Full Disclosure mailing list archives
Re: GoAgent vulnerabilities: CA cert with known private key, TLS MITM
From: David Fifield <david () bamsoftware com>
Date: Fri, 31 Oct 2014 23:10:16 -0700
On Mon, Jun 02, 2014 at 01:13:56PM -0700, David Fifield wrote:
> There is an HTML version of this document with screenshots at
> https://www.bamsoftware.com/sec/goagent-advisory.html.
>
> == GoAgent installs a root CA certificate with a known private key ==
>
> At startup, GoAgent installs a system-wide root CA certificate with a fixed and publicly known private key. Because the private key is known, anyone can impersonate the "GoAgent CA" and sign certificates for almost any web site. The trusted root CA certificate remains installed even after GoAgent is turned off or removed. Depending on the circumstances of GoAgent's installation, the certificate may also affect browsers other than the one used with GoAgent, and other users of the same computer.

It appears that this problem is now fixed. The software now generates a CA certificate with an unpredictable private key when run for the first time. The fix is in the released version 3.2.1.

https://github.com/goagent/goagent/compare/0e2eb37c098b2a5653aac24a6256f0d262d2be47...77c8e7f131f9eb7d857cded9c0bc2f662e80b78a

I've updated the advisory page.

David Fifield

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
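
Because the advisory says the trusted root stays installed after GoAgent is turned off or removed, the following added example (not part of the original message or of GoAgent) scans a trust store exported as a PEM bundle for certificates whose commonName is "GoAgent CA". The function names, the PEM export and the sample bundle are assumptions; the sample holds constructed name fragments, not real certificates.

```python
import base64
import re

CN_OID = b"\x06\x03\x55\x04\x03"          # DER encoding of OID 2.5.4.3 (commonName)
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}    # UTF8String, PrintableString, T61String, IA5String
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def common_names(der):
    """Return every commonName value (issuer and subject) found in DER bytes."""
    names, pos = [], der.find(CN_OID)
    while pos != -1:
        tag_at = pos + len(CN_OID)
        # Short-form lengths only (< 128 bytes), which covers ordinary CNs.
        if (tag_at + 2 <= len(der) and der[tag_at] in STRING_TAGS
                and der[tag_at + 1] < 0x80):
            start = tag_at + 2
            value = der[start:start + der[tag_at + 1]]
            names.append(value.decode("utf-8", "replace"))
        pos = der.find(CN_OID, pos + 1)
    return names


def find_suspect_certs(pem_bundle, suspect_cn="GoAgent CA"):
    """Return (index, names) for each certificate in the bundle naming suspect_cn."""
    hits = []
    for index, match in enumerate(PEM_RE.finditer(pem_bundle)):
        try:
            der = base64.b64decode(match.group(1))
        except ValueError:
            continue  # damaged PEM block: skip it rather than abort the scan
        names = common_names(der)
        if suspect_cn in names:
            hits.append((index, names))
    return hits


def _constructed_pem(cn):
    """Constructed sample: a DER name fragment wrapped as PEM, not a real certificate."""
    attr = CN_OID + bytes([0x0C, len(cn)]) + cn.encode()
    body = base64.encodebytes(b"\x30\x82\x01\x00" + attr * 2)  # issuer + subject
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _constructed_pem("Example Root CA") + _constructed_pem("GoAgent CA")

if __name__ == "__main__":
    for index, names in find_suspect_certs(SAMPLE_BUNDLE):
        print(f"certificate #{index}: commonName values {names}")
```

A name match cannot tell a certificate carrying the old fixed key from one generated by a fixed version, so treat a hit as a certificate to inspect and, if it is not wanted, remove from the trust store.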