Hi,

>> http://www.meleeisland.de/issuer_ca_on_eff.csv
>
> Oh, now it makes sense, those are mostly router certs (and various other certs
> from vendors who create broken certs like the Plesk ones). You won't just

Hm. I agree that many are router certs, certainly those with brand names of networking equipment in the CN, but mostly? For example, are the 550,000+ ones with "CN=localhost.localdomain" also router certs?

I guess the only way would be to rescan them and get the HTML they deliver. I did that, BTW, for about 60k certs with "Plesk" as CN. Mostly, the sites redirected to port 80, but in about a quarter of cases we found the typical Plesk portal sites. Given that you can google the default password, this seems a weak configuration. We'll report on that in our upcoming IMC paper, too [1].

> find them in Korea, they're everywhere, in vast numbers, but (at least for the
> router certs) they're usually only visible from the LAN interface.

It would certainly explain why they show up so often in the EFF scan, but not in our scan of the Top 1M (EFF: 13%, ours: 3%). But, even in the Top 1M, we get about 30k such certs, and they are not router certs.

> So all you need to do is warkit a router via one of a seemingly endless series
> of vulns that SOHO routers have and you've got a trusted root cert that can
> MITM all traffic through it.

That would be very bad, truly. I am wondering if we can't get our hands on such a router and do a proof-of-concept. Anyone in?

[1] http://conferences.sigcomm.org/imc/2011/program.htm

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
