RE: Self-signed certs unrestricted in Windows XP

From: Menashe Eliezer (menashe_at_finjan.com)
Date: 12/16/03

  • Next message: JeiAr: "Re:Re: SQL Injection Vuln In osCommerce 2.2-MS1" 
    Date: Wed, 17 Dec 2003 00:07:45 +0200
To: <bugtraq@securityfocus.com>

    Andrew,
    Your test demonstrates more problems:
    1. The signed applet has been launched automatically without any security warning that asks whether to trust the signer.
    The browser assumes that since you trust the signer for signing the page, you also trust the signer to sign the Java applet.
    However, you haven't decided to trust the signer as a trusted publisher.
    The certificate doesn't appear in the publishers list (Tools-Internet Options-Content-Publishers)
    IE should have warned you that that the applet has been signed by entrusted publisher.
    Trusting a signer to launch mobile code on your machine is much more dangerous than trusting it for signing a web page.
    If IE is configured to use Sun Java Plug-In, there will be a security warning. This is actually the work around for the problem that you have raised.
    2. I've configured IE to warn upon 'Changing between secure and not secure mode'. It doesn't prevent the automatic loading of the Java applet from non-HTTPS web site.

    Your demonstration shows the need for scanning encrypted web pages in the gateway level.
    Finjan Software is launching in the upcoming year a new product that enables the scanning of encrypted web pages.
    Finjan Software will also be launching a new product in 2004 that validates SSL certificates.
    Your demonstration was blocked in our lab since the CA was not trusted by the security administrator.
    After we've added the CA to our store, SurfinGate for Web has proactively blocked the signed applet for a network violation.
    Future versions of SurfinGate for Web will provide an additional line of defense and block any mobile code that is signed by a self-signed certificate.
    Finjan Software desktop applications proactively blocks the signed applet for a network violation. 

    --
Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
 
Prevention is the best cure!
-----Original Message-----
From: Andrew Daviel [mailto:advax@triumf.ca]
Sent: Sunday, December 14, 2003 10:23 PM
To: bugtraq@securityfocus.com
Subject: Self-signed certs unrestricted in Windows XP
It appears that if a self-signed (test) certificate is installed under
Windows XP, that it acquires all (or an unreasonable number of) privileges
by default.
I was testing a webserver and Java applet which I had signed with
a self-signed cert (https://andrew.triumf.ca/mterm/)
I notice that under Windows XP, if I elect to accept the certificate
permanently, and then go to the Content tab in "Internet Options" in IE,
that I see my cert is installed under "Trusted Root CAs", and if I click
Advanced, that it is by default trusted for a large number of purposes
such as driver verification and time stamping; I can change this (and did)
under "View->Details->Edit Properties".
I would have assumed that it would only be trusted for "Server
Verification" (and for the Java certificate, "Code Signing")
(In Netscape 4 or Mozilla on Linux, the server cert is installed only as
an "SSL Server Site", while the Java cert, although installed as a CA,
does not by default certify network sites, and is not used for local
functions such as filesystem encryption, software package verification
etc.)
Since by default self-signed certs are not trusted, and generate a lot
of alerts if used, I don't see this a big problem. But on occasion
someone may use such a cert to provide protection against eavesdropping at
zero cost, and tell users "if you install the cert you won't get the
popups every time you connect", without taking the same precautions to
safeguard the private key as they might otherwise have done.
(It might be nice to have a mechanism to trust a certificate for
only one object, but I guess things don't work like that)
-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
  • Next message: JeiAr: "Re:Re: SQL Injection Vuln In osCommerce 2.2-MS1"

    Relevant Pages

    • Applet Question
      ... I am trying to build a web-base application using Java Applet for my ... Is it possible to give it full trust like a local application? ... Do I really need a signed applet in this case? ...
      (comp.lang.java.help)
    • Help - scared by Java certificate question
      ... Java applet to allow you to drag-n-drop files from your finder onto ... "Click Trust to run this applet and allow it unrestricted access to your ... Click Don't trust to run this applet with standard Java ... That phrase "unrestricted access" is what scares me. ...
      (comp.sys.mac.comm)
    • Adding certificate to trusted certificates using an applet?
      ... I have a question about using a signed applet. ... so I'm using a self signed certificate. ... java API to add a trusted certificate to the store that the browser ...
      (comp.lang.java.security)
    • Re: Applets, JAXB and security policy
      ... When the code is running with a security manager and ... Attempting things that require full trust. ... OK - how exactly is the applet attempting to read the JAXBContext? ... it invoked by other code over which you have no control? ...
      (comp.lang.java.programmer)
    • Re: signed applet - resetting once REFUSED?
      ... I have a signed applet, and if the user accepts it, ... I assume this varies from browser to browser ... Once accepted always, the certificate appears in the user's keychain, ...
      (comp.lang.java.programmer)
    Loading