Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance

Yoav Nir <ynir@checkpoint.com> Thu, 25 March 2010 02:22 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 64FDF3A6BEE; Wed, 24 Mar 2010 19:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[AWL=1.122, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RtCzLf8r1DRP; Wed, 24 Mar 2010 19:22:52 -0700 (PDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id 1E6893A6C4F; Wed, 24 Mar 2010 19:22:36 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o2P2Mqsd016514; Thu, 25 Mar 2010 04:22:52 +0200 (IST)
X-CheckPoint: {4BAAC835-0-1211DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 25 Mar 2010 04:23:14 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Thu, 25 Mar 2010 04:22:50 +0200
Thread-Topic: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
Thread-Index: AcrLwh7Izo5b5PweSGKsMFzr4GFKWA==
Message-ID: <74B921D9-660D-47DA-99E2-2FC08FC8C14A@checkpoint.com>
References: <E1Nuc4V-0007hL-KD@login01.fos.auckland.ac.nz>
In-Reply-To: <E1Nuc4V-0007hL-KD@login01.fos.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "certid@ietf.org" <certid@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Jeff.Hodges@KingsMountain.com" <Jeff.Hodges@KingsMountain.com>
Subject: Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 02:22:58 -0000

On Mar 24, 2010, at 6:41 PM, Peter Gutmann wrote:

> Yoav Nir <ynir@checkpoint.com> writes:
> 
>> 2. Section 5 is entitled "evidence", and then goes on to present the
>> evidence: a marketing brochure and something someone told him at a booth in a
>> trade show.
> 
> I've seen the same thing done with a $29 Openmesh box but without the cert
> MITM, it relies on the Hamming distance between an SSL and non-SSL site being
> so minute that users don't notice, and in practice no-one did.  Worked really
> well, I have some screenshots of it in action with a banking site and
> Verisign's site-seal in my book draft at
> http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf search for "EV
> Certificates: PKI-me-Harder" and scroll down about two pages.  No need to mess
> with SSL's PKI when it doesn't work anyway, read the surrounding text for
> details.
> 
> Peter.

Interesting stuff. 

Maybe the STS initiative could defeat those other ways well enough that you really have to mess with SSL's PKI.

http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
or
http://en.wikipedia.org/wiki/Strict_Transport_Security