[Cryptography] Threatwatch: CIN - Corruptor-Injector Network

ianG iang at iang.org
Mon Aug 10 06:55:36 EDT 2015


On 10/08/2015 05:24 am, Bertrand Mollinier Toublet wrote:
> Mmh… they’re off to a bad start: "This certificate identifies itself (via CN field) as *.google.com despite being served during a putative session with google.fr (again, this kind of obvious certificate misconfiguration is all but impossible to imagine google doing in production systems):”
>
> The certificate served for https://www.google.fr/ *does* have a CN of *.google.com. It does also, correctly, have a SubjectAltName extension including, correctly, *.google.fr. So, no misconfiguration here, nor cause to call it as such. With the rest of the “there’s stuff going on, but we don’t want to talk about it here” general tone of the document, my bullshit detector is ringing loudly.
>
> And they continue "However, it's notable that the connection does not appear to represent an EV-class certificate. In other words, there's no 'green lock' as we see in any of google's other services.” Ah, nope, it’s not notable. Google does not use EV.
>
>
> Huh. Apparently (surprise!), I’m not the first one to _not_ be convinced by this: https://news.ycombinator.com/item?id=10030820. Happy reads!


Yep.  Plenty of skepticism there.

Let's step back from the situation and ask what's really happening here?
Let's say the guys are mostly pretty competent.  They've gone down the 
rabbit hole.  Come out hyperventilating.  Can't see what's what and 
what's not.

They could have just made a mistake and a better team would have figured 
it out.  But actually ... likely not.  If you take a random team across 
the world and try and figure it out, my guess is you would come up with 
the same situation:  "don't know."

Imagine a Security Certified Engineer's exam.

Or, contrast this to your vehicle, where you drop it into the mechanic 
for a checkup.  He's supposed to come back and say it's safe and 
operating fine.  The brakes work and will continue to work.  The engine 
won't blow up, the tires are safe.  All these things.

Even with the snafus of recent Jeep rides - that's still pretty much true.

Whereas here - if a customer had been mostly infected, we've got a 
situation where a mostly competent mechanic (an assumption, I grant) 
cannot figure out what's happening.  Can't even point at the correct path.

Now, granted, everyone knows their favourite lab that can handle this 
question, but at what cost?

And, here's the clanger - your car mechanic will issue a certificate 
that it's safe to drive (does so every year for registration) - but 
those labs aren't going to issue a certificate that the network is clean 
for any reasonable cost.

Google isn't going to declare formally that "everything is clear, it's 
good."  Note how they are fixing a few misconceptions about certs, but 
to go further than that is probably out of reach.  Google is not saying 
there is no injection.  There isn't a CA in sight that is going to put 
its nose above the parapet.



I think we've hit and passed the peak of complexity that is tractable 
for security.

We know that attacks and breaches have been rising rapidly in the last 5 
years or so;  complexity has been rising since the web was invented. 
Have we created a situation where only very large players can muster the 
ability to defend themselves, large attackers can do what they want, and 
the rest are sheep for slaughter?



iang
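The CN-versus-SubjectAltName point raised in the quoted reply is worth making concrete, since it is exactly the check a browser or TLS client performs. The following is an added example, not code from the thread or from Google: a hostname matcher that takes a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns, treats dNSName entries in subjectAltName as authoritative, and falls back to commonName only when the certificate has no dNSName SAN at all (the RFC 6125 fallback; modern browsers do not even do that). The two certificate dicts are constructed stand-ins, not real certificates; the hostnames in the SAN list are chosen to mirror the www.google.fr case described above.

```python
# Added example (not part of the original thread): hostname matching against a
# certificate's subjectAltName, as a TLS client does it. The certificate dicts
# below are constructed by hand in the shape that Python's
# ssl.SSLSocket.getpeercert() returns; they are not real Google certificates.

# Constructed stand-in for the certificate the post describes: CN is *.google.com,
# but the subjectAltName extension also lists *.google.fr and google.fr.
GOOGLE_FR_LIKE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (
        ("DNS", "*.google.com"),
        ("DNS", "*.google.fr"),
        ("DNS", "google.fr"),
    ),
}

# Constructed legacy-style certificate with a CN only and no SAN extension.
CN_ONLY_CERT = {
    "subject": ((("commonName", "example.org"),),),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern against a hostname, RFC 6125 style.

    Only a whole leftmost label may be a wildcard, and it matches exactly one
    label, so '*.google.fr' matches 'www.google.fr' but not 'google.fr' or
    'a.b.google.fr'. Comparison is case-insensitive; a trailing dot is ignored.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse a bare '*' or '*.tld' wildcard: require at least two fixed
        # labels after the wildcard so '*.fr' cannot cover every .fr domain.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True if the certificate covers hostname.

    dNSName entries in subjectAltName are authoritative. commonName is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_label_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _label_matches(value, hostname):
                return True
    return False


def explain(hostname: str, cert: dict) -> str:
    """One-line verdict showing that the CN alone does not decide the match."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    return f"{hostname}: CN={cn!r}, match={hostname_matches_cert(hostname, cert)}"


if __name__ == "__main__":
    for host in ("www.google.fr", "google.fr", "www.google.com",
                 "a.b.google.fr", "www.google.de"):
        print(explain(host, GOOGLE_FR_LIKE_CERT))
    print(explain("example.org", CN_ONLY_CERT))
```

Run as-is, the demo reports www.google.fr as a match even though the CN reads *.google.com, because the SAN carries *.google.fr; that is why the mismatch flagged in the report is not a misconfiguration. The a.b.google.fr line shows the one-label wildcard rule, and www.google.de shows a genuine mismatch.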



More information about the cryptography mailing list