So it's not that Windows uses the wrong curve parameters or anything like that, it's that at some point the key used to index into a validated cert cache is (serial, pub) when it should be (serial, pub, params). As they say, one of the hardest problems in CS is caching.
ohhhhhh. fuck.
Finally! Thanks! This is the first time I've gotten details on this. I was unsure how exactly the “fake cert” was able to impersonate a real root CA!
Or they could just copy the key out of the trust cache to validate instead of using the user supplied public key and assuming it is the same if some parameters match the one in the cache?
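To make the keying bug from the first tweet and the fix proposed in this reply concrete, here is an added Python sketch; it is not code from the thread or from Windows. Certificate fields are constructed byte-string stand-ins and no curve arithmetic is done: the point is only what the cache treats as a certificate's identity.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed stand-in for an X.509 certificate carrying an EC public key.
# In a real certificate `params` holds the curve parameters (named curve or
# explicit parameters including the generator); here it is an opaque label.
@dataclass(frozen=True)
class EcCert:
    serial: int
    pubkey: bytes
    params: bytes


class ValidatedCertCache:
    """Cache of certificates that already passed chain validation.

    key_fn chooses the fields that form the cache identity; the bug described
    in the thread is a key of (serial, pubkey) instead of (serial, pubkey, params).
    """

    def __init__(self, key_fn: Callable[[EcCert], Tuple]):
        self._key_fn = key_fn
        self._entries: Dict[Tuple, EcCert] = {}

    def remember(self, cert: EcCert) -> None:
        self._entries[self._key_fn(cert)] = cert

    def is_cached_as_valid(self, cert: EcCert, compare_full_record: bool = False) -> bool:
        cached = self._entries.get(self._key_fn(cert))
        if cached is None:
            return False
        # The reply's fix: compare the caller's cert against the stored copy in
        # full, instead of trusting that a key match implies an identical cert.
        return cached == cert if compare_full_record else True


def buggy_key(cert: EcCert) -> Tuple:
    return (cert.serial, cert.pubkey)


def fixed_key(cert: EcCert) -> Tuple:
    return (cert.serial, cert.pubkey, cert.params)


def lookalike_is_trusted(key_fn: Callable[[EcCert], Tuple], compare_full_record: bool = False) -> bool:
    """True if a cert with the root's serial and public point but different
    curve parameters is accepted from the cache under the given policy."""
    trusted_root = EcCert(serial=1, pubkey=b"\x04" + b"Q" * 64, params=b"named:P-256")
    # Constructed lookalike: same serial and point, explicit custom parameters.
    lookalike = EcCert(serial=1, pubkey=trusted_root.pubkey, params=b"explicit:custom")
    cache = ValidatedCertCache(key_fn)
    cache.remember(trusted_root)
    return cache.is_cached_as_valid(lookalike, compare_full_record)
```

Either defense closes the hole on its own: keying on the parameters, or comparing the full stored record before trusting the supplied certificate.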
This Tweet is unavailable.
Are you tempting me? :P
That explains a lot! Thanks!
I disagree with your assessment. Yes it could've been fixed by storing cache correctly, but that's like a compiler dev saying "well what you did is UB". He's right but also wrong, crypto should be designed to be resilient. TLS and Crypto32 should've never allowed custom curves.
The bug is in not treating EC params as part of certificate identity. However, you *are* correct that supporting custom curves at all is a bug, because RFC5480 explicitly forbids that. I assume they support it because ANSI X9.62 does, because banks or something?
How difficult is it to exploit? I.e. how much processing power does it take to create the key pair with an identical public key? Or perhaps those are already for sale?
It takes the same amount of time as to generate a key normally. So microseconds. Maybe milliseconds.