Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: "The End of SSL and SSH?"

From: Darren Reed <avalon () COOMBS ANU EDU AU>
Date: Fri, 22 Dec 2000 08:59:05 +1100
In some mail from Martin Rex, sie said:
[...]

(1) the significance of a secure key storage.

  SSL:  All Web-Browsers that I know keep Root-CA certificates in software
        and it is quite possible for software to modify Root-CA certs
      or to add new Root-CA certs, which subverts the whole
        PKI trust model.


No, it just subverts the implementation whereby the browser doesn't
bother you if it can find a path back to a root-CA for a X.509 cert
associated with whatever cert it has been given.

For Netscape there is a builtin MIME type that cannot be disabled
which invokes the root CA installation code.  10:1 most people would
click "ok" to install a root CA if so prompted from a random web site.
Now that's without even doing anything nasty.

[...]

  SSL:  Web-Browsers area shipped with >100 preconfigured CA certs
        these days.  Most Browsers can be downloaded via the Internet,
        but many of the distributions are still not signed --
        how do you know they haven't been backdoored with additional
        Root-Certs?


How do you know there is any integrity at all in those preconfigured ?
What's to say that 10 of them aren't controlled by some mafia ?  I'll
let the conspiracy theorists goto town on that note.

Darren
Previous By Date Next
Previous By Thread Next

Current thread: