On Wed, Sep 17, 2008 at 05:06:55PM -0700, Wan-Teh Chang wrote:
On Wed, Sep 17, 2008 at 4:52 PM, Eddy Nigg [EMAIL PROTECTED] wrote:
I've been banging my head against a wall here because of this FUD and
about misinformation which is absolutely incorrect. Sad, because there
are many FF users
Kyle,
Kyle Hamilton wrote:
There's another, more pressing issue:
If there are buffer overflows in ASN.1 parsing (there have been in at
the least OpenSSL and Microsoft's), anyone who can provide a
certificate that points to an AIA that ultimately wouldn't be trusted
could provide malicious
Eddy,
Eddy Nigg wrote:
Julien, can we assume that by trying to construct a valid chain up to a
trusted root - even by fetching intermediate CAs via the AIA CA Issuer
extension - doesn't present a risk we can not take? During this
discussion I've found that only a very minimal privacy
On 09/20/2008 02:45 AM, Julien R Pierre - Sun Microsystems:
We took care of such issues in our ASN.1 parsing years ago. It was a
large effort and many problems were found, and resolved in NSS 3.9, in
2004. Currently, we run test cases of millions of malformed certs from
NISCC against every
Kyle,
Kyle Hamilton wrote:
Mary and Mallory may not be the same control.
Mary has a site with a cert with AIA. Mallory can take control over
that location for the AIA, without Mary being able to do a thing to
stop it.
If Mallory was able to replace Mary's cert with a fake one, then they
On 09/20/2008 03:45 AM, Julien R Pierre - Sun Microsystems:
I'm only saying it's safe to try to decode anything you have in memory
within the application with one of the NSS ASN.1 decoders, and it
doesn't present a risk to the integrity risk of the rest of the process.
Thank you! This was my
On 09/20/2008 03:54 AM, Julien R Pierre - Sun Microsystems:
It's a little hard to see what Mallory is gaining from using an AIA that
they can't already get by other means.
And besides that, there are precedents with OCSP URI, to which any of
the mentioned scenarios would also apply. However
On 09/18/2008 07:22 AM, Nelson B Bolyard:
In the case of AIA cert fetching, we have a cert for which we have no
issuer cert. We cannot know that the the cert we are trying to validate
was signed by a real trusted CA.
But you trust the CA certificates the server send to you, do you?
Even if
On 09/18/2008 01:43 PM, Eddy Nigg:
Even if its issuer name matches that of
a known and trusted CA, it may be a cert crafted by an attacker
I wanted to add here, that if this were true, than this would apply for
any certificate, including server certs, CA certs and anything in the
path. I
On 9/17/2008 4:52 PM, Eddy Nigg wrote:
On 09/18/2008 02:05 AM, David E. Ross:
Note that this is not a unique situation. See bug #390835 at
https://bugzilla.mozilla.org/show_bug.cgi?id=390835. Unfortunately,
Internet Explorer (IE) works around this situation by searching the
Internet for
There's another, more pressing issue:
If there are buffer overflows in ASN.1 parsing (there have been in at
the least OpenSSL and Microsoft's), anyone who can provide a
certificate that points to an AIA that ultimately wouldn't be trusted
could provide malicious data that could compromise the
On 09/18/2008 09:48 PM, Kyle Hamilton:
There's another, more pressing issue:
If there are buffer overflows in ASN.1 parsing (there have been in at
the least OpenSSL and Microsoft's), anyone who can provide a
certificate that points to an AIA that ultimately wouldn't be trusted
could provide
Eddy Nigg wrote, On 2008-09-18 03:43:
On 09/18/2008 07:22 AM, Nelson B Bolyard:
In the case of AIA cert fetching, we have a cert for which we have no
issuer cert. We cannot know that the the cert we are trying to validate
was signed by a real trusted CA.
But you trust the CA certificates
Kyle Hamilton wrote, On 2008-09-18 11:48:
There's another, more pressing issue:
If there are buffer overflows in ASN.1 parsing (there have been in at
the least OpenSSL and Microsoft's), anyone who can provide a
certificate that points to an AIA that ultimately wouldn't be trusted
could
On 09/18/2008 10:29 PM, Nelson B Bolyard:
After verifying that the signatures are valid in the chain, all the
way to a trusted root, then yes.
