Full Disclosure mailing list archives
Re: Creating a rogue CA certificate
From: Valdis.Kletnieks () vt edu
Date: Wed, 31 Dec 2008 13:16:36 -0500
On Wed, 31 Dec 2008 12:57:52 EST, Elazar Broad said:
> That's true, keeping up with security is neither cheap nor easy.
>> Meanwhile, doing nothing is *always* cheap and easy, especially when it's very unlikely that *you* will end up paying the price...
> Tradeoffs are tradeoffs; the question is, when it comes down to the $$$, is it more cost-effective to be proactive vs. reactive in this case. Time will tell...
The important point here is that the cost of the vulnerability is what economists call an externality - the CA who issued the cert that got abused isn't the one who ends up with the headache. If Certs-R-Us gives BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack has a problem, Widgets-Today may have a problem - and neither victim is very likely to blame Certs-R-Us - after all, Widgets-Today got *their* cert from somebody else. Certs-R-Us doesn't have a problem unless they end up on CNN - otherwise *their* potential customers won't know there's an issue.

On the other hand, if Microsoft and Mozilla issue updates that make their browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us sit up and pay attention *immediately*, because "I bought a cert from you and the frikking thing doesn't work" *does* impact their bottom line.

I predict that if Microsoft and Mozilla do this, there will be a lot of ambulance-chasing, as opportunists spider the web looking for OpenSSL connections that present a cert with MD5, and spam the site with "We have sooper-cheap non-MD5 certs!" ads...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
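The "reject out-of-hand any cert with an MD5" rule the message argues for comes down to reading the outer signatureAlgorithm OID of every certificate in a chain. The following is an added example, not code from the original post or from any browser vendor: a small self-contained DER walker that pulls that OID out of a certificate (raw DER or PEM as `openssl s_client -showcerts` prints it) and flags the MD2/MD5-with-RSA OIDs (1.2.840.113549.1.1.2 and .4, the standard PKCS#1 identifiers). The `constructed_cert` helper at the bottom is an assumption for offline testing: it builds certificate-shaped DER with the right outer layout, not real certificates, and the padding argument only exists to exercise long-form DER lengths.

```python
"""Flag certificates whose outer signatureAlgorithm is MD5-based.

Added example, not from the original post.  A DER Certificate is
SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }, and
signatureAlgorithm is SEQUENCE { OBJECT IDENTIFIER, parameters }, so a
small TLV walker reaches the OID without an ASN.1 library."""
import base64

MD5_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
OTHER_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                  "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode the tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:                  # base 128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def load_der(data):
    """Accept raw DER or PEM armour (what openssl s_client -showcerts prints)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in data.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data

def signature_algorithm_oid(cert):
    """Dotted OID of the outer signatureAlgorithm, i.e. what the CA signed with."""
    der = load_der(cert)
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tag2, _, tbs_end = read_tlv(der, start)          # tbsCertificate, skipped whole
    tag3, alg_start, _ = read_tlv(der, tbs_end)      # signatureAlgorithm
    tag4, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a Certificate structure")
    return decode_oid(der[oid_start:oid_end])

def classify_chain(chain):
    """[(oid, name, is_md5), ...] for each cert in a chain, leaf first."""
    out = []
    for cert in chain:
        oid = signature_algorithm_oid(cert)
        name = MD5_SIG_OIDS.get(oid) or OTHER_SIG_OIDS.get(oid, "unknown")
        out.append((oid, name, oid in MD5_SIG_OIDS))
    return out

def chain_has_md5(chain):
    """The 'reject out-of-hand' rule: any MD5-signed cert anywhere in the chain."""
    return any(is_md5 for _, _, is_md5 in classify_chain(chain))

# --- constructed sample data: certificate-shaped DER, not valid certificates ---
def der(tag, content):
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_cert(sig_oid, tbs_padding=0):
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * tbs_padding))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + b"\x05\x00")   # NULL params
    return der(0x30, tbs + alg + der(0x03, b"\x00\xde\xad\xbe\xef"))

def as_pem(raw):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    chain = [constructed_cert("1.2.840.113549.1.1.11", 200),   # leaf, SHA-256
             constructed_cert("1.2.840.113549.1.1.4"),         # intermediate, MD5
             constructed_cert("1.2.840.113549.1.1.5")]         # root, SHA-1
    for oid, name, md5 in classify_chain(chain):
        print(f"{oid:24} {name:24} {'REJECT' if md5 else 'ok'}")
    print("chain rejected:", chain_has_md5(chain))
```

Only the outer signatureAlgorithm is read; the copy inside tbsCertificate is the CA's claim and is what a forger controls, so it is the wrong one to trust. The check walks every certificate rather than just the leaf because the 2008 rogue-CA result hinged on an MD5 signature over an intermediate, not over the site cert. To audit a live site, feed each PEM block from `openssl s_client -connect host:443 -showcerts </dev/null` to `signature_algorithm_oid`.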