A mighty fortress is our PKI
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Jul 22 03:48:24 EDT 2010
Readers are cordially invited to go to https://edgecastcdn.net and have a look
at the subjectAltName extension in the certificate that it presents. An
extract is shown at the end of this message; this is just one example of many
like it. I'm not picking on Edgecast specifically; I just used this one
because it's the most Sybilly certificate I've ever seen. You'll find that
this one Sybil certificate, among its hundred-and-seven hostnames, includes
everything from Mozilla, Experian, the French postal service, TRUSTe, and the
Information Systems Audit and Control Association (ISACA), through to
Chainlove, Bonktown, and Dickies Girl (which aren't nearly as titillating as
they sound, and QuiteSFW). Still, who needs to compromise a CA when you have
these things floating around on multihomed hosts and CDNs?
Ian Grigg pointed out that this is also an EV certificate. I'm guessing that
CDNs and multihomed hosts run into the same system-high problem that dogged
MLS systems in the 1980s: they have to use the certificate at the highest
level of any of the constituent domains. So if you compromise (say)
inpath-static.iseatz.com (which consists of a page that says "We're sorry, but
something went wrong") or images.vrbo.com ("Directory Listing Denied") then
you have an EV-validated site. So the overall EV security becomes that of the
least secure co-hosted domain.
I've tried connecting to the above site with HTTPS and get a normal non-EV
Sybil certificate even though it's rooted in an EV CA... well, pseudo-rooted,
the "root" is then signed by an old Entrust certificate, and the certificate
itself is another multi-domain one, for Delta, Amtrak, Air France, KLM, Alaska
Air, and others. I wonder if they have some context-specific way to override
EV on a per-site basis when it's used with Sybil certificates? At the moment
it's rather hard to test because depending on where you are in the world you
get different views of servers and certificates (for example when I connect to
ISACA, which is an EV site, I get a standard non-Sybil certificate that's only
valid for ISACA), and finding a particular hostname in a Sybil certificate
doesn't mean that you'll see that particular certificate when you connect to
the server.
(Again, not wanting to pick on ISACA here, but finding a security audit
organisation sharing a certificate with Dickies Girl is kinda funny. You'd
think there'd be a security audit process to catch this :-).
What a mess! A single XSS/XSRF/XS* attack, or just a plain config problem,
and the whole house of cards comes down.
(For the TLS folks, SNI (a client-supplied Server Name Indication when it
connects) won't fix this because (a) it's not widely-enough supported yet and
(b) the server admin would have to buy 107 separate certificates to do the
job that's currently done by one Sybil certificate, and then repeat this for
every other Sybil certificate they use).
666 2633: SEQUENCE {
670 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
675 2624: OCTET STRING, encapsulates {
679 2620: SEQUENCE {
683 15: [2] 'edgecastcdn.net'
700 18: [2] 'ne.edgecastcdn.net'
720 21: [2] 'minitab.fileburst.com'
743 30: [2] 'cdn.montimbrenligne.laposte.fr'
775 27: [2] 'zeroknowledge.fileburst.com'
804 23: [2] 'images.goldstarbeta.com'
829 25: [2] 'radialpoint.fileburst.com'
856 19: [2] 'wac.edgecastcdn.net'
877 22: [2] 'ne.wac.edgecastcdn.net'
901 19: [2] 'images.goldstar.com'
922 15: [2] 'images.vrbo.com'
939 12: [2] 'cdn.vrbo.com'
953 18: [2] 'content.truste.com'
973 13: [2] 'e1.boxcdn.net'
988 13: [2] 'e2.boxcdn.net'
1003 13: [2] 'e3.boxcdn.net'
1018 25: [2] 'privacy-policy.truste.com'
1045 13: [2] 'www.sonos.com'
1060 19: [2] 'www.dickiesgirl.com'
1081 26: [2] 'static-cache.tp-global.net'
1109 29: [2] 'images.homeawayrealestate.com'
1140 14: [2] 'cdn.verint.com'
1156 13: [2] 'swf.mixpo.com'
1171 21: [2] 'cdn.traceregister.com'
1194 14: [2] 's.tmocache.com'
1210 17: [2] 's.my.tmocache.com'
1229 23: [2] 'ne1.wpc.edgecastcdn.net'
1254 23: [2] 'gp1.wpc.edgecastcdn.net'
1279 23: [2] 'gs1.wpc.edgecastcdn.net'
1304 23: [2] 'ne1.wac.edgecastcdn.net'
1329 23: [2] 'gp1.wac.edgecastcdn.net'
1354 23: [2] 'gs1.wac.edgecastcdn.net'
1379 24: [2] 'c1.socialcastcontent.com'
1405 21: [2] 'www.steepandcheap.com'
1428 22: [2] 'www.whiskeymilitia.com'
1452 17: [2] 'www.chainlove.com'
1471 16: [2] 'www.tramdock.com'
1489 16: [2] 'www.bonktown.com'
1507 16: [2] 'www.brociety.com'
1525 15: [2] 'www.mozilla.com'
1542 22: [2] 'resources.homeaway.com'
1566 21: [2] 'ssl-cdn.sometrics.com'
1589 35: [2] 'cache.vehicleassets.captivelead.com'
1626 17: [2] 'static.woopra.com'
1645 20: [2] 'images.cardstore.com'
1667 15: [2] 'images.ink2.com'
1684 32: [2] 'resources.homeawayrealestate.com'
1718 18: [2] 'cdn1.adadvisor.net'
1738 24: [2] 'www.pictureitpostage.com'
1764 26: [2] 'images.vacationrentals.com'
1792 34: [2] 'serviceportal.carestreamhealth.com'
1828 23: [2] 'assets-secure.razoo.com'
1853 29: [2] 'resources.vacationrentals.com'
1884 23: [2] 'download.entraction.com'
1909 12: [2] 'ec.pond5.com'
1923 21: [2] 'images.esellerpro.com'
1946 15: [2] 'use.typekit.com'
[etc]
Peter.
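
Added example, not part of the original post: a small DER reader that pulls the dNSName entries out of a subjectAltName value like the one dumped above and groups them by owning domain, to show how many unrelated sites share one certificate. The function names are hypothetical, the sample is re-encoded from hostnames in the extract, and grouping on the last two labels is an assumed stand-in for the Public Suffix List.

```python
from collections import defaultdict

def der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(general_names):
    """List the dNSName ([2], tag byte 0x82) entries of a DER GeneralNames."""
    tag, body, _ = read_tlv(general_names, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x82:
            names.append(value.decode("ascii").lower())
    return names

def group_by_owner(names):
    """Group names by their last two labels (assumption: crude PSL stand-in)."""
    groups = defaultdict(list)
    for name in names:
        groups[".".join(name.split(".")[-2:])].append(name)
    return dict(groups)

# Hostnames copied from the extract above, re-encoded here as DER for the demo.
SAMPLE_HOSTS = ("edgecastcdn.net ne.edgecastcdn.net cdn.montimbrenligne.laposte.fr "
                "images.vrbo.com cdn.vrbo.com content.truste.com "
                "privacy-policy.truste.com www.mozilla.com www.dickiesgirl.com").split()
SAMPLE_SAN = der(0x30, b"".join(der(0x82, h.encode()) for h in SAMPLE_HOSTS))
```

Run over the nine sample names, group_by_owner(san_dns_names(SAMPLE_SAN)) yields six distinct owning domains on one certificate.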
---------------------------------------------------------------------
The Cryptography Mailing List