Penetration Testing mailing list archives
RE: Can you impersonate a client side cert??
From: Ed Moyle <emoyle () scsnet csc com>
Date: Tue, 29 Jan 2002 09:22:55 -0500
On Monday, January 28, 2002 17:32 pmawson () deloitte co nz wrote:

> Phrack #57 - Hang on, Snoopy (by stealth)
> http://www.phrack.org/show.php?p=57&a=13
> Herein lies the answer to your question.

It should be noted that this article *only applies* to CAs that are unknown to the browser and is focused primarily on server certs used for SSL.

With respect to client-side certs, the web server will only trust certs issued by a known, valid CA. In most applications, servers only trust certs issued by a particular CA (perhaps a local CA) and not the universe of possible commercial CAs that are available by default in the web server (since commercial CAs typically have pretty weak auth criteria; Verisign, for example, lets you get one for "test purposes" using just your email address). So, using a spurious CA that you control is (usually) out of the question.

If you can get a *trusted* CA to issue you a cert with a CN that you can control (this is not always easy to do), the only way you can impersonate is if the application uses custom-written software that checks only the CN and not any other information on the cert. This is not a common practice for exactly the reason that is being discussed. Many times the SN is used, which is unique per CA.

Some resources regarding mapping a cert to a user in particular environments:

Microsoft has an article on how this is set up w/ IIS. Check out:
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp

IBM has a similar article for WebSphere:
http://www-4.ibm.com/software/webservers/appserv/doc/v35/ae/infocenter/was/050505.html

Note that in both cases, doing a mapping based on CN where *more than one CA is trusted* and/or *uniqueness of CN is not enforced* is incredibly dangerous and hence is typically avoided... At the very least, DN should be used.

Just my $.02...

-E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
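The cert-to-user mapping that the reply above warns about, as an added example that is not part of Ed Moyle's post or of either vendor article. It takes a client certificate in the dict shape that Python's standard-library ssl.SSLSocket.getpeercert() returns for a verified peer and maps it to a local user three ways: by CN only, by full subject DN plus issuer, and by (issuer, serial number). Two constructed certificates with the same CN, one from an internal CA and one from a commercial CA, show where each mapping breaks. The CA names, users, serial numbers and mapping tables are all made up for the example.

```python
# Added example, not code from the original post: mapping a verified client
# certificate to a local user.  The cert dicts follow the shape returned by
# Python's stdlib ssl.SSLSocket.getpeercert(); the CAs, users and serial
# numbers are constructed for this example.

# getpeercert() gives subject and issuer as a tuple of RDNs, each RDN being a
# tuple of (attribute, value) pairs, and serialNumber as an uppercase hex string.
CERT_FROM_INTERNAL_CA = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Engineering"),),
                (("commonName", "alice"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal CA"),)),
    "serialNumber": "1A2B3C",
}

# A cert with the same CN obtained from a commercial CA that only checked an
# e-mail address (constructed; the CN collision is the point).
CERT_FROM_PUBLIC_CA = {
    "subject": ((("commonName", "alice"),),),
    "issuer": ((("organizationName", "Public Test CA Ltd"),),
               (("commonName", "Public Test CA"),)),
    "serialNumber": "7F00",
}

INTERNAL_CA_DN = "organizationName=Example Corp,commonName=Example Corp Internal CA"

# Hypothetical mapping tables a server might keep.
CN_TO_USER = {"alice": "alice@corp"}
DN_TO_USER = {
    (INTERNAL_CA_DN,
     "organizationName=Example Corp,organizationalUnitName=Engineering,commonName=alice"): "alice@corp",
}
ISSUER_SERIAL_TO_USER = {(INTERNAL_CA_DN, "1A2B3C"): "alice@corp"}


def dn_to_string(rdns):
    """Flatten a getpeercert() RDN sequence into 'attr=value,attr=value,...'."""
    return ",".join(f"{attr}={value}" for rdn in rdns for attr, value in rdn)


def common_name(rdns):
    """Return the first commonName attribute in a DN, or None."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def map_by_cn(cert):
    """Weak: any trusted CA that issues CN=alice yields user alice."""
    return CN_TO_USER.get(common_name(cert["subject"]))


def map_by_dn(cert):
    """Better: full subject DN, keyed by the issuing CA as well."""
    key = (dn_to_string(cert["issuer"]), dn_to_string(cert["subject"]))
    return DN_TO_USER.get(key)


def map_by_issuer_serial(cert):
    """Strongest: the serial number is unique per CA, so (issuer, serial)
    names exactly one certificate; the issuer must also be one we trust."""
    issuer = dn_to_string(cert["issuer"])
    if issuer != INTERNAL_CA_DN:
        return None
    return ISSUER_SERIAL_TO_USER.get((issuer, cert["serialNumber"].upper()))


def compare(cert):
    """Run all three mappings over one certificate for side-by-side inspection."""
    return {
        "cn": map_by_cn(cert),
        "dn": map_by_dn(cert),
        "issuer_serial": map_by_issuer_serial(cert),
    }


if __name__ == "__main__":
    for name, cert in (("internal", CERT_FROM_INTERNAL_CA),
                       ("public", CERT_FROM_PUBLIC_CA)):
        print(name, compare(cert))
```

The CN-only lookup returns alice@corp for both certificates; the DN and (issuer, serial) lookups return a user only for the internal-CA certificate. In a real deployment the TLS layer should already reject the public-CA certificate (an ssl.SSLContext with verify_mode=CERT_REQUIRED and a CA bundle containing only the internal CA); keying the mapping on issuer and serial is the defense in depth that keeps a later "just add one more trusted CA" change from silently merging identities.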
Current thread:
- RE: Can you impersonate a client side cert?? Ed Moyle (Jan 28)
- <Possible follow-ups>
- RE: Can you impersonate a client side cert?? Jason Brvenik (Jan 28)
- RE: Can you impersonate a client side cert?? charl van der walt (Jan 28)
- Can you impersonate a client side cert?? Darren Craig (Jan 28)
- RE: Can you impersonate a client side cert?? Bryan Allerdice (Jan 28)
- RE: Can you impersonate a client side cert?? L Williams (Jan 28)
- RE: Can you impersonate a client side cert?? pmawson (Jan 28)
- RE: Can you impersonate a client side cert?? Ed Moyle (Jan 29)
- RE: Can you impersonate a client side cert?? Cushing, David (Jan 30)
- RE: Can you impersonate a client side cert?? Michael Howard (Jan 30)