Thread: Hack SSL Certificates & CA's 0Day PoC

  1. #3
    snowshell (Junior Member; Join Date: Oct 2011; Posts: 6)

    And this stops you because? Firefox preferences, advanced tab validation, validate a certificate if it specifies an OCSP server.

    If you own your own cyber-cafe getting everyone to use your invalid certificate or if they must proxy through you to get to PayPal the validation chain is not a problem. It's perfectly valid if you're the server handling the request.

    The only thing that makes an SSL certificate you've crafted yourself different from one signed by a CA is that you're using your own CA for the signing request.

    So what stops you from calling yourself, GeoTrust or VeriSign?

    And what stops you from authorizing the request via your own OCSP responder?

    Nothing...

    Of course they may realize later on that they've been had, when they try to access the genuine article elsewhere and get an OCSP Error.

    It's a perfectly valid point but one that is moot if you're doing a Man-in-the-Middle.
    The request has to go through you first before it makes it to the intended target.

    Let's have a little topology graph...

    Customer(0) ----> Paypal(1) <---->CA_Cert(Request)

    What we're attempting to do...

    Customer(0) <----> Attacker(1) <----> Paypal(0) <----CA_Cert(Request)

    To be perfectly honest all this jumping in the way to decrypt what they're sending to resend it on afterwards and then send the response back to them whilst lulling them into a false sense of security with the words Verified by ..whoever.. is just a long-winded proof of concept that it's easier than people think, but in truth you could just install a key-logger in some scenarios and not waste time on the whole idea and that would be done with it.

    A man-in-the-middle is kind of an extreme length to go to to obtain some obscure bit of information, I mean do I really give a sh** if someone opens and reads my mail? I can generate my own SSL Certificates and use them for mail signing and then for added extra security I can add PGP to the mix but in truth I do neither because, nearly everyone I know has no idea what PGP is and in truth nothing I ever send by e-Mail is that earth shattering anyway. If it was I would use word of mouth and a thing invented by Alexander Bell called a phone!

    Look on the plus side, at least there's maybe now over a handful of people out there that have downloaded these tools and are now expressing an interest in how it would work, so when you've generated your own Generic CA Certificate with RSA @ 2048bit you can go exploring things like the security options in Thunderbird or Outlook Express where you have the option of using your Certificates to enhance your own security on your e-Mail and who knows maybe some of you might like the idea of added security on top of your PGP/MIME or using them to enforce security on your own Web-Server without having to pay VeriSign or Comodo a small fortune every year to acquire those certificates.. Now @ least you're learning how to make them for yourself!

    Validity Period    Price
    1-year             £259 excl. VAT
    2-year             £399 excl. VAT (Save over £115)
    3-year             £525 excl. VAT

    That's VeriSign's price quota on up to 256-bit encryption.

    So 4068-bit RSA with a minimum of 512 with an unlimited shelf-life must really make them ecstatic.
    Last edited by snowshell; November 5th, 2011 at 12:48 PM.
    CEREAL: "Yeah but oh man, wouldn't you just love to get one of those Gibsons, baby? Ooooh!"
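
The post's point that a self-made CA can carry any name is why a trust store has to be audited by certificate fingerprint, not by subject name. The sketch below is an added example, not part of snowshell's post: it flags installed roots whose name matches a known-good baseline entry but whose SHA-256 fingerprint does not. The CA names, the byte strings standing in for DER certificates, and the baseline are constructed for illustration.

```python
import hashlib
import ssl

def norm(name):
    """Normalise a subject name so case/spacing variants compare equal."""
    return " ".join(name.split()).casefold()

def fingerprint(der):
    """SHA-256 over the DER bytes; unlike the name, it is bound to the key."""
    return hashlib.sha256(der).hexdigest()

def audit_roots(installed, baseline):
    """installed: iterable of (subject_name, der_bytes).
    baseline: dict subject_name -> set of known-good fingerprints.
    Returns (kind, subject_name, fingerprint) for every root not in the baseline."""
    known_fps = {fp for fps in baseline.values() for fp in fps}
    known_names = {norm(n) for n in baseline}
    findings = []
    for name, der in installed:
        fp = fingerprint(der)
        if fp in known_fps:
            continue  # exact certificate we expect
        kind = "lookalike" if norm(name) in known_names else "unknown"
        findings.append((kind, name, fp))
    return findings

def load_system_roots():
    """Read roots OpenSSL has loaded for the default context (may be empty
    on capath-only systems). Assumes both calls list certs in the same order."""
    ctx = ssl.create_default_context()
    pairs = zip(ctx.get_ca_certs(), ctx.get_ca_certs(binary_form=True))
    roots = []
    for info, der in pairs:
        attrs = dict(rdn[0] for rdn in info["subject"])
        roots.append((attrs.get("commonName", attrs.get("organizationName", "?")), der))
    return roots

# Constructed sample data: byte strings stand in for DER-encoded certificates.
GENUINE = b"constructed-der-genuine-root"
BASELINE = {"Example Trust Root CA": {fingerprint(GENUINE)}}
INSTALLED = [
    ("Example Trust Root CA", GENUINE),
    ("Example Trust Root CA", b"constructed-der-same-name-other-key"),
    ("Cafe Proxy CA", b"constructed-der-unlisted-root"),
]

if __name__ == "__main__":
    for kind, name, fp in audit_roots(INSTALLED, BASELINE):
        print(f"{kind:9} {name}  sha256={fp[:16]}...")
```

On a real machine, pass `load_system_roots()` as `installed` and build the baseline from a trusted reference image.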
