The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for January 5th, 2013

TURKTRUST Incident Raises Renewed Questions About CA System | threatpost

Posted by jpluimers on 2013/01/05

A small quote from the very interesting TURKTRUST Incident Raises Renewed Questions About CA System | threatpost article:

“Subordinate certificates have long been identified as a point of weakness in the CA system. They are typically granted unconstrained power to issue certificates for any domain name. Thus, a leak of one subordinate certificate is seen as equivalent to a leak of authority equivalent to all CAs combined. Worse, subordinate certificates need not be explicitly trusted by the software that authenticates encrypted SSL connections, typically your web browser. They inherit their trust from the explicitly trusted CAs that have been vetted by your browser vendor,” Steve Schultze, associate director of the Center for Information Technology Policy at Princeton University, wrote in an analysis of the TURKTRUST incident.

A CA (Certificate Authority) issues certificates, most of which are used for domain validation by web browsers, email and applications. When you communicate with your bank (through a web browser or a banking app on your phone), this lets you verify that the server you reach is in fact the server of your bank. Likewise, it lets you verify that your email program really talks to the server of your email provider and not to some intermediary that spoofs your mail.

If fraudulent certificates get issued for certain domains (sometimes specific like http://www.google.com, sometimes generic like *.yahoo.com, or *.*.com), then you can no longer trust those domains, nor your communication with them. So communication with your bank could be intercepted and changed, and you could lose money.

That’s exactly what happened in 2011 and late 2012:

The heart of the problem is twofold:

  1. If a CA somehow (by mistake, hacking or whatever) issues a rogue certificate, it takes a relatively long time to find out it is rogue. In the meantime, everyone trusts the rogue certificate, and a lot of damage can be done.
  2. It takes a relatively long time for people to patch their systems, making the window of opportunity even bigger (heck, I regularly see systems that have not been patched for months or years).

While an IETF proposal to log all intermediate and end-entity certificates tries to fix 1., make sure you fix 2. by keeping your systems patched.
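The trust inheritance Schultze describes, as an added example that is not code from this post or the threatpost article: a simplified Python model of chain validation showing that a subordinate CA missing from the trust store is still accepted for any domain unless it carries an X.509 name constraints extension, plus an audit helper that lists unconstrained subordinates in a chain. It assumes no keys or signatures; the `Cert` type, function names and all certificate names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified certificate model: no keys or signatures (assumption)."""
    subject: str
    issuer: str
    is_ca: bool = False
    permitted_dns: tuple = ()  # nameConstraints permitted subtrees; () = extension absent
    dns_names: tuple = ()      # subjectAltName dNSName entries on a leaf

def within(name, subtree):
    """RFC 5280 dNSName rule: the subtree itself or a name with labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def accepted(chain, trust_store, hostname):
    """chain is leaf first, root last. Returns (ok, reason)."""
    leaf = chain[0]
    if hostname.lower() not in (n.lower() for n in leaf.dns_names):
        return False, "hostname not named in leaf"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"{parent.subject} is not a valid issuer of {child.subject}"
        if parent.permitted_dns and not any(within(hostname, s) for s in parent.permitted_dns):
            return False, f"{parent.subject} may not issue for {hostname}"
    if chain[-1].subject not in trust_store:
        return False, "chain does not end at a trusted root"
    return True, "trusted via " + chain[-1].subject

def unconstrained_subordinates(chain, trust_store):
    """Audit: CA certs that only inherit trust and can issue for any domain."""
    return [c.subject for c in chain[1:]
            if c.is_ca and c.subject not in trust_store and not c.permitted_dns]

# Constructed sample data: only the root is explicitly trusted.
TRUST_STORE = {"Constructed Root CA"}
ROOT = Cert("Constructed Root CA", "Constructed Root CA", is_ca=True)
SUB = Cert("Constructed Sub CA", ROOT.subject, is_ca=True)
SUB_NC = Cert("Constructed Constrained Sub CA", ROOT.subject, is_ca=True,
              permitted_dns=("example.test",))
MISISSUED = Cert("bank.test", SUB.subject, dns_names=("bank.test",))
BLOCKED = Cert("bank.test", SUB_NC.subject, dns_names=("bank.test",))
ALLOWED = Cert("www.example.test", SUB_NC.subject, dns_names=("www.example.test",))

if __name__ == "__main__":
    for leaf, sub in ((MISISSUED, SUB), (BLOCKED, SUB_NC), (ALLOWED, SUB_NC)):
        chain = [leaf, sub, ROOT]
        print(leaf.subject, "via", sub.subject, "->", accepted(chain, TRUST_STORE, leaf.dns_names[0]),
              "| unconstrained:", unconstrained_subordinates(chain, TRUST_STORE))
```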

–jeroen

via TURKTRUST Incident Raises Renewed Questions About CA System | threatpost.
