> David Schwartz wrote:
>
> >>Dr. Stephen Henson wrote:
> >
> >>A determined and knowledgeable attacker can subvert anything that's
> >>not in hardware.
> >
> > I think this is a very strange thing to say. If he has access to the
> > hardware, he can subvert it too. If he doesn't have access to
> > the hardware,
> > how can he subvert the software?

> Software is exploited or subverted all of the time without access
> to the physical hardware. You don't even need a shell account on
> the system if there's a remote exploit.

Hardware can likewise be exploited without physical access.

> Most, but not all, hardware can be compromised if you have
> physical access. Hardened equipment is not cheap.

Any mechanism that can compromise one can compromise the other. Both
hardware and software are really combinations of both.

> >>Pulling a cert from a server isn't that much
> >>harder to break given that it's trivial to set up a local DNS
> >>server that will redirect queries to the attacker's own server.
> >
> > So sign the cert. No hardware needed.

> How do you verify it's ultimately signed by the right certificate?
> You need to get the root certificate from somewhere.

And hardware solves this?!

> >>(Or to simply use the same editor to replace your URL with their
> >>own.)
> >
> > Sure, if you have access to the software. If you have access to any
> > security scheme, you can simply disable the scheme.

> The original context was Dr. Henson's well-grounded observation
> that anyone with a hex editor could easily change an embedded
> certificate. Once you have access to the software then anything
> in it, or its environment, can be changed at will.

Who cares? Anyone who can modify the software is the person the software
is supposed to serve. If they want to compromise their own security, let
them.

> > If you have that level of control over the process, you can make the
> > process do anything you want, but you could just do what you
> > wanted anyway
> > with that level of control over the system. So what do you need
> > the process
> > for?
> >
> > If someone wants to alter the certificate that secures
> > their own machine,
> > why should I care? You can certainly break things that you are allowed
> > access to.

> Reread what you just wrote - what if the certificate is used to
> verify credentials provided by others to gain access?

Then anyone who can modify the software can control which others gain
access. That sounds right to me.

> (BTW don't
> assume it's only protecting a machine. Maybe this is part of an
> application that controls access to extremely expensive or
> sensitive material.)

If you have control over the process that controls access to the material,
you control the material.

> Give me the ability to reset the root
> certificate and I have an unlimited pass throughout your system.
> Potentially worse I can deny access to your legitimate users.

Right, that's why I wouldn't give you that ability. I can't possibly
comprehend this hypothetical. We're assuming a person has access to the
process that controls access to the system but we're not assuming he
controls access to the system? That makes no sense.

> Another example of a certificate as a credential - license keys.
> Maybe we're talking about software that normally sells for $10k,
> but also has a $100 student version with limited functionality.
> Same software, but I think most of us can see how the company will
> make a distinction between the guy who paid nothing, the student
> who got an educational version, and the company that bought a full
> license.

Say the code that provides the advanced functionality is encrypted and
their license allows them to decrypt it. If they don't have a license, they
can't decrypt the code no matter what; changing things in the software
won't help them.

If you don't want someone to get to some information, you encrypt it and
don't give them the key. Now they can't get to it (whether they use
hardware or software, no matter, they can't get to it).

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
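The licensing scheme DS sketches at the end of the message, written out as an added example (this is not code from the original post or from OpenSSL). One build ships to everyone; the advanced feature travels only as ciphertext, keyed from the license secret. The license secrets, product salt, feature source and the HMAC-SHA256 counter-mode cipher are all constructed for the example, chosen so it runs on the standard library alone (a real product would use AES-GCM or similar). It shows three users of the same binary: the full licensee decrypts and runs the feature, the student's secret derives a different key so the MAC check refuses the blob before anything is exec()ed, and a user who hex-edits the "licensed" flag to true gets nothing because flipping a flag produces no key. The caveat a practitioner would add: the full licensee necessarily holds the key, so nothing stops that person dumping the decrypted code and passing it on; the scheme distinguishes licensed from unlicensed copies, which is all DS claims for it, and is exactly as strong as the secrecy of the key.

```python
import hashlib
import hmac
import secrets

# The gated "advanced functionality": Python source the licensed build
# decrypts and exec()s. Constructed for this example.
ADVANCED_FEATURE_SOURCE = "def advanced(x):\n    return x * 42\n"

KDF_ITERATIONS = 100_000


def derive_key(license_secret: bytes, salt: bytes) -> bytes:
    """Stretch the license secret into 32 bytes of cipher key + 32 bytes of MAC key."""
    return hashlib.pbkdf2_hmac("sha256", license_secret, salt, KDF_ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative; stdlib-only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_feature(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_feature(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong license secret gives a wrong MAC key and fails here."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong license key or tampered feature blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Product:
    """One build shipped to every customer; the feature is present only as ciphertext."""

    def __init__(self, salt: bytes, encrypted_feature: bytes):
        self.salt = salt
        self.encrypted_feature = encrypted_feature
        self.licensed = False      # the kind of flag a hex editor can flip
        self._advanced = None      # filled only by a successful decrypt

    def unlock(self, license_secret: bytes) -> None:
        key = derive_key(license_secret, self.salt)
        source = decrypt_feature(key, self.encrypted_feature).decode()  # raises on wrong key
        namespace = {}
        exec(source, namespace)
        self._advanced = namespace["advanced"]
        self.licensed = True

    def run_advanced(self, x: int) -> int:
        if not self.licensed:
            raise PermissionError("advanced features require a full license")
        if self._advanced is None:
            # Only reachable when the flag was patched: nothing was ever decrypted.
            raise RuntimeError("license flag is set but the feature code is still encrypted")
        return self._advanced(x)


def build_product(full_license_secret: bytes) -> Product:
    salt = b"example-product-salt"   # per-product salt, constructed
    key = derive_key(full_license_secret, salt)
    return Product(salt, encrypt_feature(key, ADVANCED_FEATURE_SOURCE.encode()))


def run_scenarios() -> dict:
    """Full licensee, student, and flag-patcher, all running the same shipped blob."""
    full_secret = b"FULL-LICENSE-example-secret"        # constructed
    student_secret = b"STUDENT-LICENSE-example-secret"  # constructed; derives a different key
    results = {}

    product = build_product(full_secret)
    product.unlock(full_secret)
    results["full_license"] = product.run_advanced(2)

    student = Product(product.salt, product.encrypted_feature)   # same binary
    try:
        student.unlock(student_secret)
        results["student_license"] = "unlocked"
    except ValueError:
        results["student_license"] = "decrypt refused"

    patched = Product(product.salt, product.encrypted_feature)   # same binary
    patched.licensed = True   # simulate editing the license check out of the binary
    try:
        results["patched_flag"] = patched.run_advanced(2)
    except RuntimeError:
        results["patched_flag"] = "flag set, code still encrypted"
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The order of operations in decrypt_feature matters: the tag is verified before any keystream is applied, so a wrong secret or a byte-flipped blob is rejected rather than turned into garbage that exec() would then run.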