Interesting People mailing list archives
Re: Creating a rogue CA certificate
From: David Farber <dave () farber net>
Date: Sat, 3 Jan 2009 09:46:18 -0500
Begin forwarded message: From: Adrian Perrig <adrian () ece cmu edu> Date: January 3, 2009 8:51:58 AM EST To: David Farber <dave () farber net> Subject: Re: [IP] Creating a rogue CA certificate Dear Dave, Fortunately, we have developed a system that protects against the SSL/TLS attack recently discovered, our system called Perspectives is available as an extension for the Firefox web browser. The attack pointed out by Sotirov et al. is very serious: it enables an attacker on the network path between the client and server to mount a Man-in-the-Middle attack, that is, to effectively eavesdrop and alter "encrypted and authenticated" SSL/TLS connections. Just to be absolutely clear, an attacker can read your bank username / password when logging in if he can control the network packets (this is quite feasible through DNS-based redirection attacks, malicious access points, or in many wireless environments). Several other vulnerabilities exist in SSL/TLS, for example a CA's private key that is leaked, or a malicious CA root key that is installed by users through instructions received through spam email also enable Man-in-the-Middle attacks. To help users protect themselves against these attacks, Dan Wendlandt, Dave Andersen, and I have designed the Perspectives system at Carnegie Mellon University and CyLab. Perspectives is available as a Firefox extension. When the browser opens an https connection (and thus establishes an SSL/TLS connection with the web server) Perspectives contacts several globally distributed notary servers which keep a history of servers' SSL/TLS public keys. If the observation from the network notaries does not match the received server key, Perspectives warns the user. Perspectives is already in use by an estimated 30,000 users, and the code is stable. The Firefox extension works on Windows, MAC and Linux and can be downloaded and installed from: http://www.cs.cmu.edu/~perspectives/firefox.html#install To ensure Perspectives detects these attacks, you must instruct it to contact notary servers for all HTTPS sites (not only for self-signed certificates, which is the default setting), even if your browser considers the certificate valid. Select Tools->Add-ons->Perspectives and then click on "Preferences", then select the "Preferences" tab, and finally select the option "Contact Notaries for all HTTPS sites" to enable such verification. The project web site is at: http://www.cs.cmu.edu/~perspectives/ Technical details are available from our paper available at: http://sparrow.ece.cmu.edu/group/pub/wendlandt-andersen-perrig-usenixatc08.pdf Best wishes, Adrian
Begin forwarded message: From: Paul Robichaux <PaulR () 3sharp com> Date: December 31, 2008 9:22:23 AM EST To: David Farber <dave () farber net> Subject: FW: [ISN] Creating a rogue CA certificate Perhaps interesting to IP readers? -- Paul Robichaux (paulr () 3sharp com) Sr VP, Infrastructure Services 3Sharp 14700 NE 95th St, Suite 210 Redmond, WA 98052 425-882-1032 x7285 (v) 425-558-5710 (f) MSN: paul () robichaux net Twitter: paulrobichaux ------ Forwarded Message From: InfoSec News <alerts () infosecnews org> Date: Wed, 31 Dec 2008 09:08:14 +0000 To: "isn () infosecnews org" <isn () infosecnews org> Subject: [ISN] Creating a rogue CA certificate http://www.win.tue.nl/hashclash/rogue-ca/ December 30, 2008 MD5 considered harmful today Creating a rogue CA certificate
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Re: Creating a rogue CA certificate David Farber (Jan 03)