
cacert-sysadm - Re: new SSL Attacks

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Florian Lagg <info AT lagg.at>
  • To: cacert-devel AT lists.cacert.org, tg AT futureware.at
  • Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Ian G <iang AT iang.org>
  • Subject: Re: new SSL Attacks
  • Date: Fri, 31 Jul 2009 15:34:35 +0100 (GMT+01:00)

Hi, 
I was asked to provide the cert file - here it is...



----- Original Message -----
From: "Florian Lagg" <info AT lagg.at>
To: cacert-devel AT lists.cacert.org
CC: "CAcert System Administrators" <cacert-sysadm AT lists.cacert.org>, "Ian G" <iang AT iang.org>
Sent: Friday, 31 July 2009 15:36:52 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: new SSL Attacks

Thanks Ian for your research.

I tested something:
* I tried to create a subdomain nulltest\0.lagg.at in my bind dns server.
This was not possible "Failed to create master zone : 'nulldomain\0.lagg.at.' 
is not a valid domain name"
So I continued without this domain

* I tried to add nulltest\0.lagg.at in CAcert, I got to a screen asking me 
for a mail address to check my rights on the domain:
The available addresses are: 
        root@nulltest\\\\0.lagg.at
        hostmaster@nulltest\\\\0.lagg.at
        postmaster@nulltest\\\\0.lagg.at
        admin@nulltest\\\\0.lagg.at
        webmaster@nulltest\\\\0.lagg.at
after choosing one I got: "Die Adresse die sie angegeben haben hat keine 
Befugnis für diese Domain." (the address has no rights for this domain)

* so I got to Server Certificates:
I created a private key on the server:
$ openssl genrsa -out nulltest.key 1024
...
and a csr:
$ openssl req -new -key nulltest.key -out nulltest.csr
...
Common Name (eg, YOUR name) []:nulltest\n.lagg.at
...
------
I browsed the CAcert site to get my server certificate, uploaded the CSR and 
GOT MY CERTIFICATE.
So - if I have done anything right - we should fix it in our source.

I see no reason to accept \0 (null-character) inside a domain name. We should 
check our code if we do so (and edit it to forbid \0 in domain names in 
future).

I also found this:
"With regard to the larger problem involving the null character, Marlinspike 
said since there is no legitimate reason for a null character to be in a 
domain name, it’s a mystery why Certificate Authorities accept them in a 
name."
Source: http://www.wired.com/threatlevel/2009/07/kaminsky/

Which just says the same as I do above (no reason for \0 in a domain name).
After that we could check if we have any subdomains registered in our system 
with a \0 char in it and revoke them in an arbitration. If there are any - 
these could be bad guys.

Hope I could help with these tests. I deleted my issued certificate in the 
web gui.

regards,

-- 
Florian Lagg
-
Florian Lagg - IT-Komplettlösungen
Juch 7, 6631 Lermoos
tel +43 (676) 344 677 5
http://www.lagg.at/ - info AT lagg.at
-
Xing: http://www.xing.com/go/invite/7372113.3da562
-
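
The check the message above asks for (no \0 in domain names, plus a scan of names already in the system), sketched as an added example; it is not CAcert's code and not part of the original mail. The function names and the sample list are hypothetical, and the rule applied (hostname labels limited to letters, digits and hyphens) goes further than rejecting NUL alone.

```python
import re

# One hostname label: letters, digits, hyphen; no leading or trailing hyphen.
# \Z (not $) so a trailing newline cannot slip through the match.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")


def hostname_problems(name, allow_wildcard=True):
    """Return the reasons a requested certificate name is unacceptable ([] if fine)."""
    problems = []
    if "\x00" in name:
        problems.append("contains NUL byte")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name if c != "\x00"):
        problems.append("contains control character")
    if "\\" in name:
        problems.append("contains backslash")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    labels = name.split(".")
    if allow_wildcard and labels[0] == "*":
        labels = labels[1:]  # a single leading wildcard label is tolerated
    if len(labels) < 2:
        problems.append("fewer than two labels")
    bad = [label for label in labels if not _LABEL.match(label)]
    if bad:
        problems.append("invalid label(s): " + ", ".join(repr(b) for b in bad))
    return problems


def audit(names):
    """Scan already-registered names and return those that need review."""
    return {n: p for n in names if (p := hostname_problems(n))}


# Constructed sample inputs (not taken from any real database).
SAMPLE = [
    "www.lagg.at",
    "*.lagg.at",
    "nulltest\x00.lagg.at",  # raw NUL byte inside the name
    "nulltest\\0.lagg.at",   # literal backslash-zero as typed into a form
    "nulltest\n.lagg.at",    # newline inside the name
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(repr(name), "->", "; ".join(why))
```

The same function serves both uses: run it on the Common Name and any other names parsed from a CSR before issuing, and run `audit` over the stored domain list to find entries that need review.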


