Subject: Re: "The End of SSL and SSH?"
From: Klaus Moeller (moeller@CERT.DFN.DE)
Date: Fri Dec 22 2000 - 05:29:48 CST
- Next message: Jeffry Dwight: "Response to Xato Command-line Mailer Security Advisory"
- Previous message: Darren Moffat: "Re: Solaris patchadd(1) (3) symlink vulnerabilty"
- In reply to: Martin Rex: "Re: "The End of SSL and SSH?""
- Next in thread: Adam Shostack: "Re: "The End of SSL and SSH?""
- Reply: Klaus Moeller: "Re: "The End of SSL and SSH?""
-----BEGIN PGP SIGNED MESSAGE-----
Hi Martin,
Martin Rex writes:
> (1) the significance of a secure key storage.
>
> SSL: All Web-Browsers that I know keep Root-CA certificates in software
> and it is quite possible for software to modify Root-CA certs
> or to add new Root-CA certs, which subverts the whole
> PKI trust model. Modifying this storage is not that difficult,
> given the doors and bugs in Javascript, Java, ActiveX and
> Browser plugins. And the more application vendors move over
> to using Web-Browsers as frontends, the more (signed)
> general-purpose launch pads will be installed and used.
True, the storage itself isn't protected at all (except the root
certificates in Win2K). Everybody who knows Berkeley DBM and has write
access to $HOME/.netscape/cert7.db can modify the Netscape 4.x
certificate DB. Same goes for IE for those who know the registry calls
and have write access to
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\*
or (on Solaris, etc.) write access to $HOME/.microsoft/registry5.
Win2K at least restricts writing to the registry branch containing the
root certificates to Administrators or SYSTEM, and gives a
notification if a self-signed certificate is inserted into the
certificate branch.
There's a DFN-CERT security bulletin about this (in German only :( at
http://www.cert.dfn.de/infoserv/dsb/dsb-2000-02.html
Klaus Moeller, DFN-CERT
- --
Klaus Moeller | mailto:moeller@cert.dfn.de
DFN-CERT GmbH | http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30 | Phone: +49(40)42883-2262
D-22527 Hamburg | FAX: +49(40)42883-2241
Germany | PGP-Key: finger moeller@ftp.cert.dfn.de
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface
iQEVAwUBOkM7KIrEggYLt8j5AQEVXQgAk3v8EA8Urlo4giKY8KOtONONoRNJ9gtj
nYKYNKPyKErrdtGCr4GPOollpfc+1t4jJLMt0QISFrO2oi3HPQYXH0sVdimEcOCr
Fh4uNUUqH5XthT9nzJ93RNrEg4kj6YPo7gvuYXN9TohKQOphrgaXznHChIqjXcS4
B7cxjypZeHuBO3eEgRQc23/+iLDjPshLcecsOlBxAbXrtfDXiVdvBOenW8zi8SAL
0yMI891oAn//ymZhAS4lyzjipH6YNZqi8TIkFevBJuEltmvDPJjWp1gNzFTf2Nt+
1ZiU+nxRE2ARW4L29C24kaBWaTbWS8iCzhFVFWDlPf/FtktIj6VIqw==
=Hiod
-----END PGP SIGNATURE-----
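The post above points out that the Windows root store lives under a user-writable registry branch and that Win2K's only safeguard is an ACL plus a notification when a self-signed root appears. The following PowerShell script is an added example, not part of the original message or of any DFN-CERT tool: it records a baseline of the trusted root stores, reports any roots added since (flagging self-signed ones, which is what a newly planted Root-CA looks like), and lists which identities hold write access to the HKCU root-certificate key. It assumes a Windows host with the `Cert:` and `HKCU:` providers available and a baseline file path of your choosing (`$BaselinePath` is an assumed default); the first run only writes the baseline.

```powershell
# Added example (not from the original post): detect additions to the trusted
# root stores and show who may write the HKCU root-certificate registry key.
param(
    # Assumed default location for the baseline; change as you see fit.
    [string]$BaselinePath = "$env:USERPROFILE\root-store-baseline.txt"
)

function Get-RootStoreEntries {
    # Cert:\CurrentUser\Root is the provider view of
    # HKCU\Software\Microsoft\SystemCertificates\Root\Certificates, the branch
    # the post refers to; LocalMachine\Root is the admin/SYSTEM-protected branch.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # A root CA is self-signed by definition; a fresh self-signed
                # entry is exactly what Win2K's notification warns about.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$current = Get-RootStoreEntries

if (-not (Test-Path $BaselinePath)) {
    # First run: record the store as reviewed today, one "store|thumbprint" per line.
    $current | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" } |
        Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

# Load the baseline into a hashtable for O(1) membership checks.
$baseline = @{}
Get-Content -Path $BaselinePath | ForEach-Object { $baseline[$_] = $true }

$added = $current | Where-Object {
    -not $baseline.ContainsKey("$($_.Store)|$($_.Thumbprint)")
}

if ($added) {
    foreach ($entry in $added) {
        $flag = if ($entry.SelfSigned) { 'SELF-SIGNED ROOT ADDED' } else { 'ROOT ADDED' }
        Write-Warning ("{0}: {1} thumbprint={2} subject='{3}' expires={4}" -f
            $flag, $entry.Store, $entry.Thumbprint, $entry.Subject, $entry.NotAfter)
    }
} else {
    Write-Output "No additions to the trusted root stores since baseline."
}

# Show which identities can write the user's root-certificate branch. On a
# per-user hive the user is normally listed, which is the weakness the post
# describes; compare with HKLM, where only Administrators/SYSTEM should appear.
$rootKey = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
if (Test-Path $rootKey) {
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $writers = (Get-Acl -Path $rootKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $writeRights) } |
        Select-Object -ExpandProperty IdentityReference -Unique
    Write-Output "Identities with write access to ${rootKey}: $($writers -join ', ')"
}
```

Run it once interactively to create the baseline after you have looked over the current roots, then schedule it (or ship its warnings to your log collector) so that a root planted through a browser plugin or a registry write shows up as a `SELF-SIGNED ROOT ADDED` line rather than going unnoticed. Keep the baseline file somewhere the user cannot silently rewrite, otherwise an attacker who can edit the store can edit the baseline too.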