List: full-disclosure
Subject: Re: [Full-disclosure] Creating a rogue CA certificate
From: Valdis.Kletnieks () vt ! edu
Date: 2008-12-31 18:16:36
Message-ID: 26156.1230747396 () turing-police ! cc ! vt ! edu
On Wed, 31 Dec 2008 12:57:52 EST, Elazar Broad said:
> That's true, keeping up with security is not cheap nor easy.
Meanwhile, doing nothing is *always* cheap and easy, especially when it's
very unlikely that *you* will end up paying the price...
> Tradeoffs are tradeoffs, the question is, when it comes down to
> the $$$, is it more cost-effective to be proactive vs reactive in this
> case. Time will tell...
The important point here is that the cost of the vulnerability is what
economists call an externality - the CA who issued the cert that got
abused isn't the one who ends up with the headache. If Certs-R-Us gives
BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake
Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack
has a problem, Widgets-Today may have a problem - and neither victim is
very likely to blame Certs-R-Us - after all, Widgets-Today got *their*
cert from somebody else. Certs-R-Us doesn't have a problem unless they
end up on CNN - otherwise *their* potential customers won't know there's
an issue.
On the other hand, if Microsoft and Mozilla issue updates that make their
browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us
sit up and pay attention *immediately*, because "I bought a cert from you
and the frikking thing doesn't work" *does* impact their bottom line.
I predict that if Microsoft and Mozilla do this, there will be a lot of
ambulance-chasing, as opportunists spider the web looking for OpenSSL
connections that present a cert with MD5, and spam the site with "We have
sooper-cheap non-MD5 certs!" ads...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
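The check the post wants browsers (and opportunistic crawlers) to apply is a look at the certificate's signature algorithm. The following is an added example, not code from the post or from any browser: a stdlib-only DER walker that pulls the AlgorithmIdentifier out of both places an X.509 certificate carries it (the outer `signatureAlgorithm` and the signed `tbsCertificate.signature` field, which RFC 5280 requires to match) and rejects MD5-based algorithms. The OIDs are the real RFC 3279 values; the certificate the block feeds itself is a constructed skeleton whose tbsCertificate stops after the signature field, so it exercises the walker but is not a valid certificate. The helper names (`verdict`, `build_skeleton_cert`, etc.) are this example's own.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example; stdlib only.  Real-world input is the DER from a PEM file
(see pem_to_der); the test input here is a constructed skeleton certificate.
"""
import base64

# Signature algorithm OIDs (RFC 3279 / RFC 4055).
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",   # weaker still; reject as well
}
SIGNATURE_OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    **MD5_SIGNATURE_OIDS,
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """OID content octets -> dotted decimal (X.690 8.19: first byte packs two arcs)."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = more octets follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER,
                                  signature AlgorithmIdentifier, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)           # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)     # signatureAlgorithm (outside the signed bytes)
    tag, _, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                            # explicit [0] version present: skip it
        tag, _, p = _read_tlv(tbs, p)          # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)        # signature (inside the signed bytes)
    return _alg_oid(outer_alg), _alg_oid(inner_alg)


def verdict(cert_der):
    """(accepted, reason).  Only the inner field is covered by the signature, so a
    mismatch between the two is rejected outright rather than trusting either."""
    outer, inner = signature_algorithms(cert_der)
    if outer != inner:
        return False, f"rejected: signatureAlgorithm {outer} != tbsCertificate.signature {inner}"
    name = SIGNATURE_OID_NAMES.get(outer, outer)
    if outer in MD5_SIGNATURE_OIDS:
        return False, f"rejected: {name}"
    return True, f"accepted: {name}"


def pem_to_der(pem_text):
    """Strip the PEM armour of a CERTIFICATE block and base64-decode the body."""
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


# --- constructed test input (NOT a valid certificate) -------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton_cert(outer_oid, inner_oid=None):
    """Certificate skeleton: version v3, serial 1, signature OIDs as given, and a
    dummy signatureValue; tbsCertificate is truncated after its signature field."""
    inner_oid = inner_oid or outer_oid
    alg = lambda oid: _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")  # NULL params
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(inner_oid))
    return _tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00" + b"\xAA" * 8))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(verdict(build_skeleton_cert(oid)))
```

Against a real certificate, `verdict(pem_to_der(open("site.pem").read()))` gives the same yes/no a browser update of the kind described would have to make; the mismatch branch is there because only the inner field is under the CA's signature, so a verifier that reads the algorithm from the outer field alone is trusting an unsigned byte string.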