A mighty fortress is our PKI

David-Sarah Hopwood david-sarah at jacaranda.org
Thu Jul 22 21:07:15 EDT 2010 

Peter Gutmann wrote:
> Readers are cordially invited to go to https://edgecastcdn.net and have a look 
> at the subjectAltName extension in the certificate that it presents.  An 
> extract is shown at the end of this message, this is just one example of many 
> like it.  I'm not picking on Edgecast specifically, I just used this one 
> because it's the most Sybilly certificate I've ever seen.  You'll find that 
> this one Sybil certificate, among its hundred-and-seven hostnames, includes 
> everything from Mozilla, Experian, the French postal service, TRUSTe, and the 
> Information Systems Audit and Control Association (ISACA), through to 
> Chainlove, Bonktown, and Dickies Girl (which aren't nearly as titillating as 
> they sound, and QuiteSFW).  Still, who needs to compromise a CA when you have 
> these things floating around on multihomed hosts and CDNs.
[...]
> What a mess!  A single XSS/XSRF/XS* attack, or just a plain config problem,
> and the whole house of cards comes down.

Please don't mistake the following comment for a defence of any aspect of
current PKI practice, but:

I'm not seeing how an XSS or XSRF attack on one of the domains named in this
certificate would enable attacks on the other domains.

IIUC, if you resolve one of the domains that is a client of Edgecast, say
www.mozilla.com, then you may get an Edgecast proxy server that will serve
content over TLS on behalf of that domain.

Clearly if you compromise such a proxy, then you get the ability to spoof
any of the domains named in the certificate. But if you do some origin-based
web attack on a particular domain, then you can only spoof that domain.
And even if you have a full compromise of a server for one of the domains,
that doesn't get you the private key for the certificate, which is held only
by the proxies. Or am I missing something?

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20100723/6331a36e/attachment.pgp>

More information about the cryptography mailing list