Ubuntu
evolution package

Bug #232340
Comment #66

Comment 66 for bug 232340

Revision history for this message

In Mozilla Bugzilla #215243, Kk-kjernsmo (kk-kjernsmo) wrote on 2004-07-09:

#66

> 1: It should be possible for end users to easily add a arbitrary
> certificate authority to their setup.

Actually, no.... :-)

Adding a root certificate is a serious matter, and if a user can easily
be fooled into accepting a bogus certificate it would be disastrous. If
you make it easy to add a root certificate, you open up for all kinds
of social engineering attacks, as well as virus attacks. I'm really
surprised that we're not hearing about viruses trying to add root
certificates allready...

Once a bogus root certificate is accepted, you open up for all kinds of
man-in-the-middle attacks. Someone can, for example, easily replace a
bank's website, and make it look legit, no popups warning about bogus
site certificates, the lock is in place and so on. Say for example that
you (you're now Evil) control the information flow between a customer
and a bank, and between the bank and the supplier. Since you've been
able to insert a root certificate at some point in the browser of the
customer and supplier, and through phishing, you've got them to use
your website rather than the true bank's. When they log in, everything
looks normal, but they are actually encrypting their information with
your certificate. So, you grab that, and use their session
authentication to transfer the customer's money to yourself, but at the
same time, you send a notification to the supplier that payment has
been received through his trusted encrypted channel from what he thinks is
his bank. So, the customer gets his goods, the supplier thinks he has
his money, but you have them. Everybody's happy, until the supplier makes an
audit based on data from a source you don't control. It could be never,
or next month. Either way, you're on a beach somewhere by then...

I've detailed this type of attack to my bank, there are easy ways to
protect against it (publish the fingerprints of the banks key in the
physical banks), but there's no way you're going to convince anybody to
take this extra precaution. They rely 100% on root certificates being
valid, trusted, irreplaceable, immune to viruses, socially
unengineerable and whatnot... :-/

The whole thing is built on sand as it is, and making it easier to add
root certificates is IMHO not the way to go. Root certificates should
only ever be added by somebody with a clue, and for them, it is easy
enough as it is.

But that is not to say CACert shouldn't be added, I think it should,
after due process.

Now, really, this bug isn't the real forum for discussing it, the
newsgroups are. Sorry, couldn't resist... :-)

Kjetil

> 1: It should be possible for end users to easily add a arbitrary
> certificate authority to their setup.

Actually, no.... :-)

Adding a root certificate is a serious matter, and if a user can easily 
be fooled into accepting a bogus certificate it would be disastrous. If 
you make it easy to add a root certificate, you open up for all kinds 
of social engineering attacks, as well as virus attacks. I'm really 
surprised that we're not hearing about viruses trying to add root 
certificates allready...

Once a bogus root certificate is accepted, you open up for all kinds of 
man-in-the-middle attacks. Someone can, for example, easily replace a 
bank's website, and make it look legit, no popups warning about bogus 
site certificates, the lock is in place and so on. Say for example that 
you (you're now Evil) control the information flow between a customer 
and a bank, and between the bank and the supplier. Since you've been 
able to insert a root certificate at some point in the browser of the 
customer and supplier, and through phishing, you've got them to use 
your website rather than the true bank's. When they log in, everything 
looks normal, but they are actually encrypting their information with 
your certificate. So, you grab that, and use their session 
authentication to transfer the customer's money to yourself, but at the 
same time, you send a notification to the supplier that payment has 
been received through his trusted encrypted channel from what he thinks is 
his bank. So, the customer gets his goods, the supplier thinks he has 
his money, but you have them. Everybody's happy, until the supplier makes an
audit based on data from a source you don't control. It could be never, 
or next month. Either way, you're on a beach somewhere by then...

I've detailed this type of attack to my bank, there are easy ways to 
protect against it (publish the fingerprints of the banks key in the 
physical banks), but there's no way you're going to convince anybody to 
take this extra precaution. They rely 100% on root certificates being 
valid, trusted, irreplaceable, immune to viruses, socially 
unengineerable and whatnot... :-/

The whole thing is built on sand as it is, and making it easier to add 
root certificates is IMHO not the way to go. Root certificates should 
only ever be added by somebody with a clue, and for them, it is easy 
enough as it is.

But that is not to say CACert shouldn't be added, I think it should, 
after due process.

Now, really, this bug isn't the real forum for discussing it, the 
newsgroups are. Sorry, couldn't resist... :-)

Kjetil

Ubuntuevolution package

Comment 66 for bug 232340

Ubuntu
evolution package