Monday, 12 September 2011

RE: [pakgrid] Security Breach Analysis - Your Input Required

 

Just asking a layman's question. We hear about the man-in-the-middle problem in computer networks. In Telco, when we dial a number of a person, we always get the number of that person, with no possibility of anyone faking to be that person's number. Can computer networks learn this from Telco, so that when I enter the web address I always get the page from the right site? Can this problem be solved if every machine in the world has a unique IP, just like there are unique mobile numbers?



To: pakgrid@yahoogroups.com
From: ishtiaq.ahmad@gmail.com
Date: Fri, 9 Sep 2011 12:20:13 +0200
Subject: Re: [pakgrid] Security Breach Analysis - Your Input Required

 

Dear Ahmed,
It's not only a domain control problem, it's Man in the Middle (MITM). The main problem with Root certificates is that the user has to put his trust in someone else, or even his sub-provider under a certificate chain. If one of them is compromised, your security is compromised.
To make things worse, for the same domain a certificate can be issued from two or more issuing authorities, which is a valid certificate under the chain system provided the Root is valid. See this (http://goo.gl/Vs3WO). If we take the case of the *.google.com fake certificate (http://goo.gl/LYwE1), Google never uses DigiNotar as their CA; Google's CA is someone else. But even then the certificate issued from DigiNotar was a valid certificate for google.com.

The most dangerous one is if a hacker is able to get a certificate of update.microsoft.com (which they did actually); they might have pushed a sophisticated backdoor as a Windows update.

There is already an alternative available, DNS Certificates; no one is moving in this direction yet because of early exploration cost, but still even this system alone is not sufficient. For example, you have control over the .PK domain, which means you will manage the DNS certificate as well. At a Govt. level you can still stand between user and service provider.
DNS certificates and convergence.io together can give you a little better security, but the current Root Certificate System will not go overnight.

Regards,
ISHTIAQ AHMAD



On Thu, Sep 8, 2011 at 3:05 PM, qureshi ahmed <saffafali@gmail.com> wrote:
 

Hi!
 
I am analysing a security breach, and trying to figure out the severe flaw. Below is the link where you can find the incident report (it is not very detailed). Section 4.4 describes the network infrastructure and some design flaws.
 
 
From my understanding, the severe security flaw could be the poor authentication mechanism with a weak password (which actually allows the hacker to gain full control of the domain), besides other design flaws. I will really appreciate your inputs in order to understand and conclude my analysis.
 
Best Regards
Syed Affaf Ahmed Qureshi
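
The point made in the reply above, that a certificate from any trusted root validates for any domain, modelled as an added example that is not part of the original thread. The CA names, keys, host and the `PUBLISHED` record are constructed; HMAC stands in for real signatures, and the owner-published issuer list is an assumption in the spirit of the DNS certificate idea the reply mentions, taken here to reach the client authentically.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model: an HMAC under the issuer's key stands in for a real CA signature,
# so this "trust store" holds keys a real client would only know as public keys.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig: bytes

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def issue(ca_name: str, ca_key: bytes, subject: str) -> Cert:
    return Cert(subject, ca_name, hmac.new(ca_key, subject.encode(), hashlib.sha256).digest())

def chain_valid(cert: Cert, host: str, trust_store: dict) -> bool:
    """Root-CA model: any issuer in the trust store may vouch for any host."""
    key = trust_store.get(cert.issuer)
    if key is None or cert.subject != host:
        return False
    expected = hmac.new(key, host.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)

def owner_check(cert: Cert, host: str, trust_store: dict, published: dict) -> bool:
    """Chain check plus: the issuer must be one the domain owner has published."""
    if not chain_valid(cert, host, trust_store):
        return False
    return fingerprint(trust_store[cert.issuer]) in published.get(host, set())

# Constructed sample data (hypothetical CA names, keys and host).
TRUST_STORE = {"CA-A": b"key-of-ca-a", "CA-B": b"key-of-ca-b"}
HOST = "www.example.test"
PUBLISHED = {HOST: {fingerprint(TRUST_STORE["CA-A"])}}  # the owner only uses CA-A

def demo() -> dict:
    real = issue("CA-A", TRUST_STORE["CA-A"], HOST)
    rogue = issue("CA-B", TRUST_STORE["CA-B"], HOST)   # issued by a breached CA
    unknown = issue("CA-X", b"not-in-store", HOST)     # issuer not trusted at all
    return {name: (chain_valid(c, HOST, TRUST_STORE),
                   owner_check(c, HOST, TRUST_STORE, PUBLISHED))
            for name, c in (("real", real), ("rogue", rogue), ("unknown", unknown))}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `rogue` row is the case described in the reply: the plain chain check accepts it because CA-B is a trusted root, and only the owner-published issuer list rejects it.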



