[blfs-support] CA certificates

Paul Rogers paulgrogers at fastmail.fm
Sun Mar 22 16:26:01 PDT 2015

I'm not knowledgeable enough to engineer a phony-certificate attack; just
enough to worry about it.  I imagine a user accepting a fraudulent
certificate could lead to malware being accepted.  Once the user's
account is compromised, I've got a much bigger problem than I want to
handle.  I don't think I'd rather make it any easier for a user to play
with certificates.  I'm not aware of a real good reason to do that.  I'm
asking if anyone legitimately has had to, given what BLFS installs.

For example, reading about the CA attacks of 2011, I run into this sort
of thing, and there's lots more:

"These attacks began with a SQL injection attack against Comodo’s
GlobalTrust and InstantSSL databases resulting in the issuance of rogue
certificates for addons.mozilla.org, login.skype.com, login.live.com,
mail.google.com, google.com, and login.yahoo.com.  This was followed by
an attack on DigiNotar where over 500 rogue certificates were issued
including some wildcard certificates such as *.google.com which allowed
the certificate to be used for any google.com site. ...

Rogue certificates allow attackers to create illegitimate sites that are
indistinguishable from real sites like eBay, Google or PNC because their
certificate hierarchy can be validated.  Users then will be redirected
to such sites through phishing or 'man in the middle' attacks where a
compromised host in-between the user and a legitimate site sends traffic
to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem
legitimate.  For example, fake AV, some Zeus variants, Conficker and
more recently, Stuxnet and Duqu have used rogue certificates."

"NIST's new 'Preparing for and Responding to Certification Authority
Compromise and Fraudulent Certificate Issuance' guidelines bulletin,
which was co-authored by Venafi, is a direct response to concerns about
how a CA breach could affect agencies and businesses.

NIST's guidance bulletin highlights some very specific tasks that
IT managers should perform to reduce compromises and how to prepare
for a breach, which may be an inevitability, especially in light of
past attacks.

One of the first recommendations from NIST is to make sure that IT
managers fully inventory and track all of the certificates in use,
including what authority provided the certificates, what systems use
certificates and the issuance and expiration dates of those digital

For many businesses, that simple advice could prevent a tsunami of
certificate related failures. Today, most businesses have very poor
inventory control over certificates, ..."
Paul Rogers
paulgrogers at fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

