The Problem with Multiple Roots in Web Browsers - Certificate Masquerading

Author

  • James M. Hayes
Abstract

Much work is going into securing the public key infrastructure (PKI). Various trust models exist; Pretty Good Privacy (PGP) and the Progressive-Constraint Trust model are examples [3]. These models describe how to protect and ensure the interrelationships of their certificate-based structures; however, vulnerabilities may arise when structures based on certificate authorities (CAs) are involved. The vulnerability described here arises from the presence of multiple root certificate authorities. This paper examines the need for improved methods of verifying the binding between a certificate authority (root) and the source of a protocol's messages. The protection mechanisms developed to protect and ensure this binding within a single CA hierarchy can break down in environments where multiple roots exist, which opens the possibility of one CA undermining the trust placed in a peer CA.
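The masquerade the abstract describes, as an added example in Go (not code from the paper): two self-signed roots sit in one trust store, Root A issues a legitimate server certificate for a host, and Root B, a peer CA acting outside its remit, issues a second certificate for the same name. Standard path validation accepts either chain, because it only requires that the chain end in some trusted root. The second verifier binds the host to the root the relying party expects by pinning the SHA-256 of that root's SubjectPublicKeyInfo; pinning is one concrete form of the root-to-source binding the paper calls for, not a method the paper itself proposes. The host name, CA names and all key material are constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA or server-certificate template. Names and lifetimes are
// constructed for the example; nothing here is real CA material.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a P-256 key and signs tmpl with parentKey; a nil parent
// means the certificate is self-signed (a root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pins carry.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyAnyRoot is what a browser does: the chain may end in any root in the store.
func VerifyAnyRoot(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// VerifyPinned additionally requires a valid chain that ends in the root whose
// SPKI hash the relying party recorded for this host.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if SPKIPin(chain[len(chain)-1]) == pin {
			return nil
		}
	}
	return fmt.Errorf("%s: no chain ends in the pinned root", host)
}

// RunScenario returns the outcome of each verification: the legitimate
// certificate under both checks, then the masquerading one under both.
func RunScenario() (legitAny, legitPinned, masqAny, masqPinned error) {
	const host = "shop.example.test" // hypothetical host name
	rootA, keyA := newCert(template("Root A", 1, true), nil, nil)
	rootB, keyB := newCert(template("Root B", 2, true), nil, nil)
	legit, _ := newCert(template(host, 100, false), rootA, keyA) // issued by the host's real CA
	masq, _ := newCert(template(host, 200, false), rootB, keyB)  // same name, issued by a peer CA

	store := x509.NewCertPool() // the browser's trust store holds both roots
	store.AddCert(rootA)
	store.AddCert(rootB)
	pin := SPKIPin(rootA) // the relying party has recorded Root A for this host

	return VerifyAnyRoot(legit, store, host), VerifyPinned(legit, store, host, pin),
		VerifyAnyRoot(masq, store, host), VerifyPinned(masq, store, host, pin)
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Println("legitimate, any root:", a)
	fmt.Println("legitimate, pinned:  ", b)
	fmt.Println("masquerade, any root:", c)
	fmt.Println("masquerade, pinned:  ", d)
}
```

The any-root check returns nil for the masquerading certificate: nothing in RFC 5280 path validation ties the host to the CA that actually serves it, which is exactly the gap the abstract points at. The pin closes that gap for this host, at the usual operational cost that the pin must be updated whenever the expected root changes.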


Similar resources

Restricting Access with Certificate Attributes in Multiple Root Environments-A Recipe for Certificate Masquerading

The issue of certificate masquerading against the SSL protocol is pointed out in [4]. In [4], various forms of server certificate masquerading are identified. It should also be noted that the attack described is a man-in-the-middle (MITM) attack that requires direct manipulation of the SSL protocol. This paper is a mirror of [4] and involves client certificate masquerading. The motivation for th...


Why Showing One TLS Certificate is not Enough - Towards a Browser Feedback for Multiple TLS Certificate Verifications

Content reuse on the Web 2.0 is a common “phenomenon”. However, it has now reached critical and sensitive areas, for example online shops' submission forms for credit card data. Browsers lack the ability to show anything other than the outermost TLS certificate verification to the user. We show that there is a trend to embed security-critical content from other sites into a website. W...


Which Web Browsers Process SSL Certificates in a Standardized Way?

SSL is the primary technology used to secure web communications. Before setting up an SSL connection, web browsers have to validate the SSL certificate of the web server in order to ensure that users access the expected web site. We have tested the handling of the main fields in SSL certificates and found that web browsers do not process them in a homogeneous way. An SSL certificate can be accep...


Tracking Certificate Misissuance in the Wild

Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certif...


Publication date: 1998