2

Ref: How do I report a security vulnerability about a trusted certificate authority?

This question involved a serious security vulnerability at WoSign.

Here's the finder's blog: http://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Fwww.schrauger.com%2Fthe-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com&oq=cache%3Ahttps%3A%2F%2Fwww.schrauger.com%2Fthe-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com

Quoting a part:

GitHub is used to store programming projects. It is a code repository. But it also gives each GitHub user their own subdomain to have a main webpage for their code. The users can do whatever they want with the page.

Thus, I naturally had full control of the subdomain schrauger.github.com and (schrauger.github.io). After verifying I owned these domains to WoSign by uploading their text file, I was allowed to generate a certificate for these two subdomains. Perfectly fine.

He said that he got valid TLS certificate signed by trusted CA to the domain schrauger.github.com as he was able to upload file and verified ownership via HTTP verification methods.

So my question is, if I can get valid certificate for some xxxxx.github.com, can't I MITM those sites and read *.github.com's cookies?

As parent domain cookies are sent to subdomains too, what prevents me from MITMing .github.com website authentication cookies?

1 Answers1

3

If you have a valid (i.e. accepted by clients) certificate for a domain and you can redirect the traffic to the domain to your own system, then you can be in most cases a man in the middle and read and modify SSL encrypted traffic for the domain. This also includes reading cookies, usernames, passwords ... - i.e. everything which TLS was supposed to protect. But if you can actually read a cookie for example.com if you have a certificate for subdomain.example.com only depends on the domain attribute set on the cookie. By default a cookie will only be send to the exact domain which it was issued for, i.e. a cookie set on example.com will by default not be sent on subdomain.example.com.

As a "normal" user you typically can only control traffic inside the local network, i.e. redirect it using ARP spoofing or DNS spoofing or intercept the traffic by having full control over the gateway (router) used by the users in the network. If you are an ISP you could redirect/intercept the traffic for more users and some government agencies have this kind of ability too - in some countries for example all internet traffic goes trough government controlled systems.

Protection against this kind of attacks is done with methods like certificate pinning, certificate transparency or similar - see also Can a nation-state adversary perform a MITM attack by compelling a CA to issue them with fake certs?.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Thanks for the answer. I have added extra details about my exact question. Can you please clarify that too? – Arul Anand M Nov 26 '18 at 19:07
  • @ArulAnandM: Please stick with your original question and don't use your question as a moving target. What you asked in your edit is a completely different problem - it is not what you can do with a fake certificate but how you can get one. I've rolled back your edit. Please create a new question if necessary. – Steffen Ullrich Nov 26 '18 at 19:18
  • I think you misunderstood my follow up question. My core concern is that, if a server, say target.com have auth cookies set to *.target.com and also allow users to upload files under target's subdomain but not exactly to /.well-known/acme-challenge/, is this situation vulnerable? Or, should the server be considered safe? I'm more concerned that other CA may have different http file upload verification methods that could put such servers at risk. – Arul Anand M Nov 26 '18 at 19:24
  • I've asked this as a separate question: https://security.stackexchange.com/questions/198458/if-i-have-a-valid-certificate-for-xxxxx-target-com-cant-i-read-target-coms – Arul Anand M Nov 26 '18 at 19:31