Any TLS server key compromises?

2004-08-13 Thread Marc Branchaud
I've been wondering, has a TLS server (or client, for that matter) key 
ever actually been compromised?  I don't think I've ever heard of one.

I'm thinking of two possible avenues for compromise, and ignoring 
insider attacks.  One is through defects in the protocol itself or its 
implementation.  The other would be through a compromise of the server 
host (e.g. a buffer overflow in Apache) that allows the attacker to copy 
the TLS server's private key from the file system.

It seems to me that in-the-wild attacks on the protocol or its 
implementation are unheard of.

OTOH, we hear about server break-ins all the time.  However, one never 
hears about these break-ins leading to a compromise of the server's key.

Perhaps the server's private key isn't a really useful target?  Although 
possession of the key makes it easy to spoof a secure server, actually 
doing that spoofing requires a secondary attack, like phishing or an 
active attack on the Internet, to redirect a user to the false server.

So have there ever been any actual TLS private key compromises (through 
any non-insider attack)?

If TLS private keys aren't attractive enough a target for them to be 
compromised even when the opportunity presents itself (as I'm assuming 
it has), then to what extent do these keys really need to be protected?

		M.




Re: Mozilla tool to self-verify HTTPS site

2003-06-30 Thread Marc Branchaud
Ian Grigg wrote:
> Tying the certificate into the core crypto protocol seems to be a
> poor design choice;  outsourcing any certification to a higher layer
> seems to work much better out in the field.

I'll reserve judgement about the significance of SSLBar, but I couldn't 
agree more with the above point.  The only way to use non-X.509 certs 
with TLS 1.0 is by rather clunkily extending the ciphersuites to also 
identify some kind of certificate type.

IMO, this fact has significantly contributed to the lack of adoption of 
PGP, SPKI, and alternative PKIs on the Internet.

TLS's new extension mechanism can help address this (see 
draft-ietf-tls-openpgp-keys), but it'll be a while before extension 
support is common.

		M.

-
The Cryptography Mailing List