Hi Patrick,

> As long as the bad guy doesn't compromise your private key, he
> won't be able to impersonate any of your hosts, wildcard cert or not.

What happens in the case of a web farm behind a proxy or load balancer, where the forward-facing host does SSL (perhaps through an accelerator)?

Jeff

On Tue, Jun 8, 2010 at 6:55 AM, Eisenacher, Patrick <patrick.eisenac...@bdr.de> wrote:
> Hi Jeff,
>
> thanks for responding, but see my comments below.
>
>> -----Original Message-----
>> From: Jeffrey Walton
>>
>> Hi Patrick,
>>
>> >> can you please elaborate on where you see a security drawback
>> >> in the attack scenario you mentioned when using wildcard
>> >> certs over non-wildcard certs?
>> Principle of least privilege dictates that only a single server (or
>> possibly related servers) be "authenticated". However, a wild card
>> will match all hosts (some hand waving here) - even if the host was
>> put in place by a bad guy. I'm aware of a couple of tools that will
>> flag it. Exchange's Security Analyzer is one of them.
>
> As long as the bad guy doesn't compromise your private key, he won't be able
> to impersonate any of your hosts, wildcard cert or not.
>
> Once he compromises your key, he further needs to hack your DNS to redirect
> traffic to his hosts.
>
> With a wildcard cert he can now add his hosts without interfering with the
> service of yours. Without a wildcard cert he would need to add some logic
> to redirect traffic to your host while keeping others for himself. No big
> deal.
>
> But once your host is hacked, I guess it's much easier to compromise your app
> to his needs. No need to hack further into DNS, to set up a server of his own
> and jump through more hoops, while increasing the chance of being detected.
>
> So security-wise, I still can't see the major drawbacks you were talking
> about earlier. I think wildcard certs are a valid option for securing your
> hosts.
>
>> A related attack from Black Hat:
>> http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
>
> But that presentation is talking about weaknesses in standard software and
> the way people are using them. Whether I protect my site with a wildcard or
> non-wildcard cert is of no relevance here.
>
>
> Patrick Eisenacher
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
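Added example, not from this thread or from OpenSSL: a Python implementation of the wildcard name-matching rule of RFC 6125 section 6.4.3 that TLS clients apply when they compare a certificate's DNS names against the host they connected to, together with a small audit routine that flags wildcard entries the way the "tools that will flag it" mentioned above do. It shows concretely what "a wild card will match all hosts (some hand waving here)" means: `*.example.com` covers every single-label child of `example.com`, including hosts nobody in the inventory recognises, but not the bare domain or a deeper subdomain. The names in SAMPLE_CERT_NAMES and SAMPLE_INVENTORY are constructed, and the "at least two labels after the wildcard" cutoff is an assumed conservative policy rather than something the thread states.

```python
"""RFC 6125-style wildcard hostname matching plus a wildcard-cert audit.

Added example (not code from the mailing-list thread or the OpenSSL project).
Sample certificate names and host inventory below are constructed for illustration.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lower-case, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def matches_hostname(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname.

    Rules applied (RFC 6125 sec. 6.4.3, as commonly implemented by TLS clients):
      * a wildcard is only honoured as the complete leftmost label ("*.example.com");
      * it matches exactly one label, so "*.example.com" covers neither
        "example.com" nor "a.b.example.com";
      * partial-label wildcards such as "w*.example.com" are rejected here
        (assumption: conservative policy; some clients accept them);
      * at least two labels must follow the wildcard, so "*.com" is rejected
        (assumption: conservative policy, matching common client behaviour).
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if "*" not in pattern:
        # Plain name: exact, case-insensitive label comparison.
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # wildcard spans exactly one label, never zero or several
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def audit_san_names(cert_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag wildcard entries in a certificate's DNS names for review.

    Returns (name, reason) pairs; non-wildcard names produce no finding.
    """
    findings: List[Tuple[str, str]] = []
    for name in cert_names:
        if "*" not in name:
            continue
        labels = _labels(name)
        if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
            findings.append((name, "malformed wildcard (not a whole leftmost label)"))
        elif len(labels) < 3:
            findings.append((name, "wildcard too broad (fewer than two labels after '*')"))
        else:
            findings.append((name, "wildcard: one key covers every host under "
                             + ".".join(labels[1:])))
    return findings


def covered_hosts(cert_names: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Return the inventory hosts that any of cert_names would authenticate.

    Useful for spotting hosts a wildcard silently covers that are not in the
    expected set, i.e. the 'host put in place by a bad guy' case in the thread.
    """
    names = list(cert_names)
    return [h for h in inventory if any(matches_hostname(n, h) for n in names)]


# Constructed sample data (assumption): names from a hypothetical wildcard cert
# and a host inventory that contains one host nobody expects to exist.
SAMPLE_CERT_NAMES = ["example.com", "*.example.com"]
SAMPLE_INVENTORY = [
    "www.example.com",
    "mail.example.com",
    "example.com",
    "dev.internal.example.com",      # two labels below example.com: NOT covered
    "unexpected-host.example.com",   # unknown host, but covered by the wildcard
]

if __name__ == "__main__":
    for name, reason in audit_san_names(SAMPLE_CERT_NAMES):
        print(f"FLAG {name}: {reason}")
    for host in covered_hosts(SAMPLE_CERT_NAMES, SAMPLE_INVENTORY):
        print(f"covered: {host}")
```

Running the script prints one finding for `*.example.com` and lists four covered hosts; `dev.internal.example.com` is absent because the wildcard matches a single label only, while `unexpected-host.example.com` is present even though it is not a host anyone set up deliberately. That is the asymmetry the thread is arguing about: the wildcard changes nothing until the private key is lost, but once it is, the certificate already vouches for any name the attacker chooses under the domain.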