And what exactly prevents you from verifying the signatures of the
received chain (by whatever means you constructed the chain) all the way
to a
Attack scenario is an information-leakage vulnerability.
Client Alice connects to server Mary. Mary sends a certificate with
an AIA, no chain.
Mary happens to be a honeypot.
Alice looks up AIA, makes connection to Mallory to retrieve the certificate.
Mallory is looking for people who are
On 09/18/2008 11:50 PM, Kyle Hamilton:
Client Alice connects to server Mary. Mary sends a certificate with
an AIA, no chain.
Cute :-)
Mary happens to be a honeypot.
Alice looks up AIA, makes connection to Mallory to retrieve the certificate.
Mallory is looking for people who are looking
Mary and Mallory may not be the same control.
Mary has a site with a cert with AIA. Mallory can take control over
that location for the AIA, without Mary being able to do a thing to
stop it.
-Kyle H
On Thu, Sep 18, 2008 at 2:02 PM, Eddy Nigg [EMAIL PROTECTED] wrote:
On 09/18/2008 11:50 PM,
On 09/17/2008 09:01 PM, Nelson Bolyard:
I wouldn't call it a known issue with Mozilla based products.
It's a requirement of the SSL/TLS specifications.
That's correct.
It's an issue with servers that are not configured to conform to those
specifications.
Right, but as I mentioned elsewhere,
Yes, that's the right solution.
It was, indeed.
Testing it with other browser worked flawlessly, thus the misunderstanding.
Thank you very much,
--
Fabio
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
Perhaps, Eddy, StartCom's roots were only approved for SSL Certificate
Authority. Did you not include a request for Email or Software
Development bits?
-Kyle H
On Wed, Sep 17, 2008 at 11:11 AM, Eddy Nigg [EMAIL PROTECTED] wrote:
On 09/17/2008 09:01 PM, Nelson Bolyard:
I wouldn't call it a
On Wed, Sep 17, 2008 at 4:52 PM, Eddy Nigg [EMAIL PROTECTED] wrote:
I've been banging my head against a wall here because of this FUD and
about misinformation which is absolutely incorrect. Sad, because there
are many FF users running into it. And it doesn't help to ignore the
fact that web
On 09/18/2008 03:06 AM, Wan-Teh Chang:
It would be nice to contribute a patch for Apache/mod_ssl to validate
its own certificate chain at startup.
Perhaps then you should also offer a patch for IIS ;-)
Ironic as it may sound, but as a matter of fact, Windows servers serve
more secured web
Eddy Nigg wrote, On 2008-09-17 16:52:
There is absolutely no security issue at all with following the AIA CA
Issuer extension, otherwise FF could not use the same extension to find
the OCSP responder URL either. Nevertheless NSS does exactly that...uses
the OCSP URL listed in the AIA
This might be helpful for you:
http://www.mozilla.org/projects/security/certs/
I'm writing to kindly ask you to consider to insert the Cybertrust
Educational certificate in the list of the trusted
certificate authorities.
___
dev-tech-crypto mailing
Fabio Spelta wrote, On 2008-09-16 07:12:
I'm writing to kindly ask you to consider to insert the Cybertrust
Educational certificate in the list of the trusted certificate authorities.
Fabio,
Mozilla doesn't add any CA certificates to Firefox unless and until the
CA itself requests the
On 09/16/2008 05:12 PM, Fabio Spelta:
Hello everybody and thanks for reading.
Many educational institutions, among which there are various Italian
universities, are using X.509 certificates issued by the Cybertrust
Educational CA for their websites.
In Italy such certificates are obtained
On Tue, Sep 16, 2008 at 11:46 AM, Eddy Nigg [EMAIL PROTECTED] wrote:
By having a look at [GTE CyberTrust Global Root] I realized that the purposes
of the
certificate show in in Firefox for:
SSL Server Certificate
Email Signer Certificate
Email Recipient Certificate
SSL Certificate
On 09/17/2008 12:03 AM, Wan-Teh Chang:
On Tue, Sep 16, 2008 at 11:46 AM, Eddy Nigg[EMAIL PROTECTED] wrote:
By having a look at [GTE CyberTrust Global Root] I realized that the
purposes of the
certificate show in in Firefox for:
SSL Server Certificate
Email Signer Certificate
Email
29 matches
Mail list logo