[linuxkernelnewbies] Untrusted Certificates

Tue, 13 Jan 2009 23:26:24 -0800

https://blog.startcom.org/?p=145

Untrusted Certificates


In a previous article I reported about Man-In-The-Middle (MITM) attacks and if they really happen. Unfortunately it does happen as some testimonials confirm. Now it’s even easier because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and fully trusted certificate? No problem, just head over to one of Comodo’s resellers.

In an unrelated event which was briefly mentioned at the dev.tech.crypto mailing list of Mozilla, something strange happened. During my attempt to verify and understand who stands behind the sending of fraudulent “reminder” email messages tricking our customers, I created a certificate from the source I was following. And my certificate was issued without any further questions.

This prompted me to create another certificate through them, but this time by using a domain name which should never be issued to me. For the purpose of testing, I selected the domain mozilla.com (I’m certain they will forgive me). Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing.

With the understanding about MITM attacks, the severity of this practice is obvious. No encryption is worth anything if an attacker can implant himself between the client and the server. With a completely legitimate and trusted certificate, the attack is perfect. No warning and no error.

And here the disclosure:

Mozilla’s new home page Certificate Details More Certificate Details

Please see update. In order to confirm for yourself, edit the hosts file at your computer and add the following entry:

192.116.242.23    www.mozilla.com
192.116.242.23    mozilla.com

On Linux and Mac that would be in /etc/hosts, for Windows it’s most likely in C:\Windows\System32\drivers\etc\hosts. Navigate with your browser to https://www.mozilla.com/ and enjoy Mozilla’s new home page. Don’t forget to delete the entry in the hosts file once you are done.

Needless to say that I’m deeply disappointed and can only ask myself - how and why is this possible? This proves clearly non-conformance of the Mozilla CA Policy and that of other browser vendors. This isn’t a bug or flaw in their system, this is simply pissing on all of us - browser vendors, subscribers, relying parties and the Internet at large. See the detailed walk-through here.


Reply via email to