I remember meeting U here in the good ol' days
I would never pick the flower of my favourite protegé
Maybe if I would have
Then U would not treat me this way
U tricked me - but U will not anymore
No, no
I love you, but I don't trust U anymore
It doesn't happen very often that I can quote an appropriate Prince lyric when blogging about Information Security :-)
For the third time this year this year the internet has been broken, this time it's the fact that some Certificate Authorities failed to phase out MD5 signatures from their PKI back when MD5 collisions were proven (2004). Kudos to Mr. Appelbaum and Mr. Sotirov.
You can read all the juicy details here : http://www.phreedom.org/research/rogue-ca/
Great work.
Now where are we ? What can we do ?
Let's list the CA's that are identified as issuing MD5-based certs in 2008 and by default trusted in our browsers :
RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
Verisign.co.jp
These CA's have promised to move to SHA1 as soon as possible, In the mean while it might
be better not to trust them. That means removing them from the certificate store in your favorite
browser. I did just that on my machines.
In a business environment it's a little bit more complex. Take your time to assess your risk, the game stores in China and Russia probably don't have sufficient stocks of PS3's, so we can assume it will take a while for the first real attack to take place ;-)
An interesting feature in an Active Directory environment might be to control CA certs through Group Policy. You can export root certificates from a trusted machine, or you can download them from the different CA vendors (more cumbersome, yet more secure). The following policy allows you to push out your set of trusted CA's to your install base.
Open Group Policy Management Console
Open a Policy of choice or create a new one
Goto the following policy setting :
Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
And configure as needed.
Ah, but by default, Windows will update the list of trusted CA's itself ... damn that :( Luckily Microsoft has thought about that :-) They're not all bad, you know. This article shows how
to disable this function. The same article lays out how to disable this update feature on stand alone computers. You see, if you want to, you can be in control.
Please note that Firefox keeps it's own certificate store, seperate from Windows/IE. I'm not aware of a possibility to centrally control root certificates in FF. If I stumble upon something I'll post it here in an update.
Now I'm off to go break the internet using a bench of 500 Wii consoles all controled with a Wii Fit board and my Guitar hero guitar. because after all, that is how we roll.
As some wise man said : trust, but verify.
I would never pick the flower of my favourite protegé
Maybe if I would have
Then U would not treat me this way
U tricked me - but U will not anymore
No, no
I love you, but I don't trust U anymore
It doesn't happen very often that I can quote an appropriate Prince lyric when blogging about Information Security :-)
For the third time this year this year the internet has been broken, this time it's the fact that some Certificate Authorities failed to phase out MD5 signatures from their PKI back when MD5 collisions were proven (2004). Kudos to Mr. Appelbaum and Mr. Sotirov.
You can read all the juicy details here : http://www.phreedom.org/research/rogue-ca/
Great work.
Now where are we ? What can we do ?
Let's list the CA's that are identified as issuing MD5-based certs in 2008 and by default trusted in our browsers :
RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
Verisign.co.jp
These CA's have promised to move to SHA1 as soon as possible, In the mean while it might
be better not to trust them. That means removing them from the certificate store in your favorite
browser. I did just that on my machines.
In a business environment it's a little bit more complex. Take your time to assess your risk, the game stores in China and Russia probably don't have sufficient stocks of PS3's, so we can assume it will take a while for the first real attack to take place ;-)
An interesting feature in an Active Directory environment might be to control CA certs through Group Policy. You can export root certificates from a trusted machine, or you can download them from the different CA vendors (more cumbersome, yet more secure). The following policy allows you to push out your set of trusted CA's to your install base.
Open Group Policy Management Console
Open a Policy of choice or create a new one
Goto the following policy setting :
Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
And configure as needed.
Ah, but by default, Windows will update the list of trusted CA's itself ... damn that :( Luckily Microsoft has thought about that :-) They're not all bad, you know. This article shows how
to disable this function. The same article lays out how to disable this update feature on stand alone computers. You see, if you want to, you can be in control.
Please note that Firefox keeps it's own certificate store, seperate from Windows/IE. I'm not aware of a possibility to centrally control root certificates in FF. If I stumble upon something I'll post it here in an update.
Now I'm off to go break the internet using a bench of 500 Wii consoles all controled with a Wii Fit board and my Guitar hero guitar. because after all, that is how we roll.
As some wise man said : trust, but verify.
No comments:
Post a Comment