[Owasp-leaders] Cert Stealer Released

Tobias tobias.gondrom at owasp.org
Sun Dec 29 17:39:23 UTC 2013


Hi Abbas,
Well, I am not sure which DNS pinning attacks you are referring to. It is
correct that key pinning is not a perfect solution and has some
weaknesses, but it significantly reduces the attack surface.
http://www.ietf.org/id/draft-ietf-websec-key-pinning-09.txt
And hopefully it will be out and in all the browsers soon.
(We are in the last review iteration of WG last call at the moment.)
Cheers, Tobias


On 29/12/13 17:26, Abbas Naderi wrote:
> Well, then it just introduces the new pinning attacks that existed on
> DNS. That's not a solution.
> -A
> On Dec 29, 2013, at 4:30 AM, Tobias <tobias.gondrom at owasp.org
> <mailto:tobias.gondrom at owasp.org>> wrote:
>
>> Hi,
>>
>> Just FYI: the browser vendors are currently working in the IETF on
>> cert pinning, which should be released very soon and will pin the
>> cert to a domain. (With that, the browser will only accept your pinned
>> domain cert for your domain, instead of one from any of the 640-odd
>> CAs worldwide.) This was developed in response to the
>> DigiNotar/Comodo incidents in 2011.
>>
>> Best regards, Tobias
>>
>>
>> On 26/12/13 21:05, Abbas Naderi wrote:
>>> They all are, the problem is, they are all trusted the same by the browser, regardless of whether you pay $5 a year for your certificate to be signed, or a thousand times that amount.
>>> -A
>>> On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>
>>>> Isn't that the whole point of certificate authority to be considered a trustworthy signer?
>>>> On 12/26/13, 12:49 PM, Abbas Naderi wrote:
>>>>> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
>>>>> -A
>>>>> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>>>
>>>>>> The problem is that the browser should by default check the legitimacy of the signer; if it's loaded into the CA-certs bundle in Mozilla, the majority, besides Akamai, will show no difference. Well, this trick isn't for governments anymore, it's for everybody.  :)
>>>>>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>>>>>> Well, this is changing the signer, e.g. Google is signed by a Level 1 and you're using a Level 3.
>>>>>>> This is an old trick though; many countries have already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
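The two ideas in the thread, "store fingerprints and check them later" and the draft's browser-side pinning, come down to the same client logic. Below is an added example (not code from the thread, the draft or any browser) modelling the client rules of draft-ietf-websec-key-pinning, the draft Tobias links, which was later published as RFC 7469 (HPKP): a pin is the base64 SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo, a Public-Key-Pins header is only noted if it matches the chain and carries a backup pin, and later connections are accepted only if some certificate in the chain matches a noted pin. Certificates are stood in for by their SPKI bytes, and the byte strings, host names and header values are constructed placeholders, not real keys.

```python
# Added example: key-pin validation in the style of draft-ietf-websec-key-pinning
# (later RFC 7469 / HPKP).  Not code from the thread, the draft or any browser;
# it only models the client-side rules.  Certificates are stood in for by their
# SubjectPublicKeyInfo (SPKI) DER bytes, and the byte strings below are
# constructed placeholders, not real keys.
import base64
import hashlib
import re
from typing import Dict, Iterable, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins header value into its pins and directives.
    Unknown directives are ignored, as the draft requires."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"', directive, re.IGNORECASE)
        if m:
            pins.add(m.group(1))
            continue
        m = re.fullmatch(r"max-age=(\d+)", directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
            continue
        if directive.lower() == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def note_pins(header_value: str, chain_spkis: Iterable[bytes]) -> Optional[Set[str]]:
    """Return the pin set a UA may store for this host, or None if the header is rejected.

    The header is only noted if at least one pin matches an SPKI in the (already
    validated) chain, and it must carry a backup pin that matches nothing in the
    chain, so the site can recover from losing its current key.  max-age=0 means
    "forget any stored pins"."""
    h = parse_pkp_header(header_value)
    pins = h["pins"]
    if h["max_age"] is None or not pins:
        return None
    if h["max_age"] == 0:
        return set()
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not pins & chain_pins:
        return None  # header does not describe this chain
    if not pins - chain_pins:
        return None  # no backup pin
    return set(pins)


def connection_allowed(stored_pins: Set[str], chain_spkis: Iterable[bytes]) -> bool:
    """Pin validation on a later connection: accept the chain only if one of its
    SPKIs matches a stored pin, however many CAs the browser trusts otherwise."""
    return any(spki_pin(s) in stored_pins for s in chain_spkis)


# Constructed placeholder SPKI bytes (not real public keys).
SITE_LEAF_SPKI = b"constructed-spki:example.org-current-leaf-key"
SITE_CA_SPKI = b"constructed-spki:example.org-issuing-ca"
SITE_BACKUP_SPKI = b"constructed-spki:example.org-offline-backup-key"
# A cert for the same name issued by a different, still browser-trusted CA
# (the DigiNotar/Comodo scenario the thread discusses).
MITM_LEAF_SPKI = b"constructed-spki:rogue-leaf-for-example.org"
MITM_CA_SPKI = b"constructed-spki:rogue-but-trusted-ca"

PKP_HEADER = (
    f'pin-sha256="{spki_pin(SITE_LEAF_SPKI)}"; '
    f'pin-sha256="{spki_pin(SITE_BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


if __name__ == "__main__":
    stored = note_pins(PKP_HEADER, [SITE_LEAF_SPKI, SITE_CA_SPKI])
    print("pins noted:", stored is not None)
    print("genuine chain accepted:", connection_allowed(stored, [SITE_LEAF_SPKI, SITE_CA_SPKI]))
    print("rogue-CA chain accepted:", connection_allowed(stored, [MITM_LEAF_SPKI, MITM_CA_SPKI]))
    print("rotated to backup key:", connection_allowed(stored, [SITE_BACKUP_SPKI, SITE_CA_SPKI]))
```

The rogue chain is rejected even though its CA is in the browser's trust store, which is the point Abbas and Tobias are circling: pinning narrows trust from every CA to the keys the site itself announced. The backup-pin rule is the caveat to keep in mind, since a site that pins only its current key and then loses it locks its own users out for max-age; the same failure mode is one reason browsers later dropped HPKP support.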
