[cryptography] current limits of proving MITM (Re: Gmail and SSL)

ianG iang at iang.org
Sun Dec 16 04:48:53 EST 2012

On 16/12/12 11:47 AM, Adam Back wrote:
> (note the tidy email editing, Ben, and other blind top posters to massive
> email threads :)
> See inline.
> On Sun, Dec 16, 2012 at 10:52:37AM +0300, ianG wrote:
>> [...] we want to prove that a certificate found in an MITM was in the
>> chain or not.
>> But (4) we already have that, in a non-cryptographic way.  If we find
>> a certificate that is apparently signed by say VeriSign root and was
>> found in an MITM, we can simply publish it with the facts.  Verisign
>> are then encouraged to disclose (a) it was ours, (b) it wasn't ours,
>> or (c) mmmmummm...
> Verisign can't claim it wasn't theirs because it will be signed by one of
> their roots, or a sub-CA thereof.

Just to nitpick on this point, a CA certainly can claim that they or an 
agent did not sign a certificate.  And, they can provide the evidence, 
and should have the ability to do this:  CAs internally have logs as to 
what they did or did not sign, and this is part of their internal process.

This is because the real world doesn't trust the cryptographic evidence 
on the face of it, we always need to go back to an independent 
verification of some form - a further point against Ben's proposal.

As a case in point, the spear phishing attack that occurred a couple of 
years back is now thought to be a case of attacker-forged certs, with no 
signing action by the CA.  In this case, all of the implicated attacks 
involved 512-bit RSA signing, suggesting easy solutions.


As I say, just a nitpick - the main point is that we can demand facts 
and then use those facts to assemble a picture of where the risks lie. 
Which you admirably show.  If the CA declines to play, that's just 
another fact.
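The decision the reply describes, a signature check combined with the CA's own issuance record, written out as an added example (not code from the thread or from any CA). The key material, serials and log entries are constructed; textbook RSA over tiny primes stands in for X.509/PKCS#1 so the block runs offline.

```python
"""Classify a certificate found in a suspected MITM against (1) the CA's
public key and (2) the CA's internal issuance log. Illustration only:
real CAs use X.509 with PKCS#1 padding and 2048-bit or larger keys."""
import hashlib

# Constructed CA key: two small primes, deliberately far below real sizes.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
WEAK_MODULUS_BITS = 1024  # below this, forgery by factoring is plausible

def digest(cert_body: bytes) -> int:
    """Hash the to-be-signed certificate body, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(cert_body).digest(), "big") % N

def ca_sign(cert_body: bytes) -> int:
    """What the CA does at issuance; the private exponent never leaves it."""
    return pow(digest(cert_body), D, N)

def verify(cert_body: bytes, sig: int) -> bool:
    """Public check anyone can run on a captured certificate."""
    return pow(sig, E, N) == digest(cert_body)

def classify(serial: str, cert_body: bytes, sig: int, issuance_log: set,
             modulus_bits: int = N.bit_length()) -> str:
    """Cryptographic evidence alone is not conclusive; cross it with the
    independent record the CA keeps of what it did and did not sign."""
    crypto_ok = verify(cert_body, sig)
    in_log = serial in issuance_log
    if crypto_ok and in_log:
        return "CA-issued"                      # the CA's answer: it was ours
    if crypto_ok and not in_log:
        if modulus_bits < WEAK_MODULUS_BITS:
            return "weak-key forgery suspected"  # the 512-bit RSA pattern
        return "key compromise or log gap"       # the CA owes an explanation
    if in_log:
        return "logged but signature invalid; evidence corrupted"
    return "not signed by this CA"              # the CA's answer: not ours

# Constructed issuance log and sample certificates.
CA_LOG = {"0x01", "0x02"}
LEGIT = b"CN=mail.example.test, serial=0x01"
ROGUE = b"CN=mail.example.test, serial=0x99"   # never issued by the CA

def demo() -> dict:
    return {
        "legit": classify("0x01", LEGIT, ca_sign(LEGIT), CA_LOG),
        "forged_valid_sig": classify("0x99", ROGUE, ca_sign(ROGUE), CA_LOG),
        "garbage_sig": classify("0x99", ROGUE, 12345, CA_LOG),
        "logged_bad_sig": classify("0x01", LEGIT, 12345, CA_LOG),
    }
```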

