the internet has trust issues - nlnog• wosign and startcom are removed • continues to issue...

The internet has trust issues

Upload: others

Post on 25-Sep-2020

1 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

The internet has trust issues

About usThijs Alkemade

• Security Specialist

• [email protected] / @xnyhps

Christiaan Ottow

• Security Coach

• [email protected] / @cottow

mailto:[email protected]

Page 3: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Performance Security TestAutomation

Page 4: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

https://www.computest.nl/blog/startencrypt-considered-harmful-today/

Page 5: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Domain Validation Organization Validation

Extended Validation

Page 6: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 7: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Domain Validation

Page 8: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

How much control do you need to get a certificate?

Page 9: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 10: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

• <user>.github.io/<file>

• bit.ly/<token>

• <user>.s3.amazonaws.com/<key>

Page 11: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 12: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 13: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 14: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 15: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 16: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Client StartCom example.com

I want a cert for example.com

Okay, put abc on example.com

Put abc on attacker.com

Done, it’s on /?redir=attacker.com/abc

GET /?redir=attacker.com/abc

Location: attacker.com/abc

Good, here’s a cert

attacker.com

GET /abc

abc

Page 17: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 18: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Page 19: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Timeline of events• 23/6 report of issue

• 29/6 StartSSL confirms fix

• 30/6 Computest publishes findings

• ~2/7 StartEncrypt API offline

• 2/7 Google asks for details

• ~4/7 Product suspended

• 24/8 Mozilla opens discussion

Page 20: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Who should intervene if a CA misbehaves?

Page 21: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Mailinglist discussion

• Long list of issues at https://wiki.mozilla.org/CA:WoSign_Issues

• WoSign improvements

• Publish everything to CT, from 2015

• Always include SCT after July 5, 2016

• Central questions:

• Which incidents are CA/Bf BR violations?

• How do we punish a CA for those?

https://wiki.mozilla.org/CA:WoSign_Issues

Page 22: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Sanctions

• Remove the CA

• Actively distrust the CA

• Remove the CA, whitelisting previously issued certs

• How do we ship the whitelist? Too large

• Distrust certs without CT information.

• Distrust certs without CT information. Whitelist certs before 2016

• See above, issues with whitelist

Page 23: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Scenarios

• WoSign is removed

• Continues to issue certs because of cross-signing

• WoSign is distrusted

• Continues to issue certs under StartCom CA

• WoSign and StartCom are removed

• Continues to issue certs because of cross-signing

• WoSign is distrusted for C != CN

• Doesn’t solve security implications

• WoSign is distrusted for CN != *.cn

• All browsers need to be patched

• WoSign dramatically improves

• Difficult to prove

• WoSign and StartCom are distrusted

• Business goes bankrupt

Page 24: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

How to minimize risk

Page 25: The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Cheers

WoSign Incidents Report · WoSign Incidents Report (September 4. th. 2016) WoSign got email notice from Mozilla for 3 incidents about WoSign at August 24th 2016, and WoSign responded

IXP Automation - NLNOG...IXP AUTOMATION • “Traditional” server automation tools could not interface with network devices • Tools of the era: RANCID, SSH, bash + perl scripts

Sanctuary: ARMing TrustZone with User-space Enclaves · with User-space Enclaves. Research Problem How can we construct an ecosystem of mutually distrusted enclaves on mobile devices?

By Daniela Diaz and Monica Rubalcava. *Holland dominated the States General, the central governments of the Netherlands, but distrusted the House of Orange

Launching the New Ship of State - WolfsonAPUSH...Launching the New Ship of State 1789 – 1800. Troubled Times for US Government • Americans distrusted authority and government –

The Rise of a Mass Democracy 1830 - 1840. Jackson & the Bank Distrusted monopolistic banking (BUS) BUS chartered had to be renewed 1836 –Clay tried to

The Burden of Disclosure: Increased Compliance With Distrusted

Political Parties Distrusted political parties – many were interested in personal gain and not public good. George Washington warned it would lead to

Religion, State and Society Fethullah Gülen's Missionary … central Asia... · felt Islam must play in the emerging modern Turkey of the young Mustafa Kemal. Distrusted and disappointed

Rome & the Republic Ms. Ramos. Roman State Distrusted kings 2 groups: patrician & plebians Republic – Consuls & praetor Senate – 300 patricians: life,

