> Group,
>
> I'm referring to the certificate validation issues that recently made huge
> press:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0862
>
> ...
>
> When I was doing my research quite a while ago
> (http://online.securityfocus.com/archive/1/273101) I noticed that some
> certificates do not have Basic Constraints or any other optional fields in
> the X.509 certificate. One example is the certificate used on Steve Gibson's
> GRC Web site (https://grc.com).

Those are V1 certs. You are correct. X509v1 certificates do not have any kind of X509v3 extensions (basicConstraints, keyUsage, extKeyUsage, etc.).

> The problem being, if there's no Basic Constraints or Enhanced Key Usage
> field on the certificate in the middle of the certification chain, there's
> no means for the client software to verify if a web server SSL certificate
> was used as a CA certificate. Therefore, all platforms are vulnerable to
> identity spoofing.

This last statement is not necessarily true. Only platforms that allow V1 certificates to sign other certificates would be vulnerable. At this time, I have no idea which platforms these are (I have not checked). I believe that some of the Verisign personal certificates are still issued in V1 format (I haven't checked up on this in some time though). A careless application that afforded these V1 certificates signing privileges would be vulnerable to man-in-the-middle attacks similar to the basicConstraints attack against IE.

Unfortunately, since the vast majority of root CA certificates (including Verisign's) are V1 certificates, these certificates must still be tolerated. However, it would be wise to only tolerate them in a limited form. The simplest approach would be to let the root CA certificate be a V1 certificate while refusing to allow any other V1 certificates in the chain to act as signers.
A quick glance through IE's certificates reveals that none of the non-root CA certificates are V1, so this shouldn't cause any interoperability problems in practice. I have not done any testing to see which applications are vulnerable to "V1-in-the-middle" attacks. I would not be at all surprised to find that many of them are.

-Ivan Nestlerode