This description by Jeremi Gosney about how he cracked CloudFlare's challenge
makes grabbing a private key sound much easier than thought:

https://gist.github.com/epixoip/10570627

I admit I don't 100.0% follow the approach, but it hinges on looking for the 
actual p and q prime factors in memory, rather than something that looks 
"key-like" in PEM format or whatever.

hat tip Harry Garrood: https://twitter.com/hdgarrood/status/455487235199344640

-- Eric

On Saturday, April 12, 2014 5:57:27 PM UTC-4, Peter Eckersley wrote:
> Florian, there's something about legal rules that is often quite
> unintuitive to those of us with technical backgrounds: lawyers don't
> necessarily expect them to be followed exhaustively all of the time.  At
> least in common law countries (.us, .uk, .ca, .au, .il, and many more),
> legal rules exist most profoundly to resolve disputes between people who
> cannot resolve their dispute by less formal means.
>
> As a legal instrument, the Baseline Requirements should be understood in
> the same tradition.  They exist as operational guidelines, and as a
> fallback mechanism if there is an unresolved dispute with a CA.  The
> Cloudflare Challenge is a pretty unusual case that probably wasn't
> anticipated by whoever drafted the BRs and the Comodo CPS.  But if there's
> nobody who has a security problem because of the Cloudflare Challenge, why
> on earth would the cert be revoked?
>
> Putting it another way, given that the Cloudflare Challenge is good for
> Internet security (it's giving us better information about what the
> blackhats can and can't do), why would you try to make Comodo revoke it?
>
> On 12 April 2014 05:42, Florian Weimer wrote:
>
> > * Jürgen Brauckmann:
> >
> > > Cloudflare set up a challenge with nginx on Ubuntu. Seems some
> > > people succeeded in extracting the server's private key:
> > >
> > > https://www.cloudflarechallenge.com/heartbleed
> >
> > FWIW, I've asked Comodo to revoke the Cloudflare certificate due to
> > this compromise.  The challenge itself is probably against the
> > subscriber agreement, but that is an internal matter between
> > Cloudflare and Comodo.
> >
> > On the other hand, I do think that a rule that requires CAs to revoke
> > keys against the subscriber's will can be problematic.  But
> > nevertheless, it's a rule, and we'll see if all those costly audits
> > are good at ensuring that CAs follow it.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy