Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Phillip Hallam-Baker <hallam@gmail.com> Thu, 02 January 2014 20:25 UTC

In-Reply-To: <52C5B67D.4050301@appelbaum.net>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net>
Date: Thu, 02 Jan 2014 15:25:04 -0500
Message-ID: <CAMm+LwjMGOTueS_hu+xPTtXkjfEXqUbPeGR=WYP+t48CJdn_3w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On Thu, Jan 2, 2014 at 1:57 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote:

> Paul Hoffman:
> > On Jan 1, 2014, at 10:22 AM, Jacob Appelbaum <jacob@appelbaum.net>
> > wrote:
> >
> >> I do control the private key for the aforementioned intermediate
> >> certificate[0] authority. :)
> >
> > No, you really do not.
>


> Unless one explicitly distrusts (all) MD5 signed certificates, pre-loads
> our certificate to mark it as untrusted, or a few other things relating
> to time constraints - it will probably still work for MITM attacks. Many
> applications fail to do proper constraint checking.


Anyone who trusts MD5 for signing any form of keying material is vulnerable
to this type of attack. It does not matter whether there is a CA involved
or not or the number of sub CAs. A variation of the attack could be
performed on PGP or DNSSEC.

The fix here is to disable MD5 completely in the browser or for CAs not to
use MD5 in any certificate. The industry has chosen to do the second since
we can't actually recall legacy browsers. However, Microsoft's recent
decision to end-of-life SHA-1 will have the effect of rendering most of the
legacy browsers unusable in any case.
> Please don't overstate the results of
> > the excellent research that you did; doing so diminishes the
> > research.
>
> I'm not overstating anything. I think you don't understand what we
> actually did if you think that later, patching things will somehow
> magically stop previously successful attacks...
>

You are confusing people by using a valid attack against the algorithm to
argue against the trust model. PKIX is designed on the assumption that the
digest algorithm chosen is secure against a second preimage attack.

We have a lot of security issues to deal with right now and we want to make
sure we are paying attention to the ones that matter most. This is really
not helping.

-- 
Website: http://hallambaker.com/
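The client-side half of the fix discussed above (refuse any chain that relies on an MD5 signature, and, given the SHA-1 deprecation also mentioned, optionally SHA-1 as well), written out as an added example. This is illustrative code for this page, not code from the thread, from any browser, or from any CA. It walks only the outer DER layers of each X.509 certificate (RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) to read the AlgorithmIdentifier OIDs, so it needs no full X.509 parser; it also checks that the outer algorithm matches the `signature` field inside tbsCertificate, as RFC 5280 section 4.1.1.2 requires. The sample chain at the bottom is constructed for the demonstration (placeholder tbsCertificate and signature bytes, with an MD5-signed intermediate), not a real certificate, and the function names are this example's own.

```python
"""Reject X.509 chains that depend on an MD5 (or, optionally, SHA-1) signature.

Added example for this page; not code from the mailing-list thread. The
certificates used below are constructed test vectors, not real certificates.
"""

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it).
    Single-byte tags suffice for the certificate's outer layers."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(content):
    """Decode OID content octets (X.690 8.19) to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(alg_content):
    """First element of an AlgorithmIdentifier SEQUENCE is the algorithm OID."""
    tag, oid, _ = _read_tlv(alg_content, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (outer_oid, inner_oid): the outer signatureAlgorithm and the
    'signature' field inside tbsCertificate. RFC 5280 4.1.1.2 requires equality."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, pos = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg, _ = _read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    outer = _algorithm_oid(alg)
    # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, _, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    tag, alg, _ = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate.signature is not a SEQUENCE")
    return outer, _algorithm_oid(alg)


def classify_chain(chain_der, allow_sha1=False):
    """Classify every certificate (leaf first) as (index, name, verdict) with
    verdict 'accept', 'reject' or 'unknown'. Every certificate is checked, not
    just the leaf: an MD5-signed intermediate is exactly the case that matters.
    Unknown algorithms fail closed."""
    results = []
    for i, der in enumerate(chain_der):
        outer, inner = signature_algorithms(der)
        if outer != inner:
            results.append((i, "%s != %s" % (outer, inner), "reject"))
        elif outer in WEAK_SIG_OIDS:
            name = WEAK_SIG_OIDS[outer]
            ok = allow_sha1 and "sha1" in name.lower()
            results.append((i, name, "accept" if ok else "reject"))
        elif outer in STRONG_SIG_OIDS:
            results.append((i, STRONG_SIG_OIDS[outer], "accept"))
        else:
            results.append((i, outer, "unknown"))
    return results


def chain_is_acceptable(chain_der, allow_sha1=False):
    return all(v == "accept" for _, _, v in classify_chain(chain_der, allow_sha1))


# ---- constructed test vectors (not real certificates) ----------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return body


def make_sample_certificate(sig_oid, tbs_sig_oid=None):
    """Minimal DER blob with the outer Certificate layout; tbsCertificate and
    signature bytes are placeholders (hypothetical, for this example only)."""
    inner = _tlv(0x30, _tlv(0x06, _encode_oid(tbs_sig_oid or sig_oid)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + inner)
    outer = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + bytes(32))
    return _tlv(0x30, tbs + outer + sig)


SAMPLE_CHAIN = [
    make_sample_certificate("1.2.840.113549.1.1.11"),  # leaf: sha256WithRSA
    make_sample_certificate("1.2.840.113549.1.1.4"),   # intermediate: md5WithRSA
    make_sample_certificate("1.2.840.113549.1.1.11"),  # root: sha256WithRSA
]

if __name__ == "__main__":
    for idx, name, verdict in classify_chain(SAMPLE_CHAIN):
        print(idx, name, verdict)
    print("chain acceptable:", chain_is_acceptable(SAMPLE_CHAIN))
```

Two design points worth noting: the policy is applied to every certificate in the chain rather than to the leaf alone, since a chain with a strong leaf signature and an MD5-signed intermediate is no better than an MD5-signed leaf; and any algorithm the code does not recognise is reported as `unknown` rather than accepted, so adding a new algorithm requires an explicit decision.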