[Cryptography] Threatwatch: CIN - Corruptor-Injector Network
ianG
iang at iang.org
Mon Aug 10 06:55:36 EDT 2015
On 10/08/2015 05:24 am, Bertrand Mollinier Toublet wrote:
> Mmh… they’re off to a bad start: “This certificate identifies itself (via CN field) as *.google.com despite being served during a putative session with google.fr (again, this kind of obvious certificate misconfiguration is all but impossible to imagine google doing in production systems):”
>
> The certificate served for https://www.google.fr/ *does* have a CN of *.google.com. It does also, correctly, have a SubjectAltName extension including, correctly, *.google.fr. So, no misconfiguration here, nor cause to call it as such. With the rest of the “there’s stuff going on, but we don’t want to talk about it here” general tone of the document, my bullshit detector is ringing loudly.
>
> And they continue “However, it's notable that the connection does not appear to represent an EV-class certificate. In other words, there's no 'green lock' as we see in any of google's other services.” Ah, nope, it’s not notable. Google does not use EV.
>
>
> Huh. Apparently (surprise!), I’m not the first one to _not_ be convinced by this: https://news.ycombinator.com/item?id=10030820. Happy reads!
Yep. Plenty of skepticism there.
Let's step back from the situation and ask what's really happening here.
Let's say the guys are mostly pretty competent. They've gone down the
rabbit hole. Come out hyperventilating. Can't see what's what and
what's not.
They could have just made a mistake and a better team would have figured
it out. But actually ... likely not. If you take a random team across
the world and try and figure it out, my guess is you would come up with
the same situation: "don't know."
Imagine a Security Certified Engineer's exam.
Or, contrast this to your vehicle, where you drop it into the mechanic
for a checkup. He's supposed to come back and say it's safe and
operating fine. The brakes work and will continue to work. The engine
won't blow up, the tires are safe. All these things.
Even with the snafus of recent Jeep rides - that's still pretty much true.
Whereas here - if a customer had been mostly infected, we've got a
situation where a mostly competent mechanic (an assumption, I grant)
cannot figure out what's happening. Can't even point at the correct path.
Now, granted, everyone knows their favourite lab that can handle this
question, but at what cost?
And, here's the clanger - your car mechanic will issue a certificate
that it's safe to drive (does so every year for registration) - but
those labs aren't going to issue a certificate that the network is clean
for any reasonable cost.
Google isn't going to declare formally that "everything is clear, it's
good." Note how they are fixing a few misconceptions about certs, but
to go further than that is probably out of reach. Google is not saying
there is no injection. There isn't a CA in sight that is going to put
its nose above the parapet.
I think we've hit and passed the peak of complexity that is tractable
for security.
We know that attacks and breaches have been rising rapidly in the last 5
years or so; complexity has been rising since the web was invented.
Have we created a situation where only very large players can muster the
ability to defend themselves, large attackers can do what they want, and
the rest are sheep for slaughter?
iang
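The CN-versus-SubjectAltName point Bertrand makes above is worth seeing in code. What follows is an added example, written for this archive page and not taken from the thread or from either correspondent: an RFC 6125-style hostname check that treats the SAN dNSName list as authoritative and falls back to the subject CN only when no SAN is present. The certificate record is a constructed stand-in whose name list is illustrative, not the real certificate Google served in 2015; only the layout described in the thread (CN=*.google.com, a SAN covering *.google.fr) is taken from the discussion.

```python
"""RFC 6125-style hostname verification, as an added example for the CN/SAN
point raised in the thread. Not code from the thread or from Google."""

from typing import Dict, List, Tuple

# Constructed stand-in for the parsed subject CN and SAN dNSName entries of the
# certificate discussed above. The exact name list is illustrative, not real.
GOOGLE_FR_CERT: Dict[str, object] = {
    "subject_cn": "*.google.com",
    "san_dns": ["*.google.com", "*.google.fr", "google.com", "google.fr"],
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only when it is the entire left-most label, it stands for exactly
    one label (so *.google.fr matches www.google.fr but neither google.fr nor
    a.b.google.fr), and it must be followed by at least two labels so that a
    pattern such as *.fr is refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards (w*.example) or wildcards in later labels
    if len(p_labels) < 3:
        return False  # *.fr would cover every second-level domain under .fr
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # the wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: Dict[str, object], hostname: str) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname`; return (ok, reason).

    Per RFC 6125 section 6.4.4, when the certificate carries dNSName SAN
    entries they are authoritative and the subject CN is not consulted at all.
    The CN is a legacy fallback used only for certificates with no dNSName SAN.
    """
    sans: List[str] = list(cert.get("san_dns") or [])  # type: ignore[arg-type]
    if sans:
        for name in sans:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "no SAN dNSName matched (CN is ignored when SANs are present)"
    cn = cert.get("subject_cn")
    if isinstance(cn, str) and dns_name_matches(cn, hostname):
        return True, f"matched legacy subject CN {cn!r} (certificate has no SAN)"
    return False, "no matching name"


def cn_only_check(cert: Dict[str, object], hostname: str) -> bool:
    """The check the report implicitly applied: compare the hostname against the
    subject CN alone. This is what makes *.google.com look wrong for a
    google.fr session even though the SAN covers it."""
    cn = cert.get("subject_cn")
    return isinstance(cn, str) and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    for host in ("www.google.fr", "www.google.com", "google.fr", "a.b.google.fr"):
        ok, why = verify_hostname(GOOGLE_FR_CERT, host)
        print(f"{host:16} SAN-aware: {ok!s:5} ({why}); "
              f"CN-only: {cn_only_check(GOOGLE_FR_CERT, host)}")
```

Running it shows www.google.fr accepted through the *.google.fr SAN while the CN-only check rejects it, which is the gap between the report's reasoning and what a conforming client actually does. The bare google.fr is accepted only because it appears as its own SAN entry; the wildcard alone would not cover it.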