On Tue, Sep 23, 2003 at 10:15:41AM +0200, Tobias Ringstrom wrote:
> Joe Orton wrote:
> >e.g. I log in to IRC and someone persuades me to checkout some
> >funky new code from https://funkycode.org/repos/, and I naively
> >hit the "accept permanently" button on my SVN client when prompted
> >for this new cert.
> >
> >To arrange the MITM, the attacker had placed a subjectAltName
> >extension on the funkycode.org cert naming svn.webdav.org, and
> >then subverts the DNS for svn.webdav.org to point to a server
> >hosting trojaned neon code. Then when I "svn co" to make a new
> >neon release, I get trojaned code without knowing it.
>
> Fortunately this attack does not work with the current implementation
> becuase we do not consider any alternative hostnames for non-CA
> trusted certs. If you choose to permanently trust the cert above, you
> will get a question when you connect to svn.webdav.org because the
> hostname will not match the DN. You can only temporarily accept that
> error.
After looking at the code, I do believe the attack will work.
The only place that the hostname is checked is in neon, and neon does
check the subjectAltName extension. neon will *not* give an
NE_SSL_IDMISMATCH failure for the attempt to connect to the server
masquerading as svn.webdav.org above, only an NE_SSL_UNTRUSTED failure.
(BTW ra_dav seems to be assuming that the values of NE_SSL_* will match
the values of SVN_AUTH_SSL_* which is a bit dubious)
> This could be changed. We could consider the altname as well, but than
> we would have to show all names in the prompt so that the user will
> understand what hosts this cert will be acceptable for. I suspect that
> some people will think that this will make it too easy for the user to
> create a security problem. Users never read prompts properly. :-)
Yes, quite. On the day that svn.webdav.org presents the funkycode.org
certificate, I don't want a prompt, I want a big nasty error message. :)
The only way to achieve this is to cache by hostname/port.
Regards,
joe
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Sep 23 11:58:58 2003