[18302] in bugtraq
Re: "The End of SSL and SSH?"
daemon@ATHENA.MIT.EDU (Darren Reed)
Thu Dec 21 20:26:42 2000
Message-Id: <200012212159.IAA24192@caligula.anu.edu.au>
Date: Fri, 22 Dec 2000 08:59:05 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: mrex@sap-ag.de
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200012211520.QAA19665@hw1464.wdf.sap-ag.de> from Martin Rex at
"Dec 21, 0 04:20:03 pm"
In some mail from Martin Rex, sie said:
[...]
> (1) the significance of a secure key storage.
>
> SSL: All Web-Browsers that I know keep Root-CA certificates in software
> and it is quite possible for software to modify Root-CA certs
> or to add new Root-CA certs, which subverts the whole
> PKI trust model.
No, it just subverts the implementation whereby the browser doesn't
bother you if it can find a path back to a root-CA for an X.509 cert
associated with whatever cert it has been given.
For Netscape there is a builtin MIME type that cannot be disabled
which invokes the root CA installation code. 10:1 most people would
click "ok" to install a root CA if so prompted from a random web site.
Now that's without even doing anything nasty.
[...]
> SSL: Web-Browsers are shipped with >100 preconfigured CA certs
> these days. Most Browsers can be downloaded via the Internet,
> but many of the distributions are still not signed --
> how do you know they haven't been backdoored with additional
> Root-Certs?
How do you know there is any integrity at all in those preconfigured?
What's to say that 10 of them aren't controlled by some mafia? I'll
let the conspiracy theorists go to town on that note.
Darren
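
The concern in this thread, that root-CA certs held in software can be added or replaced without the user noticing, can be checked for by diffing the current trust store against a snapshot taken from a distribution that was verified out of band. The following is an added example, not part of the original message; the function names and the sample "certificates" (constructed placeholder bytes, not real X.509 data) are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprint of the DER bytes of every cert in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        # PEM bodies are line-wrapped base64; strip whitespace before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found

def diff_store(baseline_pem, current_pem):
    """Compare the current trust store with a trusted baseline snapshot.

    A newly installed root shows up under 'added'. A root that was
    replaced in place (same name, different key) shows up as one
    'removed' entry plus one 'added' entry, because the DER bytes change.
    """
    base, cur = fingerprints(baseline_pem), fingerprints(current_pem)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

def _pem(der):
    """Wrap raw bytes as a PEM block (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes standing in for DER certs.
ROOT_A = _pem(b"constructed-root-A" * 8)
ROOT_B = _pem(b"constructed-root-B" * 8)
ROOT_B_ALTERED = _pem(b"constructed-root-B-altered" * 8)
EXTRA_ROOT = _pem(b"constructed-extra-root" * 8)

BASELINE = ROOT_A + ROOT_B                      # snapshot as shipped
CURRENT = ROOT_B_ALTERED + EXTRA_ROOT + ROOT_A  # store as found later

if __name__ == "__main__":
    report = diff_store(BASELINE, CURRENT)
    for kind in ("added", "removed"):
        for fp in report[kind]:
            print(kind, fp)
```

The check is only as trustworthy as the baseline, which is the point both posters make about unsigned distributions: the snapshot has to come from a copy whose integrity was established some other way.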