On Wed, Aug 15, 2018 at 6:36 AM Wayne Thayer via dev-security-policy < [email protected]> wrote:
> I'd like to call this presentation to everyone's attention: > > Title: Lost and Found Certificates: dealing with residual certificates for > pre-owned domains > > Slide deck: > > https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Foster-and-Ayrey-Lost-and-Found-Certs-residual-certs-for-pre-owned-domains.pdf > > (NOTE: this PDF loads in Firefox, but not in Safari and not, I'm told, in > Chrome's native PDF viewer). > > Demo website: https://insecure.design/ > > The basic idea here is that domain names regularly change owners, creating > "residual certificates" controlled by the previous owner that can be used > for MITM. When a bunch of unrelated websites are thrown into the same > certificate by a service provider (e.g. CDN), then this also creates the > opportunity to DoS the sites by asking the CA to revoke the certificate. > > The deck includes some recommendations for CAs. > > What, if anything, should we do about this issue? > I think this paper provides a good impetus to look at further shortening certificate lifetimes down to 13 months. That would better match the annual cadence of domain registration so that there's a smaller window of time beyond domain expiration for which a certificate would be valid, and would continue the momentum Mozilla and the CA/B Forum have been building around reducing certificate lifetimes and encouraging automation. The presentation suggests having certificates only be valid through the expiration date of the relevant registered domain, but I think that's unrealistic. Most of the time, domains are set to autorenew so that people never have to think about them, and their renewal cadence is totally disconnected from certificate renewal cadence. If a domain is 6 days from autorenew, a CA offering a 6-day-long cert and forcing someone to come back a week later for another one would be very unreasonable. I don't think the presentation points to building in stronger support for revocation. If anything, it points to revocation being a threat vector for DoS-ing sites that have nothing to do with the problem at hand, due to the long-standing (and reasonable) practice of multi-SAN certs that combine clumps of customers into individual certificates. Ryan points out that SNI is becoming something that can be relied on more universally, which would reduce the need for multi-SAN certificates, but multi-SAN certificates also provide useful operational benefits to organizations who are using CAs with rate limits, or simply for whom the ability to use 100x fewer certificates relieves an operational scaling burden. It may still be useful to deprecate multi-SAN certificates over time, but I think the single biggest thing to take away from the presentation is that long-lived certs create invisible risks during domain transfers, and that the risk is more than just theoretical when looking at the whole of the web. It's been a year and a half now since the last discussion and vote that went from a 39-month max to a 27-month max, so I think it's a great time to start talking about a 13-month maximum. -- Eric > - Wayne > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
