
Re: [TLS] AIA cert fetching seen as harmful



Mike <mike-list@xxxxxxxxx> writes:

>With the addition of URL constraints embedded in CA certificates, an attacker
>would have to actively modify DNS packets or mess with routes or whatever to
>launch an attack.

This may be worth the effort though.  Someone pointed out (off-list) something
I hadn't thought about much, that internal servers are patched/updated a lot
less often than web-facing ones (after all, they're behind the firewall so
there's no need to risk breaking things with constant patching).  So you could
end up with a network full of older Red Hat machines that are out of
subscription and no longer get updates, or masses of flaky internal-use-only
web scripts and whatnot which are OK to use because they're behind the firewall
(in fact has anyone who's ever worked at any sort of sizeable organisation
*not* run into flaky hacked-together web scripts/apps for internal use only?).
So your AIA contains a location of:

  http://192.168.1.1:8080/timesheet.asp?userid=1234;DROP%20TABLE%20USERS

I'll bet there are a lot of people out there who'd be willing to poke with the
DNS for a chance to do that to <insert favourite big corporate target>.  We
know, from years of experience, that it's hard enough to
filter/whitelist/protect hardened web-facing servers; what AIA does is expose
totally vulnerable, unpatched, poorly-written apps and internal servers to the
same level of attack.

Peter.
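The screening step a TLS client would need before following any AIA URL, as an added example that is not part of the thread and not code from any TLS implementation discussed here. It is a hypothetical policy: only plain http, no userinfo, no query or fragment, no non-standard port, no IP-literal host, and the resolved address must be globally routable (so the DNS trick Peter mentions is caught after resolution, not just on the literal). The `resolver` parameter exists so the check can be exercised offline; the host names and addresses in the demonstration are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical client policy for this example: AIA pointers are fetched over
# plain http only (that is what CAs publish), and nothing else is followed.
ALLOWED_SCHEMES = {"http"}


def _is_internal(ip_text):
    """True for anything that is not a globally routable unicast address
    (RFC 1918, loopback, link-local, shared address space, multicast, ...)."""
    return not ipaddress.ip_address(ip_text).is_global


def check_aia_url(url, resolver=socket.gethostbyname):
    """Decide whether a client may fetch an AIA URL taken from a certificate.

    Returns (ok, reason). Every screen is applied before any network access,
    and the only network access is name resolution via `resolver`, which is
    injectable so the check can be tested with a fake resolver.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    # An AIA location carries a path to an OCSP responder or a CA cert; a
    # query string is a sign the URL is aimed at an application, not a CA.
    if parts.query or parts.fragment:
        return False, "query or fragment in AIA URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != 80:
        return False, f"non-standard port {port}"
    # Refuse IP-literal hosts outright: a CA publishes a name, not an address.
    try:
        ipaddress.ip_address(host)
        return False, "IP-literal host"
    except ValueError:
        pass
    # Resolve and check what we would actually connect to, so a name that is
    # steered (or rebound) to an internal address is still rejected.
    try:
        resolved = resolver(host)
    except OSError as exc:
        return False, f"resolution of {host} failed: {exc}"
    if _is_internal(resolved):
        return False, f"{host} resolves to non-global address {resolved}"
    return True, f"{host} resolves to {resolved}"


# Constructed name table standing in for DNS, so the demo runs offline.
FAKE_DNS = {
    "ocsp.example.net": "11.22.33.44",      # constructed public address
    "intranet.corp.example": "10.0.0.5",    # constructed internal address
}


def fake_resolver(host):
    return FAKE_DNS[host]


if __name__ == "__main__":
    samples = [
        "http://192.168.1.1:8080/timesheet.asp?userid=1234;DROP%20TABLE%20USERS",
        "http://192.168.1.1/ca.crt",
        "http://intranet.corp.example/ca.crt",
        "ldap://ocsp.example.net/",
        "http://ocsp.example.net/",
    ]
    for url in samples:
        ok, reason = check_aia_url(url, resolver=fake_resolver)
        print(("FETCH " if ok else "REJECT"), url, "-", reason)
```

The URL from the message above fails on its query string before the host is even looked at; a bare RFC 1918 literal fails the IP-literal screen, and an innocuous-looking internal host name fails only after resolution, which is the case a literal-only whitelist would miss.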
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls