cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Florian Lagg <info AT lagg.at>
- To: cacert-devel AT lists.cacert.org
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Ian G <iang AT iang.org>
- Subject: Re: new SSL Attacks
- Date: Fri, 31 Jul 2009 14:36:52 +0100 (GMT+01:00)
Thanks Ian for your research.
I tested something:
* I tried to create a subdomain nulltest\0.lagg.at in my bind dns server.
This was not possible "Failed to create master zone : 'nulldomain\0.lagg.at.'
is not a valid domain name"
So I continued without this domain.
* I tried to add nulltest\0.lagg.at in CAcert, I got to a screen asking me
for a mail address to check my rights on the domain:
The available addresses are:
root@nulltest\\\\0.lagg.at
hostmaster@nulltest\\\\0.lagg.at
postmaster@nulltest\\\\0.lagg.at
admin@nulltest\\\\0.lagg.at
webmaster@nulltest\\\\0.lagg.at
after choosing one I got: "Die Adresse die sie angegeben haben hat keine
Befugnis für diese Domain." (the address has no rights for this domain)
* So I got to Server Certificates:
I created a private key on the server:
$ openssl genrsa -out nulltest.key 1024
...
and a csr:
$ openssl req -new -key nulltest.key -out nulltest.csr
...
Common Name (eg, YOUR name) []:nulltest\n.lagg.at
...
------
I browsed the CAcert site to get my server certificate, uploaded the CSR and
GOT MY CERTIFICATE.
So - if I have done anything right - we should fix it in our source.
I see no reason to accept \0 (null-character) inside a domain name. We should
check our code if we do so (and edit it to forbid \0 in domain names in
future).
I also found this:
"With regard to the larger problem involving the null character, Marlinspike
said since there is no legitimate reason for a null character to be in a
domain name, it’s a mystery why Certificate Authorities accept them in a
name."
Source: http://www.wired.com/threatlevel/2009/07/kaminsky/
Which just says the same as I do above (no reason for \0 in a domain name).
After that we could check if we have any subdomains registered in our system
with a \0 char in them and revoke them in an arbitration. If there are any,
these could be bad guys.
Hope I could help with these tests. I deleted my issued certificate in the
web gui.
regards,
--
Florian Lagg
Florian Lagg - IT-Komplettlösungen
Juch 7, 6631 Lermoos
tel +43 (676) 344 677 5
http:/www.lagg.at/
info AT lagg.at
Xing: http://www.xing.com/go/invite/7372113.3da562
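The check the mail asks for, as an added Python example that is not CAcert's code: reject any name that is not a plain LDH hostname (a NUL, newline or backslash in a CN can never be legitimate) before issuing, and audit already-registered names for the same defect. It assumes the CN has already been extracted from the CSR into a Python string; the sample names below are constructed.

```python
import re

# One RFC 1123 host label: letters, digits and hyphen, 1..63 characters,
# and no hyphen at either end.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(name):
    """Return (ok, reason) for a name taken from a CSR subject or SAN.

    Anything outside the LDH alphabet is refused, so a NUL or a newline
    never reaches the issuing path.  The NUL case matters most: a client
    that handles the CN as a C string stops reading at the first \\0 and
    would see a different name than the one the CA validated.
    """
    if not isinstance(name, str) or not name:
        return False, "empty name"
    # Control characters (NUL, newline, ...) are checked first and by
    # themselves so the audit report names the real problem.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, "control character in name"
    if len(name) > 253:
        return False, "name too long"
    # A single trailing dot (absolute name) is tolerated, nothing else.
    labels = (name[:-1] if name.endswith(".") else name).split(".")
    if len(labels) < 2:
        return False, "not a fully qualified name"
    for label in labels:
        if not LABEL_RE.match(label):
            return False, "bad label %r" % label
    return True, "ok"


def cn_matches_approved(cn, approved_domain):
    """The CN the CSR carries must be byte-for-byte the domain whose
    ownership check succeeded; a valid-looking prefix is not enough."""
    ok, _ = validate_hostname(cn)
    return ok and cn.lower() == approved_domain.lower()


def find_suspect_names(registered):
    """Audit step from the mail: list registered names that would not
    pass validation today, so they can be reviewed and revoked."""
    return [n for n in registered if not validate_hostname(n)[0]]


if __name__ == "__main__":
    # Constructed sample: one clean name, the mail's null test name, and
    # the CSR entry typed with a literal backslash-n at the openssl prompt.
    for n in ["nulltest.lagg.at", "nulltest\x00.lagg.at", "nulltest\\n.lagg.at"]:
        print(repr(n), validate_hostname(n))
```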