Microsoft deems all DigiNotar certificates untrustworthy, releases updates

FYI!!!

http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html

Google and Mozilla have also updated their browsers to block all DigiNotar
certificates, while Apple has been silent on the issue, an emblematic zombie
response!

Cheers.

It would be really nice if the folk at Twitter would fix their images
servers (i.e. si*.twimg.com) to use a non-evil CA (i.e. not Comodo or
DigiNotar or Bubba Gump's Bait, Firearms & Crypto Verification). Not
that user pics are a great loss, but if you use
Tweetdeck/Seesmic/whatever, the constant SSL cert warnings from
dozens-to-hundreds of user pics are noisy.

This is trivial whining on my part but it is operational.

Apple has sent out a notification saying that they are removing
DigiNotar from their list of trusted root certs.

I like this response; instant CA death penalty seems to put the
incentives about where they need to be.

Marcus

Instant? This has been going on for over a week, and a lot of damage could have been done in that time, especially given certs for *.*.com were signed against DigiNotar. Most cell phones are unable to update their certificates without an upgrade and you know how long it takes to get them through cell phone carriers. A number of alternative Android builds are adding the ability to control accepted root certs to their builds in the interest of speeding this up. The CA system is fundamentally flawed.

Paul

Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all.

I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'.

Is it true that my browser on a Windows, Mac, or Linux desktop may have listed as trusted authorities, an outfit that sells '*.*.tld' ?

Thanks,

- Mike

The issue is that a trusted third party's (DigiNotar) trusted signing
certificate was stolen, allowing the holder to create and sign whatever
certificates he wished, which don't necessarily need to be wildcard certs
to be effective.

Certificate signers are not restricted to any domain hierarchy (a design
feature of x.509 pki), which means that *any* trusted stolen signing
certificate can wreak havoc on the trusted nature of x.509.

Even the hint that the claimed DigiNotar cracker has gotten her hands
on several other signing certificates may be significant motivation to find
a replacement for the existing x.509 based pki.

I wouldn't necessarily count them dead just yet; although their legit
customers must be very unhappy waking up one day to find their
legitimate working SSL certs suddenly unusable....

So DigiNotar lost their "browser trusted" root CA status. That
doesn't necessarily mean they will be unable to get other root CAs
to cross-sign CA certificates they will make in the future, for the
right price.

A cross-sign with CA:TRUE is just as good as being installed in
users' browser.

Given a private network and the need to monitor it in a private company[1], we generated a certificate like this for internal use signed by a company-internal trusted certificate authority.

Also, given the Subject Alternative Name extension, it is quite possible to generate a "godmode" certificate for gracefully redirecting proxied HTTPS requests to an "Access Denied" page or even a nefarious-purpose-logging machine.

-H.

[1] http://en.wikipedia.org/wiki/Lawful_interception

The root CAs have no technical limitation in regards to what kind
of certificates they can issue.
There is no inherent reason that technical limitations cannot be
imposed... there are mechanisms available to do this,
if the original CA certificates were issued with restrictions:
http://tools.ietf.org/html/rfc3280#section-4.2.1.11

Special limitations or "security warnings" can be raised by
individual browsers above and beyond the certificate validation rules.
I would be in favor of each root CA certificate being name
constrained to CNs of one TLD per CA certificate, so that root CA
orgs would need a separate CA cert and separate private key for each
TLD that CA is authorized to issue certificates in.
It would be useful if the name restriction would be extended further
to allow 2nd level wildcards to be prohibited such as "CN=*.com"
or "CN=*.*.com"

Browsers will honor "*" in hostname components of the CN field as
required by the RFCs.. however a "*.mydomain.tld" certificate
does not match www.mydomain.tld, "*.*.mydomain.tld" does.

Some CAs have partaken in problematic practices such as issuing SSL
certificates with RFC1918 IP addresses,
or "unofficial" TLDs in the CN or subject alternative names section.
see https://wiki.mozilla.org/CA:Problematic_Practices#Issuing_SSL_Certificates_for_Internal_Domains

If all the root CA certificates become name constrained, such
problematic practices should cease.
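
The dNSName subtree rule from the name-constraints section linked in the post above, together with the wildcard restriction the post proposes, as an added example that is not part of the original thread. The function names, the sample names and the two-fixed-label threshold are assumptions made for illustration.

```python
# Added illustration, not code from the thread. All certificate names below
# are constructed sample data.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, base):
    """dNSName rule: `name` matches if it is `base` with zero or more labels
    added on the left-hand side. Comparison is per label, not per substring."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def overbroad_wildcard(name, min_fixed_labels=2):
    """Policy check in the spirit of the post (threshold is an assumption):
    flag wildcard names such as '*.com' or '*.*.com' that leave fewer than
    `min_fixed_labels` concrete labels. Ignores multi-label public suffixes."""
    labels = _labels(name)
    fixed = [label for label in labels if "*" not in label]
    return len(fixed) < len(labels) and len(fixed) < min_fixed_labels

def name_violations(san_dns_names, permitted, excluded=()):
    """Return (name, reason) for every SAN dNSName the constrained CA must not sign."""
    out = []
    for name in san_dns_names:
        if overbroad_wildcard(name):
            out.append((name, "overbroad wildcard"))
        elif any(in_subtree(name, e) for e in excluded):
            out.append((name, "excluded subtree"))
        elif permitted and not any(in_subtree(name, p) for p in permitted):
            out.append((name, "outside permitted subtrees"))
    return out

# Constructed example: a CA certificate name-constrained to the .nl TLD.
SAMPLE_SANS = ["www.example.nl", "*.example.nl", "mail.example.com",
               "*.*.com", "*.nl", "intranet.gov.nl"]

if __name__ == "__main__":
    for name, reason in name_violations(SAMPLE_SANS, permitted=["nl"],
                                        excluded=["gov.nl"]):
        print(f"REJECT {name}: {reason}")
```

A relying party would run a check of this kind over every name in a leaf certificate for each constrained CA in the chain, and reject the chain if any name is returned.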

The problem here wasn't just that DigiNotar was compromised, but that they
didn't have an audit trail and attempted a coverup which resulted in real
harm to users. It will be difficult to re-gain the trust they lost.

Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers. It would also make the browser vendors question whether the
signing CA is worthy of their trust.

Damian

Damian Menscher wrote:

> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
> Damian

I'd be interested in hearing what you have to say about the hacker's claim at:

"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update!"

Thanks,

--Michael

> > > I like this response; instant CA death penalty seems to put the
> > > incentives about where they need to be.
> >
> > I wouldn't necessarily count them dead just yet; although their legit
> > customers must be very unhappy waking up one day to find their
> > legitimate working SSL certs suddenly unusable....
> >
> > So DigiNotar lost their "browser trusted" root CA status. That
> > doesn't necessarily mean they will
> > be unable to get other root CAs to cross-sign CA certificates they
> > will make in the future, for the right price.
> >
> > A cross-sign with CA:TRUE is just as good as being installed in
> > users' browser.
>
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.

Yep. The CA business is one of trust. If the CA is not trusted, they are out
of business.

Cb

Cameron Byrne <cb.list6@gmail.com> writes:

> Yep. The CA business is one of trust. If the CA is not trusted, they are out
> of business.

You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not trusted, the price increases.

Yes, they may end up out of business because of that price jump, but you
should not neglect the fact that trust is for sale here.

Bjørn

To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was in my list of CA certs in the first place.
Yes they're blackballed now, better late than never I suppose. What does
that say about the potential for other CAs to behave in such a fashion?

I'd say we have every reason to believe that something similar *will*
happen again :(

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

> > Because of that lost trust, any cross-signed cert would likely be revoked by
> > the browsers. It would also make the browser vendors question whether the
> > signing CA is worthy of their trust.
>
> To pop up the stack a bit it's the fact that an organization willing to
> behave in that fashion was in my list of CA certs in the first place.
> Yes they're blackballed now, better late than never I suppose. What does
> that say about the potential for other CAs to behave in such a fashion?

The average corporation much prefers to avoid the bad publicity and will
downplay most bad things. Your favorite CA probably included.

I think that it's hard to cope with SSL. It doesn't do the right things
for the right reasons. Many of us, for example, operate local root CA's
for signing of "internal" stuff; all our company gear trusts our local
root CA and lots of stuff has certs issued by it. In an ideal world,
this would mean that our gear talking to our gear is always secure, but
with other root CA's able to offer certs for our CN's, that isn't really
true. That's frustrating.

The reality is that - for the average user - SSL doesn't work well
unless about 99% of the CA's used by the general public are included
as "trusted." If a popular site like Blooble has a cert by DigiNotar
and the Firerox browser is constantly asking what to do, nothing really
good comes out of that ... either people think Firerox blows, or they
learn to click on the "ignore this" (or worse the "always trust this")
button. In about 0.0% of the cases do they actually understand the
underlying trust issues. So there's a great amount of pressure to
just make it magically work.

However, as the number of CA's accepted in most browsers increases,
the security of the system as a whole decreases dramatically. Yet
the market for $1000/year SSL certs is rather low, and the guys that
are charging bargain rates for low quality certs are perhaps doing
one good thing (enabling encryption) while simultaneously doing another
bad thing (destroying any "quality" in the system). SSL is going to
have these problems as long as we maintain the current model.

In the long run, I expect all the CA's to behave something like this -
especially the ones that have more to lose if they were to become
suddenly "untrustworthy."

... JG

I'm sure at least one of the other 250-odd certificates from 100-ish CA's
trusted by most browsers now are actually trustworthy. There is no evidence at
all that the average CA is any less trustworthy than the average DNS registrar.

However, this isn't as big a problem as one might think - the *only* thing that
an SSL cert gives you is "you reached the host your browser tried to reach". It
does *not* validate "the host you intended to reach", or "whether you should
trust this host with your data", or any of a long set of interesting security
issues. And that one question - "did you reach the host your browser tried
to reach" doesn't really mean much unless you have DNS and routing security
in place as well. After all, if the IP you get for www.my-bank.com is incorrect,
or the route has been hijacked, what the cert says is pretty meaningless.

Considering that we seem to muddle along just fine with a DNS that doesn't
really do DNSSEC yet(*), and a lot of black and grey hat registrars out there,
and no real BGP security either, maybe it isn't the "sky is falling" scenario
that a lot of people want to make it.

Or maybe we should all be even more worried. ;)

(*) Has anybody actually enabled "only accept DNSSEC-signed A records"
on an end user system and left it enabled for more than a day before
giving up in disgust? ;)

I am not engaging in speculation that DigiNotar plans to continue to
operate, they have already stated so much.
http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
"VASCO does not expect that the DigiNotar security incident will have
a significant impact on the company’s future revenue or business
plans."

So long as DigiNotar can show what they are required to show when they
would request re-signing, and another CA can legitimately cross-sign
their cert, following that CA's official correct certification
practices; it's unlikely to lead to the signer being revoked.

As far as we know, DigiNotar is not dead, it is just a really great
example showing how broken TLS security model is.
The trust model hard-coded into the protocol is much weaker than the
cryptography.

Since the browsers already approved that root CA's certification
practices. Particularly not if the cross-signer is one of the larger
CAs such as Thawte or Verisign --- the browser might as well remove
SSL support altogether, if they will perform a revocation that renders
40% of internet web server SSL certs invalid.

I think you are misinterpreting that statement -- I interpret it as meaning
VASCO will continue to exist, and possibly buy another root CA to continue
their business plans. (They had only recently acquired DigiNotar.)

Damian