On Sep 10, 2011, at 1:46 PM, Ian G wrote: >> Today CA compromise isn't even a, let alone the most, common way of >> "exploiting" the blanket trust of all CAs involved in the PKI infrastructure. > > Is the current attack an exploit? Or is it a direct attack on the > infrastructure?
That's what I meant with the quotes. I was using exploit in the english not infosec sense of the word, the browser's trust in all CAs equally is what is being exploited. :) >> The two most common methods are: >> 1) MITM where the attacker controls the victim's network connection to some >> extent and redirects them to or proxies them through a different server. > > Do you have any numbers on that? I thought this was relatively rare. No numbers, and it is rare. There's a huge disproportionate leap from phishing to *anything* else. As an example, look at all the fun that was had at defcon this year. It's a real vs imagined or theoretical vector for selected targets and determined attackers. Especially in the "prying government eyes" case that's come up in several of these threads. >> 2) Phishing using a similar-looking domain name. > > Yes. That's the big one in this space. Afaik. > >> In case 1 any type of pinning that is not hardcoded in the software, > > Sorry, please explain? Are you assuming that the user's machine / browser is > compromised? If that is the case, isn't hard-coding just obfuscation? If you're in a position to successfully MITM there's a good chance you can take control of their DNS responses as well. Meaning pinning via DNS/etc would actually make the method *easier* to take advantage of and more common since you no longer need to hijack before the encrypted session and redirect elsewhere or compromise a specific cert beforehand, etc. This of course depends on exactly how the pinning is done. Is it tied to a specific cert fingerprint? A specific CA fingerprint? Bringing us back to it all being about the details, which was my original point. -- Douglas Huff
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
