👽 krixano

Hm, this is interesting:

https://www.f5.com/labs/articles/threat-intelligence/the-2021-tls-telemetry-report#:~:text=In%20total%2C%20well%20over%2095,of%20sites%20(Figure%203).

Regardless of the type of certificate in use, certificate revocation methods are almost entirely broken. That's why desire is growing across the certificate authorities (CAs) and browser industry to move toward extremely short-term certificates. Revoking a stolen certificate becomes much less of an issue if it will expire in just a few weeks.

Are there any security experts here (@acidus ?) that can explain if this affects Geminispace, and what should be done about it? Many people on gemini have been creating long certs.

2 years ago · 👍 acidus


8 Replies

👽 krixano

@acidus Also, the way you describe it sounds like a MitM attack, so how is MitM different from Renegotiation attacks? · 2 years ago

👽 krixano

@acidus Well I was really just talking about *any* renegotiation attacks, since I hardly know what the general concept means. · 2 years ago

👽 acidus

@krixano, can you be more specific? There have been a number of renegotiation vulnerabilities over the last decade or so. I'm not aware of any recent ones. Usually these work by an attacker being able to intercept or modify traffic between a client and server. Sometimes that's to trick the server into using a less secure cipher/protocol with the client, so the attacker can break it, or to do DoS attacks on the client. I don't see Gemini as a big enough target for this, extremely small amount of Gemini traffic, and low value of reading some arbitrary client's traffic · 2 years ago

👽 krixano

@acidus Ah, interesting. What about this SSL renegotiation vulnerability. Do you know anything about that? · 2 years ago

👽 acidus

Certificate revocation as a concept is rooted in a much quainter time, but in practice fails. Attackers can just DDoS the revocation checking channel, and other forms of revocation checking are massive privacy issues. Basically the idea of reducing the blast radius of a compromised cert via revocation is impractical, and fast, very short-lived certs are a better approach · 2 years ago

👽 krixano

Oh, and another one I wanted to know about was renegotiation. The report talks about how there was an SSL renegotiation vulnerability and 0.2% of web servers were prone to it in 2021, iirc. · 2 years ago

👽 krixano

@haze That makes sense. I didn't know what revocation was, so I looked it up afterwards and came to a similar conclusion that because Gemini doesn't necessarily use CAs, there isn't necessarily a problem. Some of the other things in the report I linked might be worth looking into on Geminispace though, especially the encryption key lengths and cipher suites and such. · 2 years ago

👽 haze

Not a security expert, so my 2 cents. This doesn't affect Geminispace, as Gemini runs on TOFU and has no revocation mechanism. Our cert structure doesn't attempt to address it.

Gemini does not run on CA-signed certs. Thus, without a CA, it's impossible to safely revoke a certificate. There were attempts at improving this situation while keeping it CA-less. But the resulting scheme is just a proposal and is too complicated. · 2 years ago
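
Added example (not part of the thread and not any Gemini client's actual code): a minimal TOFU pin store showing why, with no revocation channel, the certificate's lifetime is the only bound on how long a stolen certificate stays trusted. The `TofuStore` class, the decision strings and the policy of accepting a new certificate once the old pin has expired are assumptions made for illustration; the certificate bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400.0  # seconds

@dataclass
class Pin:
    fingerprint: str  # SHA-256 hex digest of the DER-encoded certificate
    not_after: float  # certificate expiry, seconds since the epoch

class TofuStore:
    """In-memory TOFU pin store (hypothetical helper, not a real client's API)."""

    def __init__(self):
        self.pins = {}  # "host:port" -> Pin

    def check(self, host, port, der_cert, not_after, now):
        """Return the trust decision for the certificate a server presented."""
        if now > not_after:
            return "reject-expired"
        key = f"{host}:{port}"
        fp = hashlib.sha256(der_cert).hexdigest()
        pin = self.pins.get(key)
        if pin is None:
            self.pins[key] = Pin(fp, not_after)  # first contact: pin blindly
            return "trusted-first-use"
        if pin.fingerprint == fp:
            return "trusted-match"
        if now > pin.not_after:
            self.pins[key] = Pin(fp, not_after)  # old pin expired: rotation expected
            return "trusted-rotated"
        return "warn-mismatch"  # new cert while the old pin is still valid

def demo():
    """Constructed scenario: the same key theft on day 45, two cert lifetimes."""
    stolen, fresh = b"constructed-cert-A", b"constructed-cert-B"
    out = {}
    for label, lifetime in (("10-year", 3650 * DAY), ("30-day", 30 * DAY)):
        store = TofuStore()
        first = store.check("example.org", 1965, stolen, lifetime, now=0.0)
        # Day 45: an impersonator presents the stolen certificate and key.
        replay = store.check("example.org", 1965, stolen, lifetime, now=45 * DAY)
        # Day 45: the real operator presents a replacement certificate.
        rotate = store.check("example.org", 1965, fresh, 45 * DAY + lifetime, now=45 * DAY)
        out[label] = (first, replay, rotate)
    return out
```

With the 10-year certificate the stolen copy still matches the pin and the operator's replacement is the one that triggers the warning; with the 30-day certificate the stolen copy has already expired and the replacement is accepted as a normal rotation.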