[Owasp-leaders] Cert Stealer Released

Gregory Disney gregory.disney at owasp.org
Mon Dec 30 01:58:56 UTC 2013


I believe Pinning will only go so far if Subject Key Identifier is in 
use. Looks like when this matches, the sha1/md5 fingerprint doesn't need 
to be recalculated.
On 12/29/13, 1:46 PM, Jim Manico wrote:
> Try these attacks against Twitter or Google properties in Chrome and 
> they will fail. Chrome already pins these sites - not to mention the 
> preconfigured HSTS headers. These additions significantly reduce the 
> attack surface against HTTPS, even when CAs sell or have their main 
> CA signing private cert stolen.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Dec 29, 2013, at 7:41 AM, Tobias <tobias.gondrom at owasp.org 
> <mailto:tobias.gondrom at owasp.org>> wrote:
>
>> Hi Abbas,
>> well, I am not sure to which DNS pinning attacks you are referring, but 
>> it is correct that key pinning is not the perfect solution and has some 
>> weaknesses, but it significantly reduces the attack surface.
>> http://www.ietf.org/id/draft-ietf-websec-key-pinning-09.txt
>> And hopefully it will be out and in all the browsers soon.
>> (we are in the last review iteration in WG last call at this moment.)
>> Cheers, Tobias
>>
>>
>> On 29/12/13 17:26, Abbas Naderi wrote:
>>> Well then it just introduces the new pinning attacks that existed on 
>>> DNS. That's not a solution.
>>> -A
>>> On Dec 29, 2013, at 4:30 AM, Tobias <tobias.gondrom at owasp.org 
>>> <mailto:tobias.gondrom at owasp.org>> wrote:
>>>
>>>> Hi,
>>>>
>>>> just fyi: the browser vendors are in the IETF currently working on 
>>>> cert pinning, which should be released very soon and will pin the 
>>>> cert to a domain. (With that the browser will only accept your 
>>>> pinned domain cert for your domain, instead of any one from any of 
>>>> the 640s CAs worldwide.) This was developed as a response out of 
>>>> the Diginotar/Comodo incidents in 2011.
>>>>
>>>> Best regards, Tobias
>>>>
>>>>
>>>> On 26/12/13 21:05, Abbas Naderi wrote:
>>>>> They all are, the problem is, they are all trusted the same by the browser, regardless of whether you pay $5 a year for your certificate to be signed, or a thousand times that amount.
>>>>> -A
>>>>> On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>>>
>>>>>> Isn't that the whole point of certificate authority to be considered a trustworthy signer?
>>>>>> On 12/26/13, 12:49 PM, Abbas Naderi wrote:
>>>>>>> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
>>>>>>> -A
>>>>>>> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>>>>>
>>>>>>>> Problem is, the browser should by default check the legitimacy of the signer; if it is loaded into the CA-certs bundle in Mozilla, the majority besides Akamai will show no difference. Well, this trick isn't for governments anymore, it's for everybody. :)
>>>>>>>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>>>>>>>> Well, this is changing the signer, e.g. Google is signed by a Level one and you're using a Level 3.
>>>>>>>>> This is an old trick though, many countries already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>
>
>
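The thread turns on two points: Abbas's suggestion to "store fingerprints and check them later", and Gregory's observation that once the key identifier matches, the certificate fingerprint need not be recalculated. The added example below (not part of the original thread, and not code from any of the participants) makes that difference concrete with a standard-library Python script. It builds a structurally valid but unsigned toy X.509 certificate (the key, names, dates and signature are all constructed placeholders), extracts the SubjectPublicKeyInfo with a minimal DER reader, and computes a pin in the `pin-sha256` form of the key-pinning draft Tobias linked, i.e. base64 of the SHA-256 over the SPKI DER. The same key wrapped in certificates from two different issuers yields two different certificate fingerprints but one identical key pin, which is why pinning the key rather than the certificate survives a legitimate re-issue while still rejecting a certificate for the same name that carries a different key.

```python
"""Toy demonstration of key pinning: pin the SubjectPublicKeyInfo (the key),
not the fingerprint of a particular certificate. Standard library only."""
import base64
import hashlib

# --- minimal DER encoder, only what the constructed certificate needs ---
def der_tlv(tag, body):
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

# Real DER encodings of well-known OIDs.
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")      # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("0603550403")                 # 2.5.4.3
ASN1_NULL = bytes.fromhex("0500")

def name_cn(cn):
    """Name with a single commonName attribute."""
    attr = der_seq(OID_COMMON_NAME, der_tlv(0x0C, cn.encode()))
    return der_seq(der_tlv(0x31, attr))

def toy_spki(key_bytes):
    """SubjectPublicKeyInfo: rsaEncryption algorithm plus a constructed key blob."""
    return der_seq(der_seq(OID_RSA_ENCRYPTION, ASN1_NULL),
                   der_tlv(0x03, b"\x00" + key_bytes))

def toy_certificate(issuer_cn, subject_cn, serial, spki):
    """Structurally valid X.509 v3 shell around a given SPKI. The signature is
    a constructed placeholder, so this cert never verifies; it exists only to
    show where the pinned bytes sit inside the certificate."""
    sig_alg = der_seq(OID_SHA256_RSA, ASN1_NULL)
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),      # version [0] EXPLICIT, v3
        der_tlv(0x02, serial.to_bytes(2, "big")),   # serialNumber (small, positive)
        sig_alg,                                    # signature algorithm
        name_cn(issuer_cn),                         # issuer
        der_seq(der_tlv(0x17, b"131226000000Z"),    # validity, constructed dates
                der_tlv(0x17, b"141226000000Z")),
        name_cn(subject_cn),                        # subject
        spki,                                       # subjectPublicKeyInfo
    )
    fake_sig = der_tlv(0x03, b"\x00" + hashlib.sha256(tbs).digest())
    return der_seq(tbs, sig_alg, fake_sig)

# --- minimal DER reader ---
def der_elements(buf):
    """Yield (tag, raw_tlv, value) for each element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        start = pos
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first & 0x80:
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        else:
            length = first
        end = pos + length
        yield tag, buf[start:end], buf[pos:end]
        pos = end

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded certificate."""
    cert_value = next(der_elements(cert_der))[2]    # inside Certificate SEQUENCE
    tbs_value = next(der_elements(cert_value))[2]   # inside tbsCertificate SEQUENCE
    fields = list(der_elements(tbs_value))
    if fields[0][0] == 0xA0:                        # optional version field
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(cert_der):
    """pin-sha256 value as in the key-pinning draft: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_fingerprint(cert_der):
    """SHA-256 over the whole certificate: changes whenever the cert is re-issued."""
    return hashlib.sha256(cert_der).hexdigest()

def pin_matches(cert_der, stored_pins):
    """Accept the served certificate only if it carries one of the pinned keys."""
    return spki_pin(cert_der) in set(stored_pins)

# Constructed scenario: one site key, certificates issued by two different CAs.
KEY = hashlib.sha256(b"constructed toy public key").digest() * 8
SPKI = toy_spki(KEY)
CERT_A = toy_certificate("Toy Root CA 1", "www.example.test", 1001, SPKI)
CERT_B = toy_certificate("Toy Root CA 2", "www.example.test", 2002, SPKI)
# Same name, trusted-looking issuer, but a different key: the mis-issuance case pinning rejects.
CERT_OTHER_KEY = toy_certificate("Toy Root CA 2", "www.example.test", 3003,
                                 toy_spki(hashlib.sha256(b"constructed other key").digest() * 8))

if __name__ == "__main__":
    pins = [spki_pin(CERT_A)]
    print("fingerprints differ:", cert_fingerprint(CERT_A) != cert_fingerprint(CERT_B))
    print("re-issued cert passes pin:", pin_matches(CERT_B, pins))
    print("other-key cert passes pin:", pin_matches(CERT_OTHER_KEY, pins))
```

The caveat this illustrates is the one Jim raises: a pin protects against a CA (compromised or not) issuing a certificate for a different key, but a site that pins a single key and then loses or rotates it locks its own users out, which is why the draft requires a backup pin to be present in the stored set.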

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2013-12-29 at 5.52.50 PM.png
Type: image/png
Size: 67883 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131229/ff334173/attachment-0001.png>