On Mon, 6 Jun 2016 13:52:57 -0400 (EDT) Paul Wouters <[email protected]> wrote:
> On Mon, 6 Jun 2016, Andrew Ayer wrote:
>
> > This enables the following attack:
> >
> > 1. A CA issues a legitimate certificate for www1.example.com and
> > logs a pre-certificate for ?.example.com. A monitor for
> > example.com knows the pre-certificate is legitimate because it
> > matches a known certificate for www1.example.com.
> >
> > 2. The CA misbehaves and issues an unauthorized certificate for
> > www2.example.com which, except for the DNS name, has exactly the
> > same details (including serial number and public key) as the
> > certificate for www1.example.com. The CA does not log a
> > certificate or pre-certificate.
> >
> > 3. An attacker serves the rogue certificate for www2.example.com
> > along with the SCT for the ?.example.com pre-certificate. TLS
> > clients accept it because the TBSCertificate that is reconstructed
> > from the certificate matches the TBSCertificate of the
> > pre-certificate. Monitors have no idea that there is a rogue
> > certificate for www2.example.com.
>
> That means the attacker has the private key?

Yes, but that only limits the attack, it does not eliminate it. It means
that if the attacker gets the private key for one host, they can (with
CA collusion) pivot to attacking other hosts whose names match the same
redaction pattern.

> I guess when the second certificate would be logged, this would show
> up as mis-issued, and possibly both certificates would get revoked?

The second certificate would never be logged. The way that logging is
enforced is that clients reject certificates that aren't accompanied by
a valid SCT. But since an SCT for the first certificate's
pre-certificate can be used to prove that the second certificate was
logged, clients can be tricked into accepting the second certificate
even if it was never logged.

That's basically the crux of the problem - with name redaction, SCTs do
not prove that a certificate was logged, they only prove that some
pre-certificate matching the name-redacted pattern was logged.
I argue that for monitoring to be useful, SCTs need to prove that a
pre-certificate matching the exact name was logged.

Regards,
Andrew

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
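The following toy model is an added illustration of the attack and of the fix Andrew argues for; it is not code from this thread, from RFC 6962 or from any CT log or client implementation. The log's signature over the pre-certificate is stood in for by an HMAC under a constructed key, the TBSCertificate is a small dict rather than DER, and the redaction rule (replace the leftmost labels with "?", generalised here to any number of labels) follows the "?.example.com" form used in the thread. Host names, serial number and key identifiers are constructed for the example.

```python
"""Toy model of CT name redaction versus exact-name logging.

Added example, not from the mailing-list thread or any CT implementation.
A log's SCT signature is simulated with an HMAC; TBSCertificate is a dict.
"""
import hashlib
import hmac
import json

LOG_KEY = b"constructed-log-signing-key"  # stand-in for a log's private key


def make_tbs(dns_name: str, serial: int, pubkey: str) -> dict:
    """Stand-in TBSCertificate: the fields the rogue certificate in the
    thread shares with the legitimate one (serial, key), plus the name."""
    return {"dnsName": dns_name, "serial": serial, "pubkey": pubkey}


def redact_name(dns_name: str, n_labels: int) -> str:
    """Replace the leftmost n_labels labels with '?' (so 'www1.example.com'
    with n_labels=1 becomes '?.example.com')."""
    labels = dns_name.split(".")
    return ".".join(["?"] * n_labels + labels[n_labels:])


def precert_tbs(tbs: dict, redact_labels: int) -> dict:
    """What gets logged: the TBSCertificate with the name redacted
    (redact_labels == 0 models exact-name logging)."""
    pre = dict(tbs)
    if redact_labels:
        pre["dnsName"] = redact_name(tbs["dnsName"], redact_labels)
    return pre


def canonical(tbs: dict) -> bytes:
    return json.dumps(tbs, sort_keys=True).encode()


def log_precert(pre: dict, monitor_view: list) -> bytes:
    """The log 'signs' the pre-certificate and publishes it; a monitor for
    example.com sees exactly the names that were logged, nothing more."""
    monitor_view.append(pre["dnsName"])
    return hmac.new(LOG_KEY, canonical(pre), hashlib.sha256).digest()


def client_accepts(tbs: dict, sct: bytes, redact_labels: int) -> bool:
    """TLS client check: rebuild the pre-certificate from the served
    certificate (redacting if policy allows it) and verify the SCT."""
    reconstructed = precert_tbs(tbs, redact_labels)
    expected = hmac.new(LOG_KEY, canonical(reconstructed), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct)


def run_attack(redact_labels: int) -> dict:
    """Steps 1-3 from the thread under a given redaction policy."""
    monitor_view: list = []
    # Step 1: legitimate cert for www1, pre-certificate logged.
    legit = make_tbs("www1.example.com", serial=4242, pubkey="PK-www1")
    sct = log_precert(precert_tbs(legit, redact_labels), monitor_view)
    # Step 2: colluding CA issues www2 with the same serial and key, unlogged.
    rogue = make_tbs("www2.example.com", serial=4242, pubkey="PK-www1")
    # Step 3: attacker serves the rogue cert with www1's SCT.
    return {
        "legit_accepted": client_accepts(legit, sct, redact_labels),
        "rogue_accepted": client_accepts(rogue, sct, redact_labels),
        "monitor_sees_www2": "www2.example.com" in monitor_view,
        "monitor_view": monitor_view,
    }


if __name__ == "__main__":
    print("redacted  :", run_attack(redact_labels=1))
    print("exact name:", run_attack(redact_labels=0))
```

With one redacted label, the rogue www2 certificate verifies against the SCT issued for www1's pre-certificate and the monitor's view contains only "?.example.com"; with exact-name logging the same SCT fails for www2, which is the property the message above asks for.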
