Full Disclosure mailing list archives

Re: Creating a rogue CA certificate


From: Valdis.Kletnieks () vt edu
Date: Wed, 31 Dec 2008 13:16:36 -0500

On Wed, 31 Dec 2008 12:57:52 EST, Elazar Broad said:

That's true, keeping up with security is not cheap nor easy.

Meanwhile, doing nothing is *always* cheap and easy, especially when it's
very unlikely that *you* will end up paying the price...

Tradeoffs are tradeoffs; the question is, when it comes down to
the $$$, is it more cost-effective to be proactive vs. reactive in this
case. Time will tell...

The important point here is that the cost of the vulnerability is what
economists call an externality - the CA who issued the cert that got
abused isn't the one who ends up with the headache.  If Certs-R-Us gives
BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake
Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack
has a problem, Widgets-Today may have a problem - and neither victim is
very likely to blame Certs-R-Us - after all, Widgets-Today got *their*
cert from somebody else.  Certs-R-Us doesn't have a problem unless they
end up on CNN - otherwise *their* potential customers won't know there's
an issue.

On the other hand, if Microsoft and Mozilla issue updates that make their
browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us
sit up and pay attention *immediately*, because "I bought a cert from you
and the frikking thing doesn't work" *does* impact their bottom line.

I predict that if Microsoft and Mozilla do this, there will be a lot of
ambulance-chasing, as opportunists spider the web looking for OpenSSL
connections that present a cert with MD5, and spam the site with "We have
sooper-cheap non-MD5 certs!" ads...
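As an added illustration, not part of this post or the thread, the following stand-alone Python shows the check a browser or a server operator would run to implement the rejection described above: read a certificate's outer signatureAlgorithm and flag the MD2/MD4/MD5-with-RSA family. It uses only the standard library and a minimal DER reader; the certificate bytes it inspects are constructed in-block (a placeholder tbsCertificate and a dummy signature) and are not a real certificate, so `make_fake_cert` and `SAMPLE_PEM` are assumptions for demonstration only.

```python
"""Flag certificates whose signature algorithm is from the MD2/MD4/MD5 family.

Added example (not from the mailing-list post). Standard library only.
"""
import base64

# PKCS#1 signature-algorithm OIDs; the first three are the ones a browser
# update "rejecting any cert with an MD5" would refuse.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS, **{
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
})


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the OID of Certificate.signatureAlgorithm (the outer one)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def uses_weak_digest(cert_der):
    """True if the cert is signed with an MD2/MD4/MD5-based algorithm."""
    return signature_algorithm_oid(cert_der) in WEAK_SIG_OIDS


def load_pem(pem_text):
    """Strip PEM armour and return the DER bytes."""
    body = [l for l in pem_text.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


# ---- constructed sample input (not a real certificate) --------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_fake_cert(sig_oid):
    """Assumed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier,
    dummy signature. Enough structure for the check above, nothing more."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 16)
    return _der(0x30, tbs + alg + sig)


SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(make_fake_cert("1.2.840.113549.1.1.4")).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = load_pem(SAMPLE_PEM)
    oid = signature_algorithm_oid(der)
    print(oid, KNOWN_SIG_OIDS.get(oid, "unknown"), "WEAK" if uses_weak_digest(der) else "ok")
```

Only the outer signatureAlgorithm is inspected; a full implementation would also walk every intermediate in the chain (the root's self-signature is irrelevant, since trust in a root is by inclusion, not by its signature) and compare the outer field against the `signature` field inside tbsCertificate, which must match.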
