I'm worried that the implications of caching certs by fingerprint
aren't well understood. I haven't reviewed the code but this is
how I understand it is designed to work.
The only (difficult) thing the attacker has to do to subvert this
scheme is to persuade the user to "accept permanently" an SSL cert
for a site of the attacker's choosing. Once that is achieved, the
attacker can perform an undetected MITM attack against the user
for other sites they use, just by controlling the DNS.
e.g. I log in to IRC and someone persuades me to checkout some
funky new code from https://funkycode.org/repos/, and I naively
hit the "accept permanently" button on my SVN client when prompted
for this new cert.
To arrange the MITM, the attacker had placed a subjectAltName
extension on the funkycode.org cert naming svn.webdav.org, and
then subverts the DNS for svn.webdav.org to point to a server
hosting trojaned neon code. Then when I "svn co" to make a new
neon release, I get trojaned code without knowing it.
joe
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Sep 23 01:39:51 2003