The Sky is only partially falling today


So for everyone concerned, the sky is only partially falling today.  If you’ve been reading the security news, you’ve probably seen the links to


http://www.win.tue.nl/hashclash/rogue-ca/ and to http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt and to http://www.microsoft.com/technet/security/advisory/961509.mspx and to http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx and finally to http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx


So what are the best mitigations?  Firstly, normal GoDaddy certs are indeed based on SHA1 and not MD5.



Next, train folks to stop at bad or broken SSL certs.  Yes that means buying third party certs for your SBS boxes and not using self signed.


On a related note, one of my pet peeves (and one of Darryl Roberts’) is when you install an update to the root certificates on your server and then it throws off an Event 36885 Schannel error in your event logs.  The ‘fix’ is to tell you to remove those certificates you don’t need.  Okay..but…. which ones?  There are 219 of ‘em, which ones do I not need?



Interestingly enough, certs number 5 and 6 in that view are based on MD5, and given that I live in Fresno, not France, methinks I’ll back those up and export them out since they are based on MD5 anyway.
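As an added example (not part of the original post), this PowerShell script answers the "which ones?" question for the MD5 criterion: it lists the trusted roots whose own certificate signature uses MD5 and saves a DER copy of each before any cleanup. The backup folder is an assumed placeholder path, and the script removes nothing from the store.

```powershell
# Added example: inventory trusted root certificates whose own signature
# algorithm is MD5-based and back each one up. Nothing is deleted.
param(
    [string]$StorePath = 'Cert:\LocalMachine\Root',  # machine Trusted Root store
    [string]$BackupDir = 'C:\CertBackup\Root-MD5'    # hypothetical backup folder
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Each item is an X509Certificate2; SignatureAlgorithm.FriendlyName reads
# e.g. "md5RSA" or "sha1RSA", the same value the certificate viewer shows.
$roots = @(Get-ChildItem $StorePath)
$md5   = @($roots | Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'md5' })

foreach ($cert in $md5) {
    # DER-encoded copy named by thumbprint so it can be re-imported later
    $file = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
    [System.IO.File]::WriteAllBytes($file, $cert.RawData)
}

# Report what was found, soonest expiry first
$md5 | Sort-Object NotAfter |
    Format-Table -AutoSize @{n='Algorithm'; e={$_.SignatureAlgorithm.FriendlyName}},
        NotAfter, Thumbprint, Subject

'{0} of {1} roots use an MD5 signature; copies in {2}' -f $md5.Count, $roots.Count, $BackupDir
```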


But if you are seeing the Schannel issue…


Windows Event ID 36885 from Schannel:
http://www.eventid.net/display.asp?eventid=36885&eventno=8846&source=Schannel&phase=1


Darryl reported that this hotfix (which isn’t just for IAS servers but any server) will allow that repository to increase as it should to hold the proper root certs.


Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933430

2 Thoughts on “The Sky is only partially falling today”

  1. “Yes that means buying third party certs for your SBS boxes and not using self signed.”

    Today’s vuln proves the opposite.

    Trusted CAs aren’t the epitome of web safety. In fact, they are LESS safe than one of those “Invalid” (to use Mozilla’s or Microsoft’s ill-chosen words) self-signed certificates under some circumstances.

  2. Thanks for exploring this Susan. I have blogged about some ways to help mitigate the risk of this complex man-in-the-middle rogue SSL cert attack.

    Cheers,
    Dan
