<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">This is the second time in about three years that a IdP has had to revoke a certificate that was valid for there claimed_id, because it was compromised.<div><br></div><div>It points out some of the limitations of relying on TLS security. We should at least get people to take certificate revocation seriously to reduce the risk. For that we need to get the attention of library authors.</div><div><br></div><div>I was taking the browser vendors claims of immediately blacklisting the certificates in new releases of Chrome, FF, and IE to prevent all sorts of other Phishing attacks as being something that could mitigate against man-in-the-middle involving the browser.</div><div><br></div><div>Though you will probably point out the significant number of people who don't upgrade there browser for every security vulnerability or just prefer IE6 for some reason.</div><div><br></div><div>I will attempt to bot be overly pessimistic and say that given that most of the non Google IdP default to non SSL, Google is now no worse off then them. I feel better already:)<br><div><br></div><div>I am not particularly afraid of the ISP's themselves, but rather the security of there networks. </div><div>This particular group of attackers was relatively competent. If I were them I would probably hack a router that my target RP connected to and redirect the traffic for <a href="https://www.google.com">https://www.google.com</a> to a server of my choosing.</div><div><br></div><div>Now it is highly likely that they will be more interested in attacking unpatched browsers and impersonating the login servers for these domains:</div><div><br></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://mail.google.com">mail.google.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://www.google.com/" style="color: blue; text-decoration: underline; ">www.google.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 00F5C86AF36162F13A64F54F6DC9587C06</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://login.yahoo.com">login.yahoo.com</a> [Seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 00D7558FDAF5F1105BB213282B707729A3</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://login.yahoo.com">login.yahoo.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 392A434F0E07DF1F8AA305DE34E0C229</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://login.yahoo.com">login.yahoo.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 3E75CED46B693021218830AE86A82A71</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://login.skype.com">login.skype.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 00E9028B9578E415DC1A710A2B88154447</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://addons.mozilla.org">addons.mozilla.org</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 009239D5348F40D1695A745470E1F23F43</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: <a href="http://login.live.com">login.live.com</a> [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0</div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "> </p><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Domain: global trustee [NOT seen live on the internet]</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">Serial: 00D8F35F4EB7872B2DAB0692E315382FB0</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "><br></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">I will also point out that this is not the only incident of issuing certificates to the wrong people that Comodo has been involved in.</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "><br></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">So the one thing we can do from a openID point of view is atleast take revocation seriously because I am willing to bet this will not be the last time something like this happens.</div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; "><br></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0cm; margin-bottom: 0.0001pt; ">John B.</div><div><br></div><div><div>On 2011-03-25, at 6:29 AM, Ben Laurie wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>On 24 March 2011 17:19, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<br><blockquote type="cite">The obvious vulnerability would be an attacker that knew some number of<br></blockquote><blockquote type="cite">openId at a given RP, by spoofing DNS and SSL they could cain access to<br></blockquote><blockquote type="cite">those accounts by setting up a Rogue IdP with the fraudulent SSL cert.<br></blockquote><blockquote type="cite">This requires a DNS or routing venerability at the RP to be successful.<br></blockquote><br>Or a man-in-the-middle.<br><br><blockquote type="cite">Not an easy attack.<br></blockquote><br>Rather depends who you are :-) Pretty easy for ISPs, for example.<br><br><blockquote type="cite">However no attack is good.<br></blockquote><blockquote type="cite">For the FICAM openID profile we required OCSP or CRL checking for RP to<br></blockquote><blockquote type="cite">mitigate this risk.<br></blockquote><blockquote type="cite">John B.<br></blockquote><blockquote type="cite">On 2011-03-24, at 1:08 PM, Mike Hanson wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks for the clarification, Phillip.<br></blockquote><blockquote type="cite">m<br></blockquote><blockquote type="cite">On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">No login servers were affected.<br></blockquote><blockquote type="cite">Several domains on which the servers are deployed were affected but not the<br></blockquote><blockquote type="cite">login servers.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <<a href="mailto:mhanson@mozilla.com">mhanson@mozilla.com</a>> wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Comodo has posted a detail incident report here:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html">http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Several login servers were affected.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">-MH<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">On Mar 24, 2011, at 7:09 AM, John Bradley wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular">http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The browser venders blocking those certificates is nice, however there<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">are attacks on RP that could be done with those certificates that are still<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">open.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">In testing something like 0% of RP check OCSP or CRL, the libs don't<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">force openSSL to so those checks (I think DNOA will do them in FICAM mode)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">So perhaps encouraging people to perform those checks would be a good<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">idea.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">We can only hope that none of the 9 certificates cover openID OP,<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">otherwise user accounts at RP could theoretically be compromised.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">John B.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">security mailing list<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="mailto:security@lists.openid.net">security@lists.openid.net</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openid.net/mailman/listinfo/openid-security">http://lists.openid.net/mailman/listinfo/openid-security</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">security mailing list<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="mailto:security@lists.openid.net">security@lists.openid.net</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openid.net/mailman/listinfo/openid-security">http://lists.openid.net/mailman/listinfo/openid-security</a><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">--<br></blockquote><blockquote type="cite">Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">security mailing list<br></blockquote><blockquote type="cite"><a href="mailto:security@lists.openid.net">security@lists.openid.net</a><br></blockquote><blockquote type="cite"><a href="http://lists.openid.net/mailman/listinfo/openid-security">http://lists.openid.net/mailman/listinfo/openid-security</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote></div></blockquote></div><br></div></div></body></html>