[Cryptography] Blue Coat has been issued a MITM encryption certificate

Erwann Abalea eabalea at gmail.com
Tue May 31 14:47:11 EDT 2016


Bonsoir,

2016-05-31 19:25 GMT+02:00 Phillip Hallam-Baker <phill at hallambaker.com>:

>
>
> On Tue, May 31, 2016 at 12:54 PM, Erwann ABALEA <erwann at abalea.com> wrote:
>
>> Bonjour,
>>
>> 2016-05-31 16:34 GMT+02:00 Phillip Hallam-Baker <phill at hallambaker.com>:
>>
>>>
>>>
>>> On Sun, May 29, 2016 at 8:55 AM, Stephen Farrell <
>>> stephen.farrell at cs.tcd.ie> wrote:
>>>
>>>>
>>>>
>>>> On 29/05/16 02:35, Henry Baker wrote:
>>>> > FYI --
>>>> >
>>>> > http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
>>>> >
>>>> > A Controversial Surveillance Firm Was Granted a Powerful Encryption
>>>> Certificate
>>>> > Written by Joseph Cox, Contributor
>>>>
>>>> Yeah, two things strike me:
>>>>
>>>> 1 - yay for certificate transparency - CAs behaving oddly being spotted
>>>>     and outed is good
>>>>
>>>> 2 - what kind of "testing" would require symantec to issue a CA
>>>>     cert with path-len 0 and for symantec to hold the private key? I
>>>>     can't figure anything that makes sense unless symantec were thinking
>>>>     of actively helping blue coat spoof web sites better, maybe at
>>>>     run-time, or on a case-by-case basis - or am I missing something?
>>>>
>>>> Cheers,
>>>> S.
>>>
>>>
>>> For the benefit of us who can't remember, what is the effect of path-len
>>> 0?
>>>
>>
>> A CA certificate containing a BasicConstraints with pathLenConstraint=0
>> means that this CA certificate can only be used to verify an end-entity
>> certificate, or a CA certificate that doesn't issue any certificate, but
>> not a CA certificate that itself would issue another certificate (either CA
>> or end-entity).
>>
>> To simplify:
>>  CA(BC:pathLenConstraint=0) -> end-entity : OK
>>  CA(BC:pathLenConstraint=0) -> CA(anything) : OK
>>  CA(BC:pathLenConstraint=0) -> CA(anything) -> any certificate : NOT OK
>>
>
> One of the things I learned from experimental physics was that you should
> always ask the question even if you think you know the answer.
>
> I deliberately asked what the *effect* was, not what the specification
> says. The questions are not the same.
>
> What I had forgotten is:
>
>     CA(BC:pathLenConstraint=0) -> CA(anything) : OK
>
> Which is kinda screwed up. I am still not seeing how to turn this into an
> exploit if Symantec hold the private key.
>

The normative path validation algorithm takes as input a prospective
certification path, and this certification path can end with a CA
certificate. Which can be seen as useless, but may raise some specific
implementation quirks. This CA certificate could be an X.509v1 cert,
raising other potential quirks.

Another behavior dictated by the norm is this:
 CA(BC:pathLenConstraint=0) -> self-issued CA(anything) -> end-entity : OK
That is, they could issue another CA certificate named the same (C=US,
O/OU..., CN=Blue Coat Public Services Intermediate CA) for which they have
the private key, and then issue end-entity certificates. It works because
the pathLength is decremented for each non self-issued CA certificate. I
haven't tested implementations on this point.

>>> As in, what is the effect on systems out there in the wild as opposed to
>>> what does the spec say. Is there a difference and if so for what systems?
>>>
>>> Does 0 = infinity? Probably not in the spec but what about elsewhere?
>>>
>>
>> 0 is not infinity. Infinity is expressed as the absence of the
>> pathLenConstraint field.
>>
>
> OK so that possibility is out.
>
>
>
>> Some not so old versions of GnuTLS didn't correctly verify the
>> pathLenConstraint, at least. I think it was corrected in 2014.
>> OpenSSL, NSS, MSCAPI, and Opera are OK. Don't know about PolarSSL/mbedTLS
>> or other smaller TLS stacks.
>>
>
> Does any browser use GnuTLS though? I don't think we need to panic if the
> code is being used for STARTTLS in SMTP or the like as those aren't
> typically tied to a root of trust in any case.
>

Browser, maybe none. But some Linux distributions compile and link some
software with GnuTLS (I've seen some OpenLDAP in Debian/Ubuntu, for
example). Some cli tools such as curl/wget, or proxies can be compiled with
GnuTLS.
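The pathLenConstraint bookkeeping described in the reply above, as an added example that is not part of the original thread: a small Python model of RFC 5280 section 6.1.4 steps (k) to (m), run over constructed chains written in the thread's own notation (the `Cert` class, `validate_path` and the DNs are all constructed for illustration, not real certificates).

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the fields path validation looks at (not a real cert)."""
    subject: str
    issuer: str
    ca: bool                         # basicConstraints.cA
    path_len: Optional[int] = None   # pathLenConstraint; None means absent (unbounded)

    @property
    def self_issued(self) -> bool:
        # RFC 5280 s6.1: self-issued when issuer and subject DNs are identical and non-empty
        return bool(self.subject) and self.subject == self.issuer

def validate_path(trust_anchor: Cert, path: Sequence[Cert]) -> Optional[str]:
    """Return None if `path` passes the RFC 5280 s6.1.4 (k)/(l)/(m) checks, else the reason.
    `path` is cert_1..cert_n: cert_1 issued by the trust anchor, cert_n the target (EE or CA).
    Signatures, validity, name constraints and policies are deliberately not modelled."""
    max_path_length = len(path)          # s6.1.2: initialised to n
    prev = trust_anchor
    for i, cert in enumerate(path, start=1):
        if cert.issuer != prev.subject:
            return f"cert {i}: issuer does not match the previous subject"
        if i < len(path):                # s6.1.4: prepare for certificate i+1
            if not cert.ca:              # step (k)
                return f"cert {i}: not a CA certificate"
            if not cert.self_issued:     # step (l): self-issued certs are not counted
                if max_path_length <= 0:
                    return f"cert {i}: pathLenConstraint exceeded"
                max_path_length -= 1
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len   # step (m)
        prev = cert
    return None

# Constructed chain pieces mirroring the thread's notation (no real certificates involved).
ROOT = Cert("CN=Root", "CN=Root", ca=True)
PL0 = Cert("CN=Intermediate", "CN=Root", ca=True, path_len=0)     # CA(BC:pathLenConstraint=0)
SUB = Cert("CN=Sub CA", "CN=Intermediate", ca=True)               # CA(anything)
SELF = Cert("CN=Intermediate", "CN=Intermediate", ca=True)        # self-issued: same DN, new key
EE = Cert("CN=www.example.com", "CN=Intermediate", ca=False)
EE_SUB = Cert("CN=www.example.com", "CN=Sub CA", ca=False)

if __name__ == "__main__":
    for chain in ([PL0, EE], [PL0, SUB], [PL0, SUB, EE_SUB], [PL0, SELF, EE]):
        print(" -> ".join(c.subject for c in chain), ":", validate_path(ROOT, chain) or "OK")
```

A validator that also decrements the counter for self-issued certificates (stricter than the RFC text) would reject the last chain, which is exactly the implementation difference the reply says it has not tested.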