A world of hurt after GoDaddy, Apple, and Google misissue 1M certificates

267 points by jonburs, about 6 years ago

20 comments

profmonocle, about 6 years ago

Just to be clear - "misissued" in this case doesn't mean they were issued to someone who doesn't control the domain. The issue is they were issued using a 63-bit serial number instead of the minimum 64 bits. (The software these CAs were all using was generating 64 random bits, but setting the first bit to zero to produce a positive integer.)

The reason CAs are required to use 64-bit serial numbers is to make the content of a certificate hard to guess, which provides better protection against hash collisions. IIRC this policy was introduced when certs were still signed using MD5 hashes. (That or shortly after it was retired.) Since all publicly-trusted certs use SHA256 today, the actual security impact of this incident is practically nil.
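The 63-versus-64-bit point in the comment above, as an added Python example that is not code from the thread, from EJBCA, or from any of the CAs named. `weak_serial` reproduces the behaviour the comment describes (64 random bits with the top bit forced to zero), `compliant_serial` keeps all 64 bits and leaves positivity to the DER encoder, and `audit_serials` is a constructed defender-side check that flags an issuer whose serials never have bit 63 set. The function names and the batch threshold of 32 are assumptions of this example; the DER INTEGER rules (two's-complement content, leading 0x00 for a positive value whose top bit is set, minimal encoding) are the standard X.690 ones.

```python
import secrets
from typing import Callable, Iterable

RandBytes = Callable[[int], bytes]  # any CSPRNG-style "give me n random bytes" function


def weak_serial(randbytes: RandBytes = secrets.token_bytes) -> int:
    """Reproduce the flaw the thread describes: draw 64 random bits, then clear
    the most significant bit so the value fits a positive signed 64-bit integer.
    Only 63 bits of entropy survive, because bit 63 is always zero."""
    value = int.from_bytes(randbytes(8), "big")
    return value & ((1 << 63) - 1)


def compliant_serial(randbytes: RandBytes = secrets.token_bytes) -> int:
    """Keep all 64 random bits. Positivity is a property of the DER encoding
    (a leading 0x00 byte when bit 63 is set), not something bought by dropping a bit.
    Zero is rejected because a serial must be positive; with 64 random bits the
    loop practically never repeats."""
    while True:
        value = int.from_bytes(randbytes(8), "big")
        if value != 0:
            return value


def der_encode_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02). ASN.1 INTEGERs
    are two's-complement, so a value whose top bit is set needs one extra 0x00
    content byte: a 64-bit serial with bit 63 set occupies 9 content bytes."""
    if value < 0:
        raise ValueError("certificate serials must be non-negative")
    # (bit_length + 8) // 8 gives one extra byte exactly when the top bit of the
    # most significant byte is set, and a single byte for the value 0.
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(content) >= 0x80:
        raise ValueError("serial far longer than the 20-octet limit")
    return bytes([0x02, len(content)]) + content


def der_decode_integer(data: bytes) -> int:
    """Decode a DER INTEGER, rejecting non-minimal encodings. The result is a
    Python int (a bignum), so a 65-bit positive value is no problem here, unlike
    a decoder that stores the parsed value in a native 64-bit type."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for a serial number")
    content = data[2:2 + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty INTEGER")
    if length > 1 and content[0] == 0x00 and not content[1] & 0x80:
        raise ValueError("non-minimal encoding: redundant leading 0x00")
    if length > 1 and content[0] == 0xFF and content[1] & 0x80:
        raise ValueError("non-minimal encoding: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True)


def audit_serials(serials: Iterable[int], bits: int = 64) -> dict:
    """Check a batch of serials from one issuer. A single serial says nothing
    about entropy, but across many certificates bit (bits-1) should be set about
    half the time. If it is never set in a batch of at least 32 (threshold is an
    assumption of this example), a compliant generator would produce that with
    probability below 2**-32, so the batch is flagged."""
    serials = list(serials)
    n = len(serials)
    top_set = sum(1 for s in serials if (s >> (bits - 1)) & 1)
    return {
        "count": n,
        "top_bit_set": top_set,
        "top_bit_fraction": top_set / n if n else 0.0,
        "non_positive": sum(1 for s in serials if s <= 0),
        "suspicious": n >= 32 and top_set == 0,
    }


if __name__ == "__main__":
    weak = [weak_serial() for _ in range(200)]
    good = [compliant_serial() for _ in range(200)]
    print("weak generator:", audit_serials(weak))
    print("good generator:", audit_serials(good))
    s = good[0]
    print(f"serial {s:#x} -> DER {der_encode_integer(s).hex()}")
```

Run as a script it audits 200 serials from each generator; the weak batch is flagged because bit 63 is never set, while the compliant batch sets it roughly half the time and, when it does, encodes to a 9-byte INTEGER content rather than 8.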
air7, about 6 years ago

This article really annoys me.

It's "Rage Culture" or maybe just front-page seeking by the author. The problem with that is that it makes people desensitized because if everyone is screaming all the time, one should just shut their ears. We have real issues to discuss and this isn't one of them by a long shot.

Reducing the search space from 64 bits to 63 bits is of no consequence because if an attack on 63 bits was feasible, it would mean the same attack would work 50% of the time on 64 bits (or take twice as long for 100%). That wouldn't be acceptable at all.

Sure, 64 > 63, but at the very least it's not "A world of hurt".
geofft, about 6 years ago

> Adam Caudill, the security researcher who blogged about the mass misissuance last weekend, pointed out that it's easy to think that a difference of 1 single bit would be largely inconsequential when considering numbers this big. In fact, he said, the difference between 2^63 and 2^64 is more than 9 quintillion.

Okay, but, that's because 2^63 itself is more than 9 quintillion. Where the search space was previously 18 quintillion, it's now 9 quintillion. Both of those are "big". The attack is 50% easier than "theoretically impossible before certificate expiration," which should still mean that it's impossible.
Golfkid2Gadfly, about 6 years ago

What an incredible non-story burying an actual real and terrifying story.

The crux of this entire issue is a company known as Dark Matter, which is essentially a UAE state sponsored company, potentially getting a root CA trusted by Mozilla.

It's highly suspected that Dark Matter is working on behalf of the UAE to get a root trusted certificate in order to spy on encrypted traffic at their will. Everyone involved in this decision is at least suspect of this if not actively seeking a way to thwart Dark Matter.

Mozilla threw the book at them by giving them this technical hurdle about their 63-bit generated serial numbers - which turned out to be something that a lot of other (far more reputable) vendors also happened to have this issue with.

Should it get fixed? Ya, absolutely.

Is it nearly as big of a deal as giving a company like Dark Matter, who works on behalf of the UAE, the ability to decrypt HTTPS communication? Not even close - this is far scarier, and much more of a security threat to you and me. It's pretty disappointing that this is the story that arstechnica runs with instead of the far more critical one.

The measures of what makes a trustworthy CA are things like organizational competency and technical procedures. These are things that state level actors easily succeed in. There is no real measure in place for motives and morals for state level actors. That should be the terrifying part of this story - anyone arguing about the entropy of 63 or 64 bits is simply missing the forest for the trees in this argument.
wahern, about 6 years ago

Presumably 64 bits were originally chosen because it still permitted simple or naive ASN.1 decoders to return the parsed value as a native 64-bit type. But ASN.1 INTEGERs are always signed, so these serials would now have to be 65 bits. But any ASN.1 decoder interface that permitted directly storing a 65-bit value into a 64-bit type--even an unsigned type--is dangerous if not broken. I'm guessing that most X.509 management software (much like my own) simply maintains the parsed serial as a bignum object.

Serials were originally intended for... well, for multiple purposes. But if they only function today as a random nonce, and if they're already 65 bits, then they may as well be 128 bits or larger.

A randomly generated 64-bit nonce has a 50% chance of repeating after 2^32 iterations. That can be acceptable, especially if you can rely on other certificate data (e.g. issued and expire timestamps) changing. But such expectations have a poor track record which you don't want to rely on unless your back is against the wall (e.g. as in AES GCM). Because certificates are already so large, absent some dubious backwards compatibility arguments I'm surprised they just didn't require 128-bit serials.
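The birthday-bound remark in the comment above, worked through as an added example that is not part of the thread. It uses the standard approximation for the probability that k values drawn uniformly from a space of N = 2^bits collide, p ≈ 1 - exp(-k(k-1)/(2N)), and its inverse, so the 50% point for 64-bit and 63-bit serials can be compared directly; the function names are this example's own.

```python
import math


def birthday_collision_probability(bits: int, draws: int) -> float:
    """Probability that at least two of `draws` values drawn uniformly at random
    from 2**bits possibilities coincide. Standard approximation
    p ~= 1 - exp(-k(k-1) / (2N)); accurate when draws << 2**bits."""
    space = 2 ** bits
    exponent = -(draws * (draws - 1)) / (2 * space)
    return 1.0 - math.exp(exponent)


def draws_for_probability(bits: int, p: float) -> int:
    """Smallest number of draws at which the collision probability reaches p,
    from the inverse of the approximation: k ~= sqrt(2N ln(1/(1-p)))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2 ** bits
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))


def compare_serial_sizes(weak_bits: int = 63, full_bits: int = 64, p: float = 0.5) -> dict:
    """Summarise how much sooner a random-serial generator with `weak_bits` of
    entropy reaches collision probability p than one with `full_bits`."""
    weak = draws_for_probability(weak_bits, p)
    full = draws_for_probability(full_bits, p)
    return {
        "weak_bits": weak_bits,
        "full_bits": full_bits,
        "draws_weak": weak,
        "draws_full": full,
        # ratio is 1/sqrt(2) for a one-bit loss, not 1/2: collisions scale with the
        # square root of the space, whereas guessing a specific serial scales linearly.
        "ratio": weak / full,
    }


if __name__ == "__main__":
    k = 2 ** 32
    print(f"64-bit serials, 2^32 draws: p = {birthday_collision_probability(64, k):.3f}")
    print(f"64-bit serials, 50% at about {draws_for_probability(64, 0.5) / k:.3f} * 2^32 draws")
    print(compare_serial_sizes())
```

At exactly 2^32 draws the 64-bit collision probability is about 0.39; the true 50% point sits near 1.18 * 2^32, so "roughly 2^32" is the right order of magnitude. Losing one bit moves that point down by a factor of 1/sqrt(2), not 1/2, which is the distinction between a collision search and a direct guess of one certificate's serial.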
SethTro, about 6 years ago

Seems like a lot of hand-wringing over nothing; security is done with huge factors of safety (moving to 256-bit keys when no one had ever broken a 128 or even 96-bit key). It's hard to imagine that 1, 2, or even a quarter of the bits couldn't be zeroed.

> it's easy to think that a difference of 1 single bit would be largely inconsequential when considering numbers this big. In fact, he said, the difference between 2^63 and 2^64 is more than 9 quintillion.
xyzzy123, about 6 years ago

Given that there seems to be no security impact (and none expected in the next year or two)...

Curious why everyone doesn't agree to use 64 bits in future and just let the mis-issued certs live out their natural life?

Seems to create a lot of busywork for lots of people for no discernible benefit?
helper, about 6 years ago

This is the CAB Forum rationale for serial number entropy[1]:

> As demonstrated in https://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf, hash collisions can allow an attacker to forge a signature on the certificate of their choosing. The birthday paradox means that, in the absence of random bits, the security level of a hash function is half what it should be. Adding random bits to issued certificates mitigates collision attacks and means that an attacker must be capable of a much harder preimage attack. For a long time the Baseline Requirements have encouraged adding random bits to the serial number of a certificate, and it is now common practice. This ballot makes that best practice required, which will make the Web PKI much more robust against all future weaknesses in hash functions. Additionally, it replaces "entropy" with "CSPRNG" to make the requirement clearer and easier to audit, and clarifies that the serial number must be positive.

[1]: https://cabforum.org/2016/03/31/ballot-164/
mikestew, about 6 years ago

Theoretical possibilities and minimal security impacts aside, I'm not seeing comments along the lines of the brown M&M clause [0]. Yeah, brown M&M's weren't going to ruin the day of David Lee Roth, but that wasn't the point: when dealing with heavy and high-amperage equipment of a stage show, what else did you forget or ignore?

64 bits, 63 bits, what's the difference? The difference is that we now have to go through everything you might have forgotten that will make a difference. In other words, we apparently can't trust you to follow instructions, and certificates are all about trust.

[0] https://www.snopes.com/fact-check/brown-out/
nneonneo, about 6 years ago

Ok, I'm all for strong security and better SSL infrastructure, but the response to this issue was just totally overboard. The issue - one fixed bit in a 64-bit randomized serial field - does not compromise the security of these certs in any meaningful way, especially not before their natural expiry dates anyway.

The disruption caused by reissuing everything surely exceeded the disruption of this theoretical issue. I guess, on the plus side, we get to find out whether the PKI infrastructure is ready for a mass revocation/replacement event...
IloveHN84, about 6 years ago

Personally I hate EJBCA.

Recently they stopped releasing new updates for the community edition (blocked at 6.10, while 7.0.1 is out) because they are a really greedy company.

Building it yourself is half a nightmare, and the installation process as well, relying on ant tasks that fail 5 out of 10 times.

Considering the UI, most of the settings can be really misused and even their evangelist can get fooled by it (especially with their Enterprise Hardware Instance, whose synchronization across the nodes is also faulty).
spydum, about 6 years ago

Sooooo all the big players depend on one CA PKI package: EJBCA - is that not a major concern?
a-wu, about 6 years ago

For background, earlier this month, DarkMatter applied for Mozilla root CA inclusion. There was an email thread [1], with concerns about DarkMatter, and one of the emails [2] was concerned that DarkMatter was generating serial numbers in this exact same fashion using EJBCA. There was a pretty long-winded discussion in the thread about whether flipping the MSB constituted a loss of 1 bit of entropy and an EJBCA dev chimed in [3] saying basically that they are pushing a fix to solve this. This seems to have kicked off this issue. (There's a lot more to it, with DarkMatter's CTO saying that the method did not constitute a loss of a bit, etc., but this thread seems to be where the issue was discovered at least.)

[1] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/nnLVNfqgz7g

[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VAdQotoiBQAJ

[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/OVKywVZIBgAJ
ggm, about 6 years ago

CT principles would surely demand they do some public facing declaration?

The 'pull the certificates from the browsers' thing demands people from these companies maybe recuse themselves from conversations?

(This is public trust process stuff, not technology per se.)
modeless, about 6 years ago

Is this a consequence of Java's failure to expose unsigned integer types?
jrochkind1, about 6 years ago

From that write-up, I'd call that a bug in EJBCA more than a "misconfiguration". If it was working as designed, then its design was buggy. :)
bitxbitxbitcoin, about 6 years ago

"Almost no chance of exploitation."

How true is this?
tbodt, about 6 years ago

The true cost of Java not supporting unsigned integers.
bandrami, about 6 years ago

Again and again, the problem with PKI is not the tech, but the agents. We need an authorityless solution.
omeid2, about 6 years ago

The interesting aspect that a lot of people are overlooking is that, for a theoretical attack within certain timeframes, this difference can be make-it-or-break-it!

Imagine a collision attack that takes about 1 year with 64-bit serial numbers; with 63-bit serial numbers it should take about half, at 6 months.

The average certificate is issued for about 1 year, so being able to mount a collision attack that took 1 year in 6 months can make the difference between generally-not-useful and very practical and dangerous.