Hey Everyone, Author here, happy to answer any questions. Wayne did a good job summarizing the two problems, MitM and DoS. Basically there should be extra caution whenever sharing a certificate between different users/organizations. And we'd like to suggest that CAs not issue certificates that live beyond their domain's current lifetime.
I'm not sure what happened with the DEFCON slides, but I've uploaded a newer version that seems to work better (at least in Chrome) here: https://insecure.design/BygoneSSL_DEFCON.pdf The recording of the talk should be up in a few weeks.

On Wednesday, August 15, 2018 at 3:36:14 AM UTC-7, Wayne Thayer wrote:
> I'd like to call this presentation to everyone's attention:
>
> Title: Lost and Found Certificates: dealing with residual certificates for pre-owned domains
>
> Slide deck: https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Foster-and-Ayrey-Lost-and-Found-Certs-residual-certs-for-pre-owned-domains.pdf
>
> (NOTE: this PDF loads in Firefox, but not in Safari and not, I'm told, in Chrome's native PDF viewer).
>
> Demo website: https://insecure.design/
>
> The basic idea here is that domain names regularly change owners, creating "residual certificates" controlled by the previous owner that can be used for MITM. When a bunch of unrelated websites are thrown into the same certificate by a service provider (e.g. CDN), then this also creates the opportunity to DoS the sites by asking the CA to revoke the certificate.
>
> The deck includes some recommendations for CAs.
>
> What, if anything, should we do about this issue?
>
> - Wayne
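To make the two recommendations in the thread concrete (a certificate should not outlive the registration of any domain it covers, and bundling names from unrelated registrants into one certificate turns a single revocation into a multi-site outage), here is an added policy check. This is example code written for this thread, not code from the authors, the BygoneSSL project or any CA. It uses only the Python standard library; the certificates, registrant names and expiry dates below are constructed for illustration, and the `base_domain` helper is a deliberate simplification (a real implementation would use the Public Suffix List and pull `notAfter` from the actual X.509 object and expiry dates from the registry).

```python
"""Residual-certificate and shared-certificate checks.

Added example (not from the original thread). All certificate and
registration data below is constructed; the helper that derives the
registrable domain is a placeholder for a Public Suffix List lookup.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    label: str          # illustrative label only, not a real serial number
    not_after: date     # certificate expiry (from the X.509 notAfter field)
    sans: tuple         # dNSName entries from the subjectAltName extension


@dataclass(frozen=True)
class Registration:
    owner: str          # current registrant (hypothetical organisation name)
    expires: date       # registry expiry; the domain may change hands after it


def base_domain(name: str) -> str:
    """Hypothetical simplification: keep the last two labels.
    Real code must consult the Public Suffix List (e.g. 'co.uk')."""
    labels = name.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def outlives_registration(cert: Cert, registrations: dict) -> list:
    """Residual-certificate risk: SANs whose domain registration ends before
    the certificate does. Returns (san, days_over); days_over is None when the
    registration is unknown, which a CA should also treat as a block."""
    flagged = []
    for san in cert.sans:
        reg = registrations.get(base_domain(san))
        if reg is None:
            flagged.append((san, None))
        elif cert.not_after > reg.expires:
            flagged.append((san, (cert.not_after - reg.expires).days))
    return flagged


def shared_across_owners(cert: Cert, registrations: dict) -> dict:
    """Shared-certificate (DoS) risk: if the SANs belong to more than one
    registrant, one revocation request takes every listed site down.
    Returns {owner: [sans]} when shared, otherwise an empty dict."""
    by_owner = defaultdict(list)
    for san in cert.sans:
        reg = registrations.get(base_domain(san))
        by_owner[reg.owner if reg else "<unknown>"].append(san)
    return dict(by_owner) if len(by_owner) > 1 else {}


def max_issuable_not_after(sans: tuple, registrations: dict) -> date:
    """Latest notAfter a CA could issue for these SANs without any one of them
    outliving its registration: the earliest registry expiry among the set."""
    return min(registrations[base_domain(s)].expires for s in sans)


# Constructed sample data (hypothetical registrants and dates).
REGISTRATIONS = {
    "example.com": Registration("Org A", date(2019, 3, 1)),
    "example.net": Registration("Org B", date(2020, 6, 30)),
    "example.org": Registration("Org A", date(2018, 12, 31)),
}
# Ordinary cert whose lifetime extends past the registration it covers.
CERT_RESIDUAL = Cert("cert-1", date(2019, 8, 15), ("www.example.com", "example.com"))
# CDN-style cert bundling names of two unrelated registrants.
CERT_SHARED = Cert("cert-2", date(2018, 11, 1), ("cdn.example.com", "assets.example.net"))


def audit(cert: Cert, registrations: dict) -> dict:
    """Run both checks and return the findings for one certificate."""
    return {
        "outlives_registration": outlives_registration(cert, registrations),
        "shared_across_owners": shared_across_owners(cert, registrations),
    }


if __name__ == "__main__":
    for c in (CERT_RESIDUAL, CERT_SHARED):
        print(c.label, audit(c, REGISTRATIONS))
    print("max issuable notAfter for www.example.com + example.org:",
          max_issuable_not_after(("www.example.com", "example.org"), REGISTRATIONS))
```

Run as-is it flags `cert-1` for outliving the `example.com` registration by 167 days and flags `cert-2` as shared between two registrants; `max_issuable_not_after` shows the cap a CA would apply at issuance time, which is the first recommendation from the original post expressed as a date.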

