[Cryptography] Blue Coat has been issued a MITM encryption certificate
Phillip Hallam-Baker
phill at hallambaker.com
Tue May 31 13:25:08 EDT 2016
On Tue, May 31, 2016 at 12:54 PM, Erwann ABALEA <erwann at abalea.com> wrote:
> Bonjour,
>
> 2016-05-31 16:34 GMT+02:00 Phillip Hallam-Baker <phill at hallambaker.com>:
>
>>
>>
>> On Sun, May 29, 2016 at 8:55 AM, Stephen Farrell <
>> stephen.farrell at cs.tcd.ie> wrote:
>>
>>>
>>>
>>> On 29/05/16 02:35, Henry Baker wrote:
>>> > FYI --
>>> >
>>> > http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
>>> >
>>> > A Controversial Surveillance Firm Was Granted a Powerful Encryption
>>> Certificate
>>> > Written by Joseph Cox, Contributor
>>>
>>> Yeah, two things strike me:
>>>
>>> 1 - yay for certificate transparency - CAs behaving oddly being spotted
>>> and outed is good
>>>
>>> 2 - what kind of "testing" would require symantec to issue a CA
>>> cert with path-len 0 and for symanetec to hold the private key? I
>>> can't figure anything that makes sense unless symantec were thinking
>>> of actively helping blue coat spoof web sites better, maybe at
>>> run-time, or on a case-by-case basis - or am I missing something?
>>>
>>> Cheers,
>>> S.
>>
>>
>> For the benefit of us who can't remember, what is the effect of path-len
>> 0?
>>
>
> A CA certificate containing a BasicConstraints with pathLenConstraint=0
> means that this CA certificate can only be used to verify an end-entity
> certificate, or a CA certificate that doesn't issue any certificate, but
> not a CA certificate that itself would issue another certificate (either CA
> or end-entity).
>
> To simplify:
> CA(BC:pathLenConstraint=0) -> end-entity : OK
> CA(BC:pathLenConstraint=0) -> CA(anything) : OK
> CA(BC:pathLenConstraint=0) -> CA(anything) -> any certificate : NOT OK
>
One of the things I learned from experimental physics was that you should
always ask the question even if you think you know the answer.
I deliberately asked what the *effect* was, not what the specification
says. The questions are not the same.
What I had forgotten is:
CA(BC:pathLenConstraint=0) -> CA(anything) : OK
Which is kinda screwed up. I am still not seeing how to turn this into an
exploit if Symantec hold the private key.
> As in, what is the effect on systems out there in the wild as opposed to
>> what does the spec say. Is there a difference and if so for what systems?
>>
>> Does 0 = infinity? Probably not in the spec but what about elsewhere?
>>
>
> 0 is not infinity. Infinity is expressed as the absence of the
> pathLenConstraint field.
>
OK so that possibility out.
> Some not so old versions of GnuTLS didn't correctly verify the
> pathLenConstraint, at least. I think it was corrected in 2014.
> OpenSSL, NSS, MSCAPI, and Opera are OK. Don't know about PolarSSL/mbedTLS
> or other smaller TLS stacks.
>
Does any browser use GnuTLS though? I don't think we need to panic if the
code is being used for STARTTLS in SMTP or the like as those aren't
typically tied to a root of trust in any case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160531/dea5b245/attachment.html>
More information about the cryptography
mailing list