Re: [TLS] Root certificates in server certificate chains
Marsh Ray <marsh@extendedsubset.com> Wed, 01 September 2010 05:57 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 568F73A68F5 for <tls@core3.amsl.com>; Tue, 31 Aug 2010 22:57:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.122
X-Spam-Level:
X-Spam-Status: No, score=-2.122 tagged_above=-999 required=5 tests=[AWL=0.477, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEpvbnDp1p-D for <tls@core3.amsl.com>; Tue, 31 Aug 2010 22:57:24 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 410473A6A79 for <tls@ietf.org>; Tue, 31 Aug 2010 22:57:24 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OqgKQ-00048V-Bn; Wed, 01 Sep 2010 05:57:46 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id C070B608D; Wed, 1 Sep 2010 05:57:44 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18X64lRbKbgZgVjDfBOhXPGZSarabR0sDQ=
Message-ID: <4C7DEB59.3020108@extendedsubset.com>
Date: Wed, 01 Sep 2010 00:57:45 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: Matt McCutchen <matt@mattmccutchen.net>
References: <90e6ba1818805af088048f262265@google.com> <1283299784.1923.145.camel@mattlaptop2.local> <4C7DB2E5.6030307@extendedsubset.com> <1283307359.1923.195.camel@mattlaptop2.local> <4C7DBF2E.8010100@extendedsubset.com> <1283316888.2175.14.camel@mattlaptop2.local>
In-Reply-To: <1283316888.2175.14.camel@mattlaptop2.local>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Root certificates in server certificate chains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 05:57:33 -0000
On 08/31/2010 11:54 PM, Matt McCutchen wrote: > On Tue, 2010-08-31 at 21:49 -0500, Marsh Ray wrote: >> >> My guess is that an attacker could tell whether or not the client was >> "taking the bait" and so he wouldn't pass the Finished messages at all >> unless they were expected to validate at one or both ends. >> >> An aborted attack might not look much different to the legitimate client >> and server than ordinary packet loss. > > What attack are you describing? If the attacker replaces the entire > Certificate message with one containing his public key chained to a > bogus root certificate, that is just a MITM attack. Yes, at times a very effective one. > If the attacker > does some tampering but does not replace the server's public key with > his own, he has no way to generate valid Finished messages. Why would he do something like that? Why even bring it up? I don't know if this is what you had in mind, but on example might be that he only cares about a valid Finished message in one direction. For non-resumption handshakes, the client is forced to transmit his valid Finished message before he has a chance to validate much of anything about the server's identity or the handshake. Under certain conditions, certain servers will perform some "highly non idempotent" actions upon the receipt of the clients valid Finished verify_data. - Marsh
- [TLS] Root certificates in server certificate cha… 1.41421
- Re: [TLS] Root certificates in server certificate… Peter Sylvester
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Ryan Sleevi
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Martin Rex
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Peter Gutmann
- Re: [TLS] Root certificates in server certificate… Kyle Hamilton