[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Expired certificate

To: bk <chort0@xxxxxxxxx>
Subject: Re: [Full-disclosure] Expired certificate
From: Junk Meat <junkmeat@xxxxxxxxxxx>
Date: Fri, 16 Jul 2010 15:49:08 -0400

chort or whatever your name is, some of us know what we're doing and 
don't need to wait 2 weeks for a lousy ssl cert update much less a 
daemon restart... give me a break.

Quit defending the State of California, if they were so up on security 
they shouldn't have passed SB1386 or any other legislation for that 
matter.  Certificate authorities notify their customers well in advance 
of expiring certs, multiple times in fact, there's no excuse for that 
and then expecting your clients to violate best practice afterward.  As 
far as change control and system complexity, wise organizations keep 
things simple not overly complex.

Shawn Dermenjian

On 7/16/2010 3:11 PM, bk wrote:
> Maybe you should know what you're talking about before you speculate.  Most 
> daemons require a restart when you change their cert.  When you're talking 
> about a service that has guaranteed up-time, it can only be taken down for 
> scheduled maintenance.  Changing production systems on a whim totally fails 
> the 'A' in 'CIA' (and possibly the 'I' too).  Wise organizations implement 
> change-control policies to keep their critical systems from being run-amok by 
> ad-hoc changes.
>
> I'm familiar with the software State of California is using for a lot of 
> their secure file transfers and changing the certificate is not as simple as 
> you think (although the software is extremely secure).  There are several 
> cross-certification trust relationships that need to be established for the 
> software to continue working after replacing certs.
>
> The risk of connecting to a machine with an expired cert is that the cert may 
> have been revoked.  That's why there are expiration dates on certs.  Even if 
> you're using a CRL, you cannot have the CRL contain every cert that was 
> revoked for all of eternity.  The CRL only contains certs from when they were 
> revoked until when they expire.  That keeps CRLs slightly manageable 
> (although OCSP is a much better solution).
>
> If you're still connecting to the same IP and getting the same cert (check 
> the serial number and/or fingerprint), then at least you're sending data to 
> where you always have in the past.  What you want to be weary of is if the 
> serial number and/or fingerprint change and the cert is still invalid (those 
> will probably both change when the cert is re-issued, but then the cert chain 
> and not-before/not-after dates should be legit).
>
> --
> chort
>
> On Jul 16, 2010, at 11:31 AM, Junk Meat wrote:
>
>    
>> Your right Dan, encryption still does take place.  However, its hard to
>> understand why renewing
>> a certificate would take so long.  It should take no longer then 1/2
>> hour to receive a renewed
>> ssl cert from a certificate authority in my opinion and maybe a few
>> minutes to push it out depending
>> on the device that is publishing the cert.
>>
>> You should tell them that your security policy prevents you from making
>> a secure ftp transfer to a third
>> party with an expired certificate that contains non-public information
>> and see how fast they renew
>> their certificate.
>>
>> Basically you are now taking responsibility for any breach in the slight
>> chance that anything does
>> happen (man-in-the-middle, or otherwise) because you now know about the
>> problem.  Have them
>> acknowledge the expired ssl certificate on their end and sign-off on any
>> potential litigation that may
>> result if a breach does happen to occur.
>>
>> -Shawn Dermenjian
>>
>>
>> On 7/16/2010 1:10 PM, Daniel Sichel wrote:
>>      
>>> OK, I am in the Golden state (California) where things are not so golden
>>> at the moment.
>>> I deal with a state agency and use their "secure" ftp site.
>>> Their certificate has expired and won't be renewed for a few weeks, but
>>> they want me to continue to ftp stuff
>>> Using their expired cert.
>>>
>>> So, as a relative n00b,  what are the risks?
>>>
>>> Does it still encrypt even though, obviously, it can't be verified?
>>>
>>> My guess is that this still encrypts, but there is no authentication,
>>> possibly creating a man in the middle opportunity for some
>>> Nefarious person with evil intent (nobody I know, or who is on this
>>> list, of course).
>>>
>>>
>>> Anyway, any info would be welcome from the cognoscenti who subscribe
>>> here.
>>>
>>> Thanks,
>>> Dan Sichel
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>>        
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>      
>
>
>    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Expired certificate
  - From: bk

References:
- [Full-disclosure] Expired certificate
  - From: Daniel Sichel
- Re: [Full-disclosure] Expired certificate
  - From: Junk Meat
- Re: [Full-disclosure] Expired certificate
  - From: bk

Prev by Date: Re: [Full-disclosure] Expired certificate
Next by Date: Re: [Full-disclosure] Patent Absurdity - How software patents broke the system
Previous by thread: Re: [Full-disclosure] Expired certificate
Next by thread: Re: [Full-disclosure] Expired certificate
Index(es):
- Date
- Thread