
Prolog to Lecture 7 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher






Presentation Transcript


  1. Prolog to Lecture 7, CS 236, On-Line MS Program, Networks and Systems Security, Peter Reiher

  2. Certificates and Web Browsers
  • As mentioned in the last lecture, web browsers ship with a list of many trusted root certificates (certificate authorities)
  • The list is defined by the browser manufacturer
  • Since the browser trusts them, you trust them
  • And you allow them to do various things, such as vouch for the identity of any web site

  3. Is This a Good Idea?
  • You are essentially using transitive trust
  • Mozilla or Microsoft or Google trusts someone
  • So I will too
  • At best, you are assuming things about the browser manufacturer

  4. An Example of a Problem
  • In March 2011, an attacker (apparently operating from Iran) compromised a registration-authority partner of Comodo
  • Comodo is one of the major certificate issuers, and its root is in every browser's trusted list
  • The attacker obtained bogus certificates for domains belonging to Google, Yahoo, Microsoft, and others
  • Browsers would have treated those certificates as authentic
  • Allowing the attacker to pose as these sites, for example to intercept logins

  5. Revoking the Certificates
  • Comodo quickly noticed the problem and put the certificates on its certificate revocation list (CRL)
  • Did that solve the problem?

  6. Browsers and CRLs
  • Recall the revocation issues with capabilities
  • Certificate revocation has the same issues
  • Browsers are supposed to check the issuer's CRL (or query its online status service, OCSP) before trusting a certificate
  • But . . .

  7. A Hole in the System
  • What if the browser can't access the CRL?
  • By default, browsers assume an uncheckable certificate isn't revoked (a "soft-fail" policy, chosen so that an unreachable CRL server doesn't break the web)
  • What if the attacker can cause the CRL request packets to be dropped?
  • As, say, a state entity could, within its borders, and as anyone already in position to intercept the victim's traffic could

  8. Problems That This Incident Pointed Out
  • Anyone on the browser's list of trusted certificate authorities can issue a certificate for any name; nothing binds a CA to the sites it is allowed to vouch for
  • Certificate authorities delegate their issuing ability to partners, so the partner's security becomes yours
  • Certificate revocation doesn't work in important cases: an attacker who can impersonate a site to you can usually also block your revocation check
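The trust decision described on slides 6 through 8, as an added example that is not part of the lecture: a Python simulation of a browser's certificate acceptance logic, walking through the stages of the incident. Real X.509 parsing, signature checking and the network are replaced by in-memory models (a certificate is just a hostname, issuer, serial number and CRL URL; a "fetcher" returns the revoked serials or raises when the URL is blocked), so the code runs offline and shows only the decision logic. All CA names, hostnames, serial numbers and URLs are constructed for the illustration. The last scenario goes one step beyond the slides: pinning the issuer expected for a hostname, which rejects the bogus certificate before revocation is even consulted.

```python
# Added example, not the lecture's code: simulate a browser's trust decision
# for a server certificate, to show (a) that any CA on the trusted list can
# vouch for any hostname and (b) that a revocation check which "soft-fails"
# when the CRL is unreachable lets a revoked certificate through.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Certificate:
    hostname: str    # name the certificate claims to speak for
    issuer: str      # CA that signed it (signature assumed to verify)
    serial: int      # identifies the certificate on the issuer's CRL
    crl_url: str     # where the issuer publishes its CRL


class CRLUnreachable(Exception):
    """The CRL download failed (timeout, dropped packets, ...)."""


def make_crl_fetcher(published: dict[str, frozenset[int]],
                     blocked: frozenset[str] = frozenset()
                     ) -> Callable[[str], frozenset[int]]:
    """Return a fetch function over an in-memory 'network'.

    `published` maps a CRL URL to the serial numbers it lists as revoked.
    Any URL in `blocked` fails, modelling an attacker who drops the
    browser's CRL request packets.
    """
    def fetch(url: str) -> frozenset[int]:
        if url in blocked:
            raise CRLUnreachable(url)
        return published[url]
    return fetch


def decide(cert: Certificate,
           trusted_cas: frozenset[str],
           fetch_crl: Callable[[str], frozenset[int]],
           soft_fail: bool = True,
           pins: Optional[dict[str, str]] = None) -> tuple[bool, str]:
    """Decide whether to trust `cert` for `cert.hostname`.

    Mirrors the behaviour the slides describe: the issuer only has to be
    on the trusted list (no binding between CA and hostname), and with
    soft_fail=True an unreachable CRL is treated as "not revoked".
    `pins` is an optional mitigation, not default browser behaviour: the
    issuer expected for a hostname, in the spirit of certificate pinning.
    """
    if cert.issuer not in trusted_cas:
        return False, "issuer not in trust store"
    if pins is not None and pins.get(cert.hostname, cert.issuer) != cert.issuer:
        return False, f"pin mismatch: expected {pins[cert.hostname]}, got {cert.issuer}"
    try:
        revoked = fetch_crl(cert.crl_url)
    except CRLUnreachable:
        if soft_fail:
            return True, "CRL unreachable, assumed not revoked (soft-fail)"
        return False, "CRL unreachable (hard-fail)"
    if cert.serial in revoked:
        return False, "revoked"
    return True, "valid"


# --- Constructed scenario modelled on the 2011 incident (names are illustrative)
TRUSTED_CAS = frozenset({"Comodo", "GoogleCA", "OtherCA"})
CRL_URL = "http://crl.example-ca.test/comodo.crl"   # constructed URL

# The bogus certificate: signed by a trusted CA, for a hostname that CA
# has no relationship with.
BOGUS = Certificate("mail.google.com", "Comodo", serial=0x1234, crl_url=CRL_URL)


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Walk through the stages of the incident; return each decision."""
    results: dict[str, tuple[bool, str]] = {}
    # 1. Before the CA notices: nothing is revoked, any trusted CA will do.
    fetch = make_crl_fetcher({CRL_URL: frozenset()})
    results["before_revocation"] = decide(BOGUS, TRUSTED_CAS, fetch)
    # 2. The CA lists the serial on its CRL and the browser can fetch it.
    fetch = make_crl_fetcher({CRL_URL: frozenset({BOGUS.serial})})
    results["after_revocation"] = decide(BOGUS, TRUSTED_CAS, fetch)
    # 3. Same CRL, but the attacker drops the request: soft-fail accepts.
    fetch = make_crl_fetcher({CRL_URL: frozenset({BOGUS.serial})},
                             blocked=frozenset({CRL_URL}))
    results["crl_blocked_soft_fail"] = decide(BOGUS, TRUSTED_CAS, fetch, soft_fail=True)
    # 4. Same attack against a hard-fail policy: rejected, at the cost of
    #    rejecting every site whose CRL server is merely down.
    results["crl_blocked_hard_fail"] = decide(BOGUS, TRUSTED_CAS, fetch, soft_fail=False)
    # 5. Pinning the issuer expected for the hostname rejects the bogus
    #    certificate without depending on the revocation check at all.
    pins = {"mail.google.com": "GoogleCA"}
    results["crl_blocked_with_pin"] = decide(BOGUS, TRUSTED_CAS, fetch, pins=pins)
    return results


if __name__ == "__main__":
    for stage, (accepted, why) in run_scenarios().items():
        print(f"{stage:<24} accepted={accepted!s:<5} ({why})")
```

Running the block prints one line per stage; the instructive one is stage 3, where the certificate is on the CRL and is still accepted because the browser could not fetch that CRL. Stage 4 shows the trade-off that keeps browsers on soft-fail: hard-fail turns any outage of a CA's CRL or OCSP server into an outage of every site that CA issued for.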
