RE: Self-signed certs unrestricted in Windows XP

["Menashe Eliezer" <menashe () finjan com>]

Andrew,
Your test demonstrates more problems: 
1. The signed applet has been launched automatically without any security warning that asks whether to trust the signer.
The browser assumes that since you trust the signer for signing the page, you also trust the signer to sign the Java 
applet.
However, you haven't decided to trust the signer as a trusted publisher.
The certificate doesn't appear in the publishers list (Tools-Internet Options-Content-Publishers)
IE should have warned you that that the applet has been signed by entrusted publisher.
Trusting a signer to launch mobile code on your machine is much more dangerous than trusting it for signing a web page.
If IE is configured to use Sun Java Plug-In, there will be a security warning. This is actually the work around for the 
problem that you have raised.
2. I've configured IE to warn upon 'Changing between secure and not secure mode'. It doesn't prevent the automatic 
loading of the Java applet from non-HTTPS web site.


Your demonstration shows the need for scanning encrypted web pages in the gateway level.
Finjan Software is launching in the upcoming year a new product that enables the scanning of encrypted web pages.
Finjan Software will also be launching a new product in 2004 that validates SSL certificates.
Your demonstration was blocked in our lab since the CA was not trusted by the security administrator.
After we've added the CA to our store, SurfinGate for Web has proactively blocked the signed applet for a network 
violation.
Future versions of SurfinGate for Web will provide an additional line of defense and block any mobile code that is 
signed by a self-signed certificate.
Finjan Software desktop applications proactively blocks the signed applet for a network violation.


--
Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
 
Prevention is the best cure!



-----Original Message-----
From: Andrew Daviel [mailto:advax () triumf ca]
Sent: Sunday, December 14, 2003 10:23 PM
To: bugtraq () securityfocus com
Subject: Self-signed certs unrestricted in Windows XP



It appears that if a self-signed (test) certificate is installed under
Windows XP, that it acquires all (or an unreasonable number of) privileges
by default.

I was testing a webserver and Java applet which I had signed with
a self-signed cert (https://andrew.triumf.ca/mterm/)

I notice that under Windows XP, if I elect to accept the certificate
permanently, and then go to the Content tab in "Internet Options" in IE,
that I see my cert is installed under "Trusted Root CAs", and if I click
Advanced, that it is by default trusted for a large number of purposes
such as driver verification and time stamping; I can change this (and did)
under "View->Details->Edit Properties".

I would have assumed that it would only be trusted for "Server
Verification" (and for the Java certificate, "Code Signing")

(In Netscape 4 or Mozilla on Linux, the server cert is installed only as
an "SSL Server Site", while the Java cert, although installed as a CA,
does not by default certify network sites, and is not used for local
functions such as filesystem encryption, software package verification
etc.)

Since by default self-signed certs are not trusted, and generate a lot
of alerts if used, I don't see this a big problem. But on occasion
someone may use such a cert to provide protection against eavesdropping at
zero cost, and tell users "if you install the cert you won't get the
popups every time you connect", without taking the same precautions to
safeguard the private key as they might otherwise have done.


(It might be nice to have a mechanism to trust a certificate for
only one object, but I guess things don't work like that)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca