Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: Klaus Moeller <moeller () CERT DFN DE>
Date: Fri, 22 Dec 2000 12:29:48 +0100
Hi Martin,

Martin Rex writes:
> (1) the significance of a secure key storage.
>
> SSL: All Web-Browsers that I know keep Root-CA certificates in software, and it is quite possible for software to modify Root-CA certs or to add new Root-CA certs, which subverts the whole PKI trust model. Modifying this storage is not that difficult, given the doors and bugs in Javascript, Java, ActiveX and Browser plugins. And the more application vendors move over to using Web-Browsers as frontends, the more (signed) general-purpose launch pads will be installed and used.
True, the storage itself isn't protected at all (except the root certificates in Win2K).

Everybody who knows Berkeley DBM and has write access to $HOME/.netscape/cert7.db can modify the Netscape 4.x certificate DB. The same goes for IE for those who know the registry calls and have write access to HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\* or (on Solaris, etc.) write access to $HOME/.microsoft/registry5.

Win2K at least restricts writing to the registry branch containing the root certificates to Administrator or SYSTEM, and gives a notification if a self-signed certificate is inserted into the root certificate branch.

There's a DFN-CERT security bulletin about this (in German only :( at http://www.cert.dfn.de/infoserv/dsb/dsb-2000-02.html

Klaus Moeller, DFN-CERT

- --
Klaus Moeller        | mailto:moeller () cert dfn de
DFN-CERT GmbH        | http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30  | Phone: +49(40)42883-2262
D-22527 Hamburg      | FAX:   +49(40)42883-2241
Germany              | PGP-Key: finger moeller () ftp cert dfn de
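The per-user root store Klaus names (HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root) is what PowerShell exposes as Cert:\CurrentUser\Root. The following is an added example, not code from the post or from DFN-CERT: it records a baseline of that store's thumbprints and later reports any root that was not in the baseline, flagging self-signed additions, which is the case the post says Win2K warns about and older stores silently accept. The function names and the baseline file path are assumptions.

```powershell
# Added example: baseline-and-diff check of the current user's root store.
# Assumed names: Get-RootStoreEntries, Save-RootStoreBaseline, Get-RootStoreDrift,
# and the baseline file path under $env:USERPROFILE.

function Get-RootStoreEntries {
    param([string]$StorePath = 'Cert:\CurrentUser\Root')
    # Subject/Issuer/Thumbprint are enough to recognise a root later and
    # to tell whether it is self-signed.
    Get-ChildItem -Path $StorePath |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

function Save-RootStoreBaseline {
    param([string]$Path = "$env:USERPROFILE\root-baseline.xml")
    # Take the baseline on a machine whose trust store is known to be clean.
    $entries = @(Get-RootStoreEntries)
    $entries | Export-Clixml -Path $Path
    Write-Host "Baseline of $($entries.Count) root certificates written to $Path"
}

function Get-RootStoreDrift {
    param([string]$Path = "$env:USERPROFILE\root-baseline.xml")
    $baseline = @(Import-Clixml -Path $Path)
    $current  = @(Get-RootStoreEntries)

    # Index the baseline by thumbprint so the comparison is O(n).
    $known = @{}
    foreach ($c in $baseline) { $known[$c.Thumbprint] = $true }

    foreach ($c in $current) {
        if ($known.ContainsKey($c.Thumbprint)) { continue }
        # A root absent from the baseline. Subject == Issuer is the shape a
        # newly injected root CA would have, so it gets the highest severity.
        $selfSigned = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            SelfSigned = $selfSigned
            Severity   = $(if ($selfSigned) { 'HIGH' } else { 'REVIEW' })
        }
    }
}

# Usage: Save-RootStoreBaseline once, then run Get-RootStoreDrift | Format-Table
# on a schedule; an empty result means no root was added since the baseline.
```

Because the store lives under HKEY_CURRENT_USER, anything running as the user can add to it, so the baseline file should be kept somewhere the user's own processes cannot rewrite, or the check will be blind to a root added together with an updated baseline.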