Full Disclosure mailing list archives

Re: GoAgent vulnerabilities: CA cert with known private key, TLS MITM


From: David Fifield <david () bamsoftware com>
Date: Fri, 31 Oct 2014 23:10:16 -0700

On Mon, Jun 02, 2014 at 01:13:56PM -0700, David Fifield wrote:
> There is an HTML version of this document with screenshots at
> https://www.bamsoftware.com/sec/goagent-advisory.html.
>
> == GoAgent installs a root CA certificate with a known private key ==
>
> At startup, GoAgent installs a system-wide root CA certificate with a
> fixed and publicly known private key. Because the private key is known,
> anyone can impersonate the "GoAgent CA" and sign certificates for almost
> any web site. The trusted root CA certificate remains installed even
> after GoAgent is turned off or removed. Depending on the circumstances
> of GoAgent's installation, the certificate may also affect browsers
> other than the one used with GoAgent, and other users of the same
> computer.

It appears that this problem is now fixed. The software now generates a
CA certificate with an unpredictable private key when run for the first
time. The fix is in the released version 3.2.1.

https://github.com/goagent/goagent/compare/0e2eb37c098b2a5653aac24a6256f0d262d2be47...77c8e7f131f9eb7d857cded9c0bc2f662e80b78a

I've updated the advisory page.

David Fifield

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

