A mighty fortress is our PKI, Part III

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Sep 15 11:39:47 EDT 2010

Some more amusing anecdotes from the world of PKI:

- A standard type of fraud that's been around for awhile is for scammers to
  set up an online presence for a legit offline business, which appears to
  check out when someone tries to verify it.  A more recent variation on this
  is to buy certs for legit businesses.  One of these certs was traced back by
  a security researcher who found that the scammers had obtained it through
  the incredibly devious trick of shopping round commercial CAs until they
  found one that was prepared to sell them a certificate.

- In a repeat of the original race to the bottom with non-EV certs, CA's have
  issued EV certs for RFC 1918 addresses (!!!).  What makes this particularly
  entertaining is that in combination with a router warkitting attack and
  Moxie Marlinspike's OCSP faking it allows an attacker to spoof any EV-cert

- The list of people who have bought certificates for Apple from commercial
  CAs keeps on growing (I guess Microsoft is just so five minutes ago :-).
  For example one SMTP admin needed a cert for his server and wondered what
  would happen if he asked for one for *.apple.com instead of his actual
  domain name.  $100 and a cursory check later he had a wildcard cert for
  Apple.  At least two more users have reported buying certificates for Apple,
  and there are probably even more lurking out there - if you too have a
  certificate from a certificate vending machine saying that you're Apple, do
  get in touch

- There's malware out there that pokes fake Verisign certificates into the
  Windows trusted cert store, allowing the malware authors to be their own

- CAs have issued certs to cybercrime web sites like
  https://www.pay-per-install.com (an affiliate program for malware
  installers), because hey, the Russian mafia's money is as good as anyone

- One of the most important things a CA needs to manage is certificate serial
  numbers, because the combination { CA name, cert serial number } is a unique
  identifier used in lots of security protocols to identify certs.  Without
  this uniqueness, you can't tell who signed something, you can't revoke a
  cert, you can't... well, you get the idea.  Not only have commercial CAs
  issued certs with duplicate serial numbers, they've issued *CA certs* with
  duplicate serial numbers.  Ouch!

  (When this was pointed out to the CA who did this - "oops, my bad, we'll get
  those re-issued for you" - someone else pointed out that their OCSP
  responder certs had expired, which none of the CA's clients appeared to have
  noticed until then.  "Yeah, we'll look into fixing those too.  Anything else
  while we're at it?").

If anyone has any further amusing PKI stories, please get in touch, I'd love
to add a Part IV to this series.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list