WoSign Certificates Policy & Practice Statement · 2020. 2. 27. · WoSign Certificates Policy & Practice Statement . Version: 1.2.19 . Status: Final Approved . Updated: 2017-09-13

Arista Universal Spine - NLNOG · Kudu, Druid, Prometheus, etc Kafka, ActiveMQ, ZeroMQ, RabbitMQ Spark, Storm, Heron, etc Kibana, Grafana Arista Telemetry HBase Kafka CloudVision

WoSign Certificates Policy & Practice Statement · WoSign have change d the company English name from “ WoSign CA Limited ” to “WoTrus CA Limited ” since August 24, 2017

Alice-LG at ECIX - Stichting NLNOG€¦ · IXP Large BGP communities Multiple IXPs have shown interest – ECIX (already implements LBGP communities, will support the standard) –

DDoS detection & mitigation - Stichting NLNOG · PDF fileDDoS detection & mitigation What is a DDoS attack? • Making the host/network unreachable by sending a lot of trafﬁc from

ROME. Roman Republic The Romans distrusted monarchy and decided it to replace it with a new form of gov’t – Republic = a form of gov’t in which the

Fukushima as “Moral Panic” - METI...Fukushima as “Moral Panic” Moral panics = blaming already distrusted members of society for things largely out of their control Reaction

THE PRESIDENCY The Roots of the Office of President of the United States American colonists distrusted the King so much so that the Articles of Confederation

Lekker Weer NLNOG Start Network automation (2) › static › lekkerweernlnog2017 › Lekker_Weer_NLNO… · Saltstack Chef NAPALM CI Puppet Ansible Git In production Evaluating Considering

WoSign Certificates Policy & Practice Statement · Add public policy ID 2.23.140.1.2.1 in Class 1 certificates, and policy ID 2.23.140.1.2.2 in Class 3 certificated. 10. Remove Code

50 years of transformative possibilities. One partnership. · tools better and cheaper to make. Yet around the world, economic disparity widens; politics remains divided and distrusted

How to s/sysadmin/netadmin/g - NLNOG · How to s/sysadmin/netadmin/g Tijn “Cybertinus” Buijs NLNOG day 2018 7 September 2018

Launching the New Ship of State Chapter 10. w Central government to be distrusted, watched, and curbed

WoSign Certificates Policy & Practice Statement › policy › WoSign-Policy-1_1.pdf · 2020-02-27 · WoSign eCommerce Services Limited 502#, Block A, Technology Building 2, No

Policies of JFK - timbeckclassroom.com · In 1959, Fidel Castro came to power in an armed revolt that overthrew Cuban dictator Fulgencio Batista. The US government distrusted Castro

WoSign Certificates Policy & Practice StatementAdd Class 2 SSL certificate and Class 2 Code Signing certificate 5. Add Class 4 EV Code Signing certificate 6. Update the IP address

The Presidency. The Roots of the Office of President American colonists distrusted the King to the point that their Articles of Confederation largely

Jacksonian Democracy - Administrationpebblebrookhigh.typepad.com/files/the-age-of-jackson-4.pdf · Jackson’s Bank War •States’ rights supporter Jackson distrusted the power

Niels Raijer, Fusix Networks BV NLNOG Day 2015. * Owner & chief architect @ Fusix Networks * Providing networking services to those companies that need

Chapter 12. Nero – Emperor of Rome Used Christians as scapegoats for Roman problems Romans distrusted Christians b/c they were different Christains refused

2018-09-07 NLNOG Nat64check v2 · 2018. 9. 7. · This website has an overall moderate rating. It is experiencing some problems with NAT64 and IPv6. The following report details some

What are Data? What are Statistics? Why ... - MacOdrum Library · discovered that 68% of Trump supporters distrusted the economic data published by the federal government. In the

WoSign Certificates Policy & Practice Statement · 2021. 6. 3. · WoSign Certificates Policy & Practice Statement . Version: 1.2.4 . Status: Final Approved . Updated: 2014-02-14

ansible - Stichting NLNOG · Ansible Systems conﬁguration doesn't have to be complicated Jan-Piet Mens September 2016 @jpmens

Experiences with Building High-Performance Distrusted