Dear Ahmed,
It's not only a domain control problem, it's Man in the Middle (MITM). The main problem with the root certificate is that the user has to put his trust in someone else, or even his sub-provider, under a certificate chain. If one of them is compromised, your security is compromised.
To make things worse, for the same domain a certificate can be issued from two or more issuing authorities, which is a valid certificate under the chain system provided the root is valid. See this (http://goo.gl/Vs3WO). If we take the case of the *.google.com fake certificate (http://goo.gl/LYwE1), Google never uses DigiNotar as their CA; Google's CA is someone else. But even then, the certificate issued from DigiNotar was a valid certificate for google.com.
The most dangerous one is if a hacker is able to get a certificate for update.microsoft.com (which they did actually), they might have pushed a sophisticated backdoor as a Windows update.
There is already an alternative available, DNS Certificates; no one is moving in this direction yet because of the early exploration cost, but even this system alone is not sufficient. For example, you have control over the .PK domain, which means you will manage the DNS certificate as well. At a govt. level you can still stand between the user and the service provider.
DNS certificates and convergence.io together can give you a little better security, but the current Root Certificate System will not go overnight.
Regards,
ISHTIAQ AHMAD
On Thu, Sep 8, 2011 at 3:05 PM, qureshi ahmed <saffafali@gmail.com> wrote:
Hi! I am analysing a security breach and trying to figure out the severe flaw. Below is the link where you can find the incident report (it is not very detailed). Section 4.4 describes the network infrastructure and some design flaws. From my understanding, the severe security flaw could be the poor authentication mechanism with a weak password (which actually allows the hacker to gain full control of the domain), besides other design flaws. I will really appreciate your inputs in order to understand and conclude my analysis.
Best Regards
Syed Affaf Ahmed Qureshi
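
An added example, not part of the original thread: the reply's point that two different authorities can each issue a chain-valid certificate for one domain, reproduced offline with the openssl CLI. The CA names, the domain www.example.test and the helper function names are constructed for the demonstration, and the public-key pin is an illustrative check chosen here, not a mechanism proposed in the thread.

```shell
#!/bin/sh
# Constructed demo: every key, CA name and domain below is made up and
# generated locally in a temporary directory.
demo_dir=$(mktemp -d)

make_ca() {       # $1 = CA label; creates a self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

issue_leaf() {    # $1 = CA label, $2 = domain; CA signs a leaf for the domain
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$demo_dir/$1-leaf.key" -out "$demo_dir/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/$1-leaf.csr" -days 1 \
    -CA "$demo_dir/$1.pem" -CAkey "$demo_dir/$1.key" -CAcreateserial \
    -out "$demo_dir/$1-leaf.pem" 2>/dev/null
}

chain_valid() {   # $1 = trusted roots bundle, $2 = leaf certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

spki_pin() {      # $1 = certificate; prints SHA-256 of its public key
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

pin_matches() {   # $1 = expected pin, $2 = presented certificate
  [ "$(spki_pin "$2")" = "$1" ]
}

make_ca ExpectedCA
make_ca OtherCA
issue_leaf ExpectedCA www.example.test
issue_leaf OtherCA www.example.test
# The client trusts both roots, as a browser trusts many CAs at once.
cat "$demo_dir/ExpectedCA.pem" "$demo_dir/OtherCA.pem" > "$demo_dir/roots.pem"
# Pin recorded out of band from the certificate the site really uses.
known_pin=$(spki_pin "$demo_dir/ExpectedCA-leaf.pem")

for ca in ExpectedCA OtherCA; do
  leaf="$demo_dir/$ca-leaf.pem"
  chain_valid "$demo_dir/roots.pem" "$leaf" && chain=ok || chain=FAIL
  pin_matches "$known_pin" "$leaf" && pin=ok || pin=MISMATCH
  echo "issuer=$ca chain=$chain pin=$pin"
done
```

Both leaves pass chain validation against the shared root bundle; only the one whose key was recorded in advance passes the pin check.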