Re: "Certification Authorities are recommended to stop using MD5 altogether"

To: debian-security@lists.debian.org
Subject: Re: "Certification Authorities are recommended to stop using MD5 altogether"
From: Russ Allbery <rra@debian.org>
Date: Thu, 01 Jan 2009 06:50:55 -0800
Message-id: <[🔎] 874p0j84hc.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 1230820291.18250.28.camel@hidalgo> (Yves-Alexis Perez's message of "Thu\, 01 Jan 2009 15\:31\:31 +0100")
References: <0812310232100.8102@somehost> <200812311052.41476.bgrpt3@toplitzer.net> <20081231191518.GC6475@pond> <[🔎] 1230820291.18250.28.camel@hidalgo>

Yves-Alexis Perez <corsac@debian.org> writes:

> I may be wrong, but I trust the CAs in ca-certificates. I've followed
> the add of French Gvt CA Certificates, and the procedure was enough
> strict to give me this trust impression.
>
> I would hope that other CA are checked to be trustworthy enough before
> adding them to ca-certificates. Not sure if the same thing applies to
> certificates in iceweasel or stuff like that, but at least in Debian we
> (as “the maintainers”) have control over this.

While this exploit is particularly interesting because it's technical
rather than social and therefore easy to wrap one's mind around, it's not
been particularly difficult to get a forged certificate since nearly the
beginning of the commercial CA concept.  Very few of the certificate
authorities do any sort of real authentication of the requester, so if
you're willing to simple things like fax them forged letterhead, you can
probably get a certificate claiming to be just about anyone who isn't
extremely high-profile.

Such a social engineering attack was successfully used on Microsoft in the
past, for instance.

We've tested this from time to time at Stanford and it's startling how
easy it is to get one of the major commercial CAs, recognized by all the
browsers and so forth, to give you a certificate with very little checking
as long as you're willing to pay them money.  The conclusion that I've
drawn from that is that SSL certificate checking from known roots provides
little meaningful authentication and shouldn't be treated as if it does.

Debian is in an awkward position with ca-certificates and with
certificates in browsers since not having a root certificate that everyone
else honors is a significant UI bug.  In practice, most organizations only
care about SSL certificates to a sufficient extent that their users aren't
getting confusing error messages, and if Debian doesn't honor the same set
of CAs that everyone else does (at least by default), Debian just becomes
a support burden rather than something that's perceived as more secure.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: "Certification Authorities are recommended to stop using MD5 altogether"
  - From: Micah Anderson <micah@riseup.net>

References:
- Re: "Certification Authorities are recommended to stop using MD5 altogether"
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Previous by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Index(es):
- Date
- Thread