Full Disclosure mailing list archives

OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange


From: niclas <lists () datenritter de>
Date: Sun, 25 May 2008 21:15:55 +0200

Alex,

you recently wrote that you tested the CA certificates - but you didn't
test the certificates which have been *signed* by the CAs.

They are a serious problem. The attack described in your recent post can
easily be avoided by exchanging vulnerable certificates, BUT:

If somebody grabbed an old (vulnerable) certificate quickly, he or she
could generate the private key which fits it and then abuse the cert.
for a man-in-the-middle attack.

I think all servers which had a vulnerable certificate, even for a short
time, are still not secure - at least as long as the old certificates
are still valid, which depends only on the validity date saved in the
certificate.

No, CRLs don't work. Firefox, for example, does not check for CRLs
(default setting), making certificate revocation senseless. I assume
other browsers don't check CRLs either. And what about the German
tax software ELSTER?

German CCC member Fefe describes this here (English and German):
http://blog.fefe.de/?ts=b6c9ec7e

His post is dated 23rd of May. He says somebody already got the old
cert. of "a248.e.akamai.net".


My comment with screenshots of Firefox's settings pages and an error
message here (German):
http://blog.datenritter.de/archives/208-gefaehrliche-Angriffsmoeglichkeit-durch-das-OpenSSL-Debakel.html


I think the only option is to change domain names. :-(

IMHO Felix is totally right in his criticism of PKI. When you download a
browser you get a bunch of CA certificates but no reason to trust even a
few of them.

n.

Everybody keeps talking about changing your keys and updating OpenSSL,
but this is not the only issue with the Debian/OpenSSL debacle. Consider
that someone has sniffed your SSH traffic (say, at a security conference?).
If either a compromised server or client was involved, you have got
a problem, as the Diffie-Hellman key exchange at the start of the
SSH session can now be broken. This means that all the data (passwords,
SSH tunnel anyone?) can now be considered compromised if you are
reasonably paranoid.

(...)

You can find the script at
http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
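The point niclas makes above - that with CRL checking switched off, a replaced-but-unexpired certificate is accepted right up to its notAfter date, so revocation buys nothing - can be shown with a small client-side decision model. The following is an added example, not code from the post, from Debian or from OpenSSL. It builds a constructed, unsigned, certificate-shaped DER blob (placeholder names, key and signature; the serial 0x1337 and the dates are invented), walks it with a minimal DER reader to pull out serialNumber and validity, and then evaluates it the way a client would with and without honouring the CA's CRL. Function names (`make_cert`, `parse_cert`, `evaluate`, `demo`) are this example's own.

```python
"""Why an unexpired-but-revoked certificate stays dangerous when a client
skips CRL checks: a minimal X.509 serial/validity extractor plus a
revocation decision, run against a CONSTRUCTED, unsigned, certificate-shaped
DER blob. Added example; not code from the post or from Debian/OpenSSL.
"""
from datetime import datetime, timezone

# ---- tiny DER encoder, used only to build the constructed sample ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(n):
    # non-negative only; the extra leading byte keeps the sign bit clear
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(serial, not_before, not_after):
    """Certificate-shaped DER: real field order, placeholder names/key/signature."""
    version = der(0xA0, der_int(2))                                      # [0] EXPLICIT v3
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    validity = der(0x30, der_utctime(not_before) + der_utctime(not_after))
    empty_name = der(0x30, b"")                                          # issuer/subject placeholders
    spki = der(0x30, b"")                                                # placeholder, no real key
    tbs = der(0x30, version + der_int(serial) + sig_alg + empty_name + validity + empty_name + spki)
    signature = der(0x03, b"\x00")                                       # placeholder, not a real signature
    return der(0x30, tbs + sig_alg + signature)

# ---- minimal DER walker: just enough to reach serialNumber and validity ----
def tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(cert):
    _, outer, _ = tlv(cert, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(outer, 0)             # tbsCertificate ::= SEQUENCE
    tag, val, pos = tlv(tbs, 0)
    if tag == 0xA0:                       # optional explicit version precedes serialNumber
        tag, val, pos = tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)             # issuer Name
    _, validity, _ = tlv(tbs, pos)        # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = tlv(validity, 0)
    t2, na, _ = tlv(validity, p)
    return serial, parse_time(t1, nb), parse_time(t2, na)

def evaluate(cert, now, revoked_serials, check_crl=True):
    """Mimic a client's decision: dates are always checked, the CRL only if the client bothers."""
    serial, not_before, not_after = parse_cert(cert)
    if now < not_before or now > not_after:
        return "expired-or-not-yet-valid"
    if check_crl and serial in revoked_serials:
        return "revoked"
    return "accepted"

# Constructed sample: a cert issued to a weak key, replaced and revoked soon after issue.
UTC = timezone.utc
WEAK_CERT = make_cert(0x1337, datetime(2008, 4, 1, tzinfo=UTC), datetime(2009, 4, 1, tzinfo=UTC))
REVOKED = {0x1337}                        # serials on the CA's CRL (constructed)

def demo():
    during = datetime(2008, 5, 25, tzinfo=UTC)            # date of the post
    after = datetime(2009, 6, 1, tzinfo=UTC)
    return (evaluate(WEAK_CERT, during, REVOKED, check_crl=False),  # CRL ignored: still trusted
            evaluate(WEAK_CERT, during, REVOKED, check_crl=True),   # CRL honoured: rejected
            evaluate(WEAK_CERT, after, REVOKED, check_crl=False))   # only expiry ends the exposure

if __name__ == "__main__":
    for label, verdict in zip(("no CRL check", "CRL check", "after notAfter"), demo()):
        print(f"{label:>15}: {verdict}")
```

The three verdicts are the whole argument: with the CRL ignored the revoked certificate is "accepted", with it honoured it is "revoked", and only once notAfter has passed does a non-checking client stop trusting it. For a real certificate the same serial/validity fields come out of `openssl x509 -noout -serial -dates`, and the CRL membership test is what a client that actually fetches the CRL performs.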