[Owasp-leaders] Cert Stealer Released

Jim Manico jim.manico at owasp.org
Sun Dec 29 21:46:26 UTC 2013

Try these attacks against Twitter or Google properties in Chrome and they
will fail. Chrome already pins these sites - not to mention the
preconfigured HSTS headers. These additions significantly reduce the attack
surface against HTTPS, even when CAs sell or have their main CA signing
private cert stolen.

Jim Manico
(808) 652-3805

On Dec 29, 2013, at 7:41 AM, Tobias <tobias.gondrom at owasp.org> wrote:

Hi Abbas,
well, I am not sure which DNS pinning attacks you are referring to, but it is
correct that key pinning is not the perfect solution and has some weaknesses;
it does, however, significantly reduce the attack surface.
And hopefully it will be out and in all the browsers soon.
(We are in the last review iteration in WG last call at this moment.)
Cheers, Tobias

On 29/12/13 17:26, Abbas Naderi wrote:

Well then it just introduces the new pinning attacks that existed on DNS.
That's not a solution.
On Dec 29, 2013, at 4:30 AM, Tobias <tobias.gondrom at owasp.org> wrote:


just fyi: the browser vendors are in the IETF currently working on cert
pinning, which should be released very soon and will pin the cert to a
domain. (With that the browser will only accept your pinned domain cert for
your domain, instead of any one from any of the 640s CAs worldwide.) This
was developed as a response out of the Diginotar/Comodo incidents in 2011.

Best regards, Tobias

On 26/12/13 21:05, Abbas Naderi wrote:

They all are; the problem is that they are all trusted the same by the
browser, regardless of whether you pay $5 a year for your certificate
to be signed or a thousand times that amount.
On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

Isn't that the whole point of a certificate authority, to be considered
a trustworthy signer?
On 12/26/13, 12:49 PM, Abbas Naderi wrote:

There is no such thing as the legitimacy of the signer. As long as
someone trusted has signed a certificate, that one is deemed trusted.
On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

The problem is that the browser should by default check the legitimacy of the
signer; if it is loaded into the CA-certs bundle in Mozilla, the majority
besides Akamai will show no difference. Well, this trick isn't for
governments anymore, it's for everybody.  :)
On 12/26/13, 12:26 PM, Abbas Naderi wrote:

Well, this is changing the signer, e.g. Google is signed by a Level one
and you're using a Level 3.
This is an old trick though, many countries already used this to sniff
on their people. The simplest way to stop it is to store fingerprints
and check them later.

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

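The thread's two concrete defences, storing a site's key fingerprint and checking it on later connections (Abbas) and pinning a key to a domain so that no other CA-issued certificate is accepted for it (Tobias, Jim), can be shown in a few lines of Python. The following is an added example, not code from the list or from any browser's implementation. It walks the DER structure of an X.509 certificate with the standard library only, extracts the SubjectPublicKeyInfo, and computes the base64(SHA-256(SPKI)) pin format that browser key pinning uses, so that a pin survives certificate renewal as long as the key is kept. The sample certificate, its toy RSA key, the validity dates and the dummy signature are all constructed here and are not a real certificate; `fetch_cert_der` touches the network and is only provided for trying the check against a live host.

```python
import base64
import hashlib
import ssl

# --- Minimal DER walker: just enough to reach subjectPublicKeyInfo ---

def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]. Returns (tag, content, raw_tlv, next_pos)."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (full TLV) of an X.509 cert.
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }"""
    tag, cert_body, _, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                          # [0] EXPLICIT version; absent in v1 certs
        pos = nxt
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = read_tlv(tbs, pos)
    tag, _, raw, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return raw


def spki_pin(spki_der):
    """Browser-style key pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pins(cert_der, stored_pins):
    """True if the presented certificate carries one of the stored (pinned) keys."""
    return spki_pin(extract_spki(cert_der)) in stored_pins


def fetch_cert_der(host, port=443):
    """Fetch a live server's leaf certificate (network access; not used below)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# --- Constructed sample certificate: structurally valid DER, signed by nobody ---

def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))                      # rsaEncryption
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
# Toy RSA key (n=0xC123, e=65537) inside a BIT STRING, mirroring a real SPKI layout.
SAMPLE_SPKI = der(0x30, der(0x30, RSA_OID + der(0x05, b""))
                  + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00\xc1\x23") + der(0x02, b"\x01\x00\x01"))))

def build_cert(spki, with_version=True):
    """Assemble a minimal certificate around the given SPKI (constructed data)."""
    fields = b""
    if with_version:
        fields += der(0xA0, der(0x02, b"\x02"))                                # version v3
    fields += der(0x02, b"\x01")                                               # serialNumber
    fields += SHA256_RSA                                                       # signature alg
    fields += der(0x30, b"")                                                   # issuer (empty Name)
    fields += der(0x30, der(0x17, b"231226000000Z") + der(0x17, b"241226000000Z"))  # validity
    fields += der(0x30, b"")                                                   # subject (empty Name)
    fields += spki
    tbs = der(0x30, fields)
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" + b"\xaa" * 8))      # dummy signature

SAMPLE_CERT = build_cert(SAMPLE_SPKI)
STORED_PINS = {spki_pin(SAMPLE_SPKI)}    # the fingerprint recorded on first contact

if __name__ == "__main__":
    print("pin:", spki_pin(SAMPLE_SPKI))
    print("presented cert matches stored pin:", check_pins(SAMPLE_CERT, STORED_PINS))
```

Pinning the SPKI hash rather than the whole certificate is what lets a site rotate its certificate (new serial, new validity, even a new CA) without breaking the pin, while a certificate for the same domain issued under a different key, whoever signed it, fails the check. Any site that pins should also store a backup pin for a key held offline, since a lost key with no backup pin locks the site out of its own clients.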