[14306] in bugtraq
Certificate Validation Error in Netscape Browsers...
daemon@ATHENA.MIT.EDU (Dennis W. Mattison (Little Wolf))
Thu Mar 16 21:56:36 2000
Message-Id: <NDBBLOAKGLIKDKCJKIJIEEIGCAAA.mattison@webovision.com>
Date: Wed, 15 Mar 2000 17:43:32 -0800
Reply-To: "Dennis W. Mattison (Little Wolf)" <mattison@WEBOVISION.COM>
From: "Dennis W. Mattison (Little Wolf)" <mattison@WEBOVISION.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This may not be a normal "BugTraq" issue, since it is more a flaw in trust
in a security design than it is an actual bug in software...but
nonetheless I think it is something that should be discussed. I haven't
checked this with Microsoft IE, I just noticed it as being a flaw in
Netscape (submitted a bug report to them earlier but they are either
really busy or have chosen to ignore the report). Tested in browsers from
4.07 - 4.72, all of which operated in the same fashion.
What is the issue?
The scenario is that a user accesses a website whose certificate signer
they do not currently trust. They are asked whether they would like to
trust the server certificate (until it expires); if they respond yes, the
web site certificate will be stored in the certificate database. You can
check on these certificates by clicking on the Security icon in the
browser, then selecting the Website item from the menu. Once stored in the
database, any future access to this site is permitted without warning. The
error occurs when the stored web site certificate has expired and the site
now presents a new, valid certificate: Netscape never checks to see whether
the stored certificate has expired and been replaced with a new
certificate, and thus the user can continue to access the site without a
warning stating that the certificate is expired and that a new certificate
exists for the site (it apparently only checks to see if the new
certificate isn't expired). Manually verifying the old certificate in the
database will prove that the certificate is invalid. When the site is
reissued a certificate, Netscape automatically trusts the new certificate
based on the previous certificate...if the previous certificate is removed
from the database and the website is re-accessed, the standard warning
appears asking the user if they wish to trust the certificate. Since the
new certificate is cryptographically different from the old certificate,
no trust relationship should exist (only the signer is the same).
Netscape does not replace the old expired certificate with the new
certificate, and does not add the new certificate to the database. Nor
does it tell the user that the new certificate a site is sending does not
match a previous certificate.
Why is this a problem?
The problem is that there is an inherited trust between an expired
certificate and an active certificate, where there really shouldn't be.
If any trust should be there, it certainly shouldn't be with an expired
certificate. The idea here is that Netscape should complain about a site
which has a certificate different from what Netscape has in its database.
When you accept a certificate from a website whose signer you do not
already trust, you should be warned if that certificate is no longer valid
or when the server has been issued a new one. You are trusting that
certificate and its signer, not that site. If the site's certificate
changes, you should be warned about the change and asked if you still want
to trust the site. If a hacker manages to gain access to the key and the
certificate, and changes the key and the certificate, a warning may be the
only thing to protect you from that hacker becoming a man in the middle.
What should be the solution?
An option, in the browser, to allow the user to be warned the first time a
certificate changes on a webserver. If the previous certificate is
expired, and the current certificate on a site is different, the user
should be warned of the change, and asked whether they wish the new
certificate to replace the previous one. That way, paranoid users like
myself can be warned when a certificate changes, so that we can decide
whether the new certificate should be trusted. Of course, if I already
trust the certificate signer, then I shouldn't be prompted about the
certificate.
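The two decision rules at issue, as an added illustration that is not part of the original post: a toy trust-on-first-use store (certificates are a constructed dataclass, not real X.509; "shop.example" and "Example CA" are made-up names) comparing the inherited-trust behaviour the post describes with the fingerprint-comparison check it proposes.

```python
"""Toy site-certificate store (constructed model, not X.509) contrasting the
behaviour described in the post with the warning behaviour it proposes."""
from dataclasses import dataclass
from datetime import date
import hashlib

@dataclass(frozen=True)
class Cert:
    subject: str     # hostname the certificate was issued to
    issuer: str      # the signer ("CA")
    not_after: date  # expiry date
    pubkey: bytes    # constructed stand-in for the public key

    def fingerprint(self) -> str:
        # Hash over every field: a reissued cert with a new key or expiry
        # is cryptographically distinct from the old one.
        raw = f"{self.subject}|{self.issuer}|{self.not_after}|".encode() + self.pubkey
        return hashlib.sha256(raw).hexdigest()

    def expired(self, today: date) -> bool:
        return today > self.not_after

def inherited_trust_decision(store, trusted_signers, host, cert, today):
    """Behaviour the post describes: a stored cert for the host grants trust
    as long as the signer matches and the NEW cert is unexpired; the stored
    cert's own expiry and the changed key are never examined."""
    if cert.issuer in trusted_signers:
        return "trusted"
    old = store.get(host)
    if old is not None and old.issuer == cert.issuer and not cert.expired(today):
        return "trusted"  # trust inherited from an expired certificate
    return "prompt-new-site"

def proposed_decision(store, trusted_signers, host, cert, today):
    """Check the post asks for: compare by fingerprint, prompt on any change,
    and say whether the stored certificate has already expired."""
    if cert.issuer in trusted_signers:
        return "trusted"  # signer already trusted: no prompt needed
    if cert.expired(today):
        return "prompt-expired"
    old = store.get(host)
    if old is None:
        return "prompt-new-site"
    if old.fingerprint() == cert.fingerprint():
        return "trusted"
    return "prompt-changed-old-expired" if old.expired(today) else "prompt-changed"

# Constructed scenario: the old cert expired, the site now sends a new key.
TODAY = date(2000, 3, 15)
OLD = Cert("shop.example", "Example CA", date(2000, 1, 31), b"key-1")
NEW = Cert("shop.example", "Example CA", date(2001, 1, 31), b"key-2")

def run_scenario():
    store, signers = {"shop.example": OLD}, set()  # signer NOT trusted
    return (inherited_trust_decision(store, signers, "shop.example", NEW, TODAY),
            proposed_decision(store, signers, "shop.example", NEW, TODAY))
```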