Re: [TLS] Proposal for detecting fraudulent certificates

Max Pritikin <> Mon, 26 September 2011 16:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D6C81F0C41 for <>; Mon, 26 Sep 2011 09:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tlu1UI4oGqdH for <>; Mon, 26 Sep 2011 09:30:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6CF211F0C3C for <>; Mon, 26 Sep 2011 09:30:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3449; q=dns/txt; s=iport; t=1317054770; x=1318264370; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=P06aXEC6Dc6zAPzBBxzoaojeojJTFBSxdctBbngRMME=; b=fh6sXKzwTfw0m2VHJw898duZSQ847iGMfkjtLbJSfcykeucsgdAEaZh+ /t/23i89ls2Go7MPD94Ttg1E67ndntoktQINeiEY6UfiihxRnE1sA5PKN JJmyvgbw1KTH7gZWMSLYYnrHPcXBO4TnjZIYEVO3Miu/iMNujvwK8PEJd A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAP2ogE6tJV2Y/2dsb2JhbABCqBF4gVMBAQEBAgEBAQEPAScfFQsFCwsYLicwGSKHVgacYAGOKo9whitgBIdyi2CRUQ
X-IronPort-AV: E=Sophos;i="4.68,445,1312156800"; d="scan'208";a="24088515"
Received: from ([]) by with ESMTP; 26 Sep 2011 16:32:49 +0000
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id p8QGWlg0022617; Mon, 26 Sep 2011 16:32:47 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Max Pritikin <>
In-Reply-To: <>
Date: Mon, 26 Sep 2011 11:21:53 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
X-Mailer: Apple Mail (2.1084)
Subject: Re: [TLS] Proposal for detecting fraudulent certificates
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Sep 2011 16:30:07 -0000

In the extreme case an invalid sub-CA certificate would be missed by this method unless clients send the entire chain, so I understand the author's motivation for completeness. 

The intention of this idea is to give web server administrators a tool for discovering fraudulent certificates in the wild. The concern isn't so much that a few individuals, perhaps even ones on a several week trip through evil country YYY, get MitM'd but rather that the web site administrator receives a clue within some "reasonable" timeframe. 

What defines "reasonable" and if it is sufficient to drive implementations toward supporting this extension is a harder question. 

- max

On Sep 26, 2011, at 11:05 AM, Martin Rex wrote:

> Florian Weimer wrote:
>> I have submitted draft-weimer-tls-previous-certificate-00, which intents
>> to facilitate detection of fraudulent certificates used in the wild:
>> <>
>> The basic idea is to use leaks from mobile clients moving between
>> networks with and without a clear path to the server.  The previous
>> server certificate chain is included in the client hello, so the server
>> receives it when the client transitions to a network with a clear path.
>> This draft prompted my previous question about extension size limits.
>> Unfortunately, that issue makes this very simple idea somewhat
>> complicated, but I tried to add a fairly straightforward workaround.
> Having the client send _only_ the servers certificate and not the
> entire certificate path should IMO be sufficient for the purpose you
> outline.
> I don't know why you think the 64 KByte TLS extension size limit would
> be a problem.
> A non-marginal fraction of the installed base of TLS will puke when
> encountering a TLS handshake message that is split/fragmented across
> TLS record boundaries (which have a limit of 16 KByte).  The currently
> most likely situation where this occurs (and the only one that
> I've seen in the wild so far) are the CertificateRequest handshake
> message contains a large number (60+) of certification_authorities.
> Usually, the server tries to stuff the server response
> (ServerHello,Certificate, CertificateRequest,ServerHelloDone)
> into one single 16 KByte SSL Record, so even fitting the Server's
> certificate chain alone should not normally be a problem.
> But I don't see how this extension could realistically work in a
> sane fashion.  The TLS implementation in TLS servers is not normally
> keeping a history of previous TLS Server certificates which it ever
> used (and might not have a persistence of its own for such a purpose),
> usually not even across process restarts, and having TLS backends of
> a Web-Server-Farm or hot-backups keep such a history in a consistent
> fashion is even more unlikely.
> And end users would probably prefer their TLS clients to tell them right
> away when a server credential changes unexpectedly, rather than
> a TLS server telling them, after they come home from a several weeks
> trip through some contry YYY, that their last several week of connect(s)
> had all been MITMd...
> -Martin
> _______________________________________________
> TLS mailing list