the Internet, but many of the distributions are still not signed -- how do you know they haven't been backdoored with additional Root-Certs?

How do you know there is any integrity at all in those preconfigured? What's to say that 10 of them aren't controlled by some mafia? I'll let the conspiracy theorists go to town on that note.

Darren
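The concrete check both posters are circling (has anything been added to the shipped set of root CAs, and does the shipped set even match what you think it is?) is a trust-store diff. The script below is an added example, not code from the thread or from any browser vendor: it splits a PEM bundle into certificates, fingerprints each DER encoding with SHA-256, and reports roots that were added, removed or duplicated relative to a baseline of fingerprints recorded from a build you trust. The bundle and baseline embedded here are constructed placeholder bytes so it runs offline; they are not real X.509 certificates, and `SHIPPED_ROOTS`, `INJECTED_ROOT` and the file-argument handling are this example's own assumptions.

```python
"""Trust-store drift check: fingerprint every certificate in a PEM bundle and
diff the set against a baseline captured from a build you trust.

Added example (not part of the original Bugtraq post). The sample
"certificates" are constructed placeholder bytes so the script runs offline;
they are not real X.509 data. In use, point it at a real bundle such as the
CA file your browser or OS ships."""
import base64
import hashlib
import re
import sys

# One PEM certificate block; the body is base64 that may be wrapped across lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle: str) -> list:
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_CERT_RE.finditer(bundle)
    ]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way to pin a CA certificate."""
    return hashlib.sha256(der).hexdigest()


def diff_trust_store(bundle: str, baseline: set) -> dict:
    """Compare a bundle against a baseline set of fingerprints.

    Returns fingerprints that were added (the case the thread worries about),
    fingerprints that were removed, and any certificate listed more than once.
    """
    seen = [fingerprint(der) for der in split_pem_bundle(bundle)]
    present = set(seen)
    return {
        "added": sorted(present - baseline),
        "removed": sorted(baseline - present),
        "duplicates": sorted({fp for fp in seen if seen.count(fp) > 1}),
    }


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 body)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
SHIPPED_ROOTS = [
    b"constructed placeholder for shipped root CA #1 (not real DER)",
    b"constructed placeholder for shipped root CA #2 (not real DER)",
]
INJECTED_ROOT = b"constructed placeholder for a root CA added after shipping"

# Baseline: fingerprints recorded from the bundle you trust (e.g. a signed build).
BASELINE = {fingerprint(der) for der in SHIPPED_ROOTS}

# A bundle that gained an extra root and also lists root #1 twice.
SAMPLE_BUNDLE = "".join(
    to_pem(der) for der in SHIPPED_ROOTS + [INJECTED_ROOT, SHIPPED_ROOTS[0]]
)


def check_sample() -> dict:
    """Run the diff over the constructed sample bundle."""
    return diff_trust_store(SAMPLE_BUNDLE, BASELINE)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 this.py /path/to/ca-bundle.pem baseline.txt
        # where baseline.txt holds one hex SHA-256 fingerprint per line.
        with open(sys.argv[1]) as f:
            bundle = f.read()
        with open(sys.argv[2]) as f:
            baseline = {line.strip() for line in f if line.strip()}
        result = diff_trust_store(bundle, baseline)
    else:
        result = check_sample()
    for key, fps in result.items():
        print(f"{key}: {len(fps)}")
        for fp in fps:
            print(f"  {fp}")
```

The baseline has to come from somewhere you trust more than the download itself (a signed release, or fingerprints pinned before the machine was exposed), otherwise the check only confirms that the bundle agrees with itself, which is exactly the gap Darren points at. Run it against the shipped CA file on a fresh install and again periodically; an unexpected entry under `added` is the "additional Root-Cert" case from the thread.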
Current thread:
- Re: "The End of SSL and SSH?", (continued)
- Re: "The End of SSL and SSH?" Ryan Russell (Dec 21)
- Re: "The End of SSL and SSH?" Michael H. Warfield (Dec 20)
- Re: "The End of SSL and SSH?" Alfred Perlstein (Dec 20)
- Re: "The End of SSL and SSH?" Perry E. Metzger (Dec 21)
- Re: "The End of SSL and SSH?" Kurt Seifried (Dec 21)
- Re: "The End of SSL and SSH?" Eric Rescorla (Dec 21)
- Re: "The End of SSL and SSH?" Samuele Giovanni Tonon (Dec 21)
- Re: "The End of SSL and SSH?" - mongo followup Kurt Seifried (Dec 24)
- Re: "The End of SSL and SSH?" Adrian Close (Dec 22)
- Re: "The End of SSL and SSH?" Martin Rex (Dec 21)
- Re: "The End of SSL and SSH?" Darren Reed (Dec 21)
- Re: "The End of SSL and SSH?" Klaus Moeller (Dec 22)
- Re: "The End of SSL and SSH?" Adam Shostack (Dec 21)