COMMENTARY ON CVE-2020-0601: I have been speaking to several players on this on background and there are a few things they want to highlight / clarify based on the public discourse so far.
-
-
^
@BearSSLnews is the other cryptographer. Update on the SmartCard attack vector: It could work with right scenario, but in practice there aren’t really private roots signing with ECDSA, so there are likely no vulnerable intermediaries. And smartcards are pinned to a private rootPrikaži ovu nit -
Microsoft have built extensive alerting for CVE-2020-0601 which will definitely complicate exploitation, since there’s few in a network position to interdict your traffic, except governments. Yes I know about WiFi/Responder that’s not the main problem here https://twitter.com/amitaitechie/status/1217156973268893696?s=21 …https://twitter.com/AmitaiTechie/status/1217156973268893696 …
Prikaži ovu nit -
After FLAME abused a Microsoft certificate for malware, MSFT added large numbers of hardening solutions to WinUpdate, even for significant security break scenarios. It appears because of this, Windows Update itself is not vulnerable to CVE-2020-0601.https://twitter.com/gossithedog/status/1217242998418935809 …
Prikaži ovu nit -
This appears to show a private exploit for CVE-2020-0601 has now been developed. Saleem is a trusted researcher.https://twitter.com/saleemrash1d/status/1217495681230954506 …
Prikaži ovu nit -
Update: Chrome has also fallen to CVE-2020-0601 after a few extra constraints it imposes were met. It’s not a web browsers fault or responsibility to defeat an OS-level problem, it’s a flaw in the most basic tenets of Windows’ PKI validation.https://twitter.com/saleemrash1d/status/1217519809732259840 …
Prikaži ovu nit -
Sidenote: Intermediate CA certificate chaining and caching is an interesting problem that can happen in TLS. If you can’t figure out a validation problem, this may be the root cause. And it’s often overlooked since it “works on the developer’s machine” due to their own habits.
Prikaži ovu nit -
Update: - Chrome’s next version (Beta pending release) will detect CVE-2020-0601. - The New Edge browser Microsoft released today also defeats it. It’s not their responsibility to do this, but it is cool to go the extra mile. I don’t have a contact in Firefox about their plans.
Prikaži ovu nit -
I don’t have public documentation to prove this, you’re going to have to contact a security researcher who has an exploit and ask them to test my information.
Prikaži ovu nit -
Ah interesting! Firefox unaffected, makes sense, doh. Although Firefox has adopted parts of the Windows PKI engine for enterprise compatibility, they’re still based on their-in house NSS engine. My oversight. Thanks
@saleemrash1d, follow them for more infohttps://twitter.com/saleemrash1d/status/1217533569213640705 …Prikaži ovu nit -
Mozilla through their NSS engine and trusted certificate store program are a critical part of the global PKI system, we’re lucky to have their diversity of implementation. A very under-appreciated fact outside of small circles.
Prikaži ovu nit -
Well there we go, a public break released, after a couple of private examples provided yesterday. NSA obviously understood perfectly how fast this would happen. I did not properly gauge how that factored into their urgency.https://twitter.com/kennwhite/status/1217816643725930498 …
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.
)