[cryptography] this house believes that user's control over the root list is a placebo

Marsh Ray marsh at extendedsubset.com
Sun Jun 26 16:31:23 EDT 2011

On 06/26/2011 01:13 PM, The Fungi wrote:
> On Sun, Jun 26, 2011 at 12:26:40PM -0500, Marsh Ray wrote: [...]
>> Now maybe it's different for ISP core router admins, but the
>> existence of this product strongly implies that at least some
>> admins are connecting to their router with their web browser over
>> HTTPS and typing in the same password that they use via SSH.
> [...]
> Valid point, but flawed example. Managing these things day in and day
> out, I can tell you this is the first thing any experienced admin
> disables when initially configuring the device.

But what about all the other admins? :-)

You're probably right today, the guys running the core routers are some
of the best. This web management thing seems to be targeted to
small/medium non-ISP businesses.

But what about after a few more rounds of IT people graduate from
courses and certification programs which now divert time from the old
command-line stuff to teach the new web management functionality?

What if functionality gets released for which there is no command-line

What about all the other datacenter gear plugging into trusted segments?

What about the other makes of routers? Well, Juniper, that is.
> http://www.juniper.net/us/en/products-services/software/network-management-software/j-web/

> http://www.redelijkheid.com/blog/2011/3/11/configure-ssl-certificate-for-juniper-j-web-interface.html
> By default, the J-Web interface (GUI for the Juniper SRX firewalls)
> has SSL enabled. Like most devices with SSL out-of-the-box, the
> protection is based on a self-signed certificate. Self-signed
> certificates are easy (they come basically out-of-the-box), but they
> tend to nag you every time you connect to the GUI. So, it's time to
> install a proper certificate.

OK, good, so this guy is going to make a cert for his router! He even 
shows you how to use the subject alternative name to make it so you can 
connect to it via the raw IP address!

Anyone else see any problems with that? :-)

> http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html
> Intranet SSL Certificates allow you to secure internal servers with SSL issued to
> either a Full Server Name or a Private IP Address. [...]
> Trusted by all popular browsers.

Comodo to the rescue! I wonder how many people they'll be willing to
sell the same IP address to.

On 06/26/2011 01:13 PM, The Fungi wrote:
> If your admin is managing your routers with a Web interface, SSL MitM
> is the *least* of your worries, honestly.


It's only the least of your worries until somebody gets around to
exploiting it, at which point it may be the greatest of your worries.

A lot of systems are set up with RADIUS/TACACS centralized
authentication. In these cases there are many admins with access to many
routers and other pieces of equipment. The bad guy only needs to
convince the high-level admin to use his password once on the
least-important piece of equipment.

A self-propagating router MitM would make for a very interesting and
scary worm. Hopefully such a thing would first start out on some small
home routers and give time to raise awareness for those with login
credentials on the big ones.

- Marsh
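
The post above discusses publicly trusted certificates that name a router by private IP address in the subject alternative name. As an added example (not part of the original post), this Python function audits a certificate in the dict form returned by `ssl.SSLSocket.getpeercert()` and flags SAN entries that unrelated networks can equally claim; the function name, the special-use TLD list and the sample certificate are constructed for illustration.

```python
import ipaddress

# Special-use top-level labels (RFC 2606, RFC 6761, RFC 6762). Illustrative list,
# chosen for this example; extend it with suffixes used on your own network.
SPECIAL_USE_TLDS = {"local", "localhost", "test", "invalid", "example"}


def non_unique_san_entries(cert):
    """Return (kind, value, reason) for SAN entries that do not identify
    exactly one host globally. `cert` uses the getpeercert() dict layout."""
    findings = []
    for kind, value in cert.get("subjectAltName", ()):
        value = value.strip()
        if kind == "IP Address":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                findings.append((kind, value, "unparseable IP address"))
                continue
            # RFC 1918, loopback, link-local, CGNAT etc. are reused everywhere.
            if not ip.is_global:
                findings.append((kind, value, "non-global IP address"))
        elif kind == "DNS":
            labels = value.rstrip(".").lower().split(".")
            if labels and labels[0] == "*":
                labels = labels[1:]  # judge a wildcard by its parent name
            if len(labels) < 2:
                findings.append((kind, value, "single-label name"))
            elif labels[-1] in SPECIAL_USE_TLDS:
                findings.append((kind, value, "special-use TLD"))
    return findings


# Constructed sample: a management-interface certificate as getpeercert() reports it.
SAMPLE_CERT = {
    "subject": ((("commonName", "srx.example.com"),),),
    "subjectAltName": (
        ("DNS", "srx.example.com"),
        ("DNS", "srx"),
        ("DNS", "srx.local"),
        ("IP Address", "192.168.1.1"),
    ),
}

if __name__ == "__main__":
    for kind, value, reason in non_unique_san_entries(SAMPLE_CERT):
        print(f"{kind}: {value} -> {reason}")
```

Any finding on a certificate that chains to a public root means the same name could be certified for someone else's device, so such certificates belong under a private CA that only the managing hosts trust.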
