← Back to context

Comment by gouggoug

3 years ago

Bold claim lacking substantiation. Care to share? Maybe it will get traction this time.

It's really not that bold. Ask anyone who works for a CA, or an ISP, or a registrar, or a mail hoster, or a browser manufacturer, or DNS provider... If you just read up on how PKI works, on how certificates get issued, how the network protocols work, etc, it's all just right there. The holes are very well known and understood and not fixed because they're in the design. Every so often somebody comes up with another mitigation, which of course you have to opt into, and still doesn't solve all the holes.

It's like SS7, or SWIFT. It's not bold to claim that all public phone networks and bank transfers are insecure, it's just a fact. People who know what they are know they're vulnerable.

As an aside to the design issues, social engineering any of the thousands of organizations involved with issuing certs (not just CAs) is trivial. A bored teenager could get certs issued for most domains by using nothing more than a telephone or e-mail. But that's cheating, so I don't count it.

If you are your hoster and can reroute requests, you can get all kinds of valid SSL certs for any domains that you host.

Just grab these IP packets when CA comes to validate that you own that domain. Perhaps EV could solve that to some extent but it is never mandated.

Even if you tried to put any stuff into WHOIS to mitigate this, your hoster can serve any bullshit on this channel too.

It does look very bad and SSH approach to certificates is just infinitely better. If Jabber used SSL keys instead, they will be alerted immediately.

Come to think of it, your hoster can also find ways to steal keys directly from hardware, though.