Andrew, Your test demonstrates more problems: 1. The signed applet has been launched automatically without any security warning that asks whether to trust the signer. The browser assumes that since you trust the signer for signing the page, you also trust the signer to sign the Java applet. However, you haven't decided to trust the signer as a trusted publisher. The certificate doesn't appear in the publishers list (Tools-Internet Options-Content-Publishers) IE should have warned you that that the applet has been signed by entrusted publisher. Trusting a signer to launch mobile code on your machine is much more dangerous than trusting it for signing a web page. If IE is configured to use Sun Java Plug-In, there will be a security warning. This is actually the work around for the problem that you have raised. 2. I've configured IE to warn upon 'Changing between secure and not secure mode'. It doesn't prevent the automatic loading of the Java applet from non-HTTPS web site. Your demonstration shows the need for scanning encrypted web pages in the gateway level. Finjan Software is launching in the upcoming year a new product that enables the scanning of encrypted web pages. Finjan Software will also be launching a new product in 2004 that validates SSL certificates. Your demonstration was blocked in our lab since the CA was not trusted by the security administrator. After we've added the CA to our store, SurfinGate for Web has proactively blocked the signed applet for a network violation. Future versions of SurfinGate for Web will provide an additional line of defense and block any mobile code that is signed by a self-signed certificate. Finjan Software desktop applications proactively blocks the signed applet for a network violation. -- Regards, Menashe Eliezer Manager, Malicious Code Research Center Finjan Software http://www.finjan.com/mcrc Prevention is the best cure! -----Original Message----- From: Andrew Daviel [mailto:advax@triumf.ca] Sent: Sunday, December 14, 2003 10:23 PM To: bugtraq@securityfocus.com Subject: Self-signed certs unrestricted in Windows XP It appears that if a self-signed (test) certificate is installed under Windows XP, that it acquires all (or an unreasonable number of) privileges by default. I was testing a webserver and Java applet which I had signed with a self-signed cert (https://andrew.triumf.ca/mterm/) I notice that under Windows XP, if I elect to accept the certificate permanently, and then go to the Content tab in "Internet Options" in IE, that I see my cert is installed under "Trusted Root CAs", and if I click Advanced, that it is by default trusted for a large number of purposes such as driver verification and time stamping; I can change this (and did) under "View->Details->Edit Properties". I would have assumed that it would only be trusted for "Server Verification" (and for the Java certificate, "Code Signing") (In Netscape 4 or Mozilla on Linux, the server cert is installed only as an "SSL Server Site", while the Java cert, although installed as a CA, does not by default certify network sites, and is not used for local functions such as filesystem encryption, software package verification etc.) Since by default self-signed certs are not trusted, and generate a lot of alerts if used, I don't see this a big problem. But on occasion someone may use such a cert to provide protection against eavesdropping at zero cost, and tell users "if you install the cert you won't get the popups every time you connect", without taking the same precautions to safeguard the private key as they might otherwise have done. (It might be nice to have a mechanism to trust a certificate for only one object, but I guess things don't work like that) -- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 security@triumf.ca
