
Re: cert caching touch-ups

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2003-09-23 01:35:26 CEST

I'm worried that the implications of caching certs by fingerprint
aren't well understood. I haven't reviewed the code but this is
how I understand it is designed to work.

The only (difficult) thing the attacker has to do to subvert this
scheme is to persuade the user to "accept permanently" an SSL cert
for a site of the attacker's choosing. Once that is achieved, the
attacker can perform an undetected MITM attack against the user
for other sites they use, just by controlling the DNS.

E.g. I log in to IRC and someone persuades me to check out some
funky new code from https://funkycode.org/repos/, and I naively
hit the "accept permanently" button on my SVN client when prompted
for this new cert.

To arrange the MITM, the attacker had placed a subjectAltName
extension on the funkycode.org cert naming svn.webdav.org, and
then subverts the DNS for svn.webdav.org to point to a server
hosting trojaned neon code. Then when I "svn co" to make a new
neon release, I get trojaned code without knowing it.

joe

Received on Tue Sep 23 01:39:51 2003

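The weakness Joe describes is a question of what key the "accept permanently" cache uses. The following Python model, added here and not code from the thread or from Subversion/neon, contrasts a cache keyed on the fingerprint alone with one keyed on the (host, fingerprint) pair; the certificate fields and key bytes are constructed stand-ins, and the fingerprint is a hash of those fields rather than of real DER.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 server cert (no real DER involved)."""
    subject_cn: str
    sans: tuple          # subjectAltName dNSName entries
    public_key: bytes    # constructed key bytes, hashed into the fingerprint

    def fingerprint(self) -> str:
        material = self.subject_cn.encode() + ",".join(self.sans).encode() + self.public_key
        return hashlib.sha256(material).hexdigest()

    def matches_host(self, host: str) -> bool:
        # Hostname check as a TLS client does it: the CN or any SAN may match.
        return host == self.subject_cn or host in self.sans

class FingerprintOnlyCache:
    """'Accept permanently' keyed on the fingerprint alone (the design Joe criticises)."""
    def __init__(self):
        self.accepted = set()

    def accept_permanently(self, host: str, cert: Cert) -> None:
        self.accepted.add(cert.fingerprint())          # the host is forgotten

    def is_trusted(self, host: str, cert: Cert) -> bool:
        return cert.matches_host(host) and cert.fingerprint() in self.accepted

class HostScopedCache:
    """Same decision, but remembered for the (host, fingerprint) pair the user saw."""
    def __init__(self):
        self.accepted = set()

    def accept_permanently(self, host: str, cert: Cert) -> None:
        self.accepted.add((host, cert.fingerprint()))

    def is_trusted(self, host: str, cert: Cert) -> bool:
        return cert.matches_host(host) and (host, cert.fingerprint()) in self.accepted

def silently_trusted_on_second_host(cache_cls) -> bool:
    """Replay the mail's scenario. True means the client would not prompt when the
    same cert turns up for svn.webdav.org after its DNS has been redirected."""
    cache = cache_cls()
    # Cert issued to funkycode.org whose SANs also name svn.webdav.org.
    cert = Cert("funkycode.org", ("funkycode.org", "svn.webdav.org"), b"constructed-key")
    cache.accept_permanently("funkycode.org", cert)    # user hits "accept permanently"
    return cache.is_trusted("svn.webdav.org", cert)    # later "svn co" from svn.webdav.org
```

With the host-scoped cache the second connection is not silently trusted, so the client falls back to prompting the user for svn.webdav.org, which is the point at which the mismatch becomes visible.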
This is an archived mail posted to the Subversion Dev mailing list.
