0

Say, an attacker fakes an original server certificate by a trusted CA using a another certificate from the same CA in a Man-in-the-middle attack. Why can this be detected using subject verification on the client-side?

(I'm not asking about the general workings of the protocol, all it's mechanisms, but, in the framework of those mechanisms, and assuming a general knowledge of TLS, how subject verification specifically prevents a MitM attack, without the need to explain extraneous mechanics of TLS.)

ig-dev
  • 1,118
  • 6
  • 13
  • 1
    If the attacker has the private key of the certificate of a website, they are 100% indistinguishable from the real website. –  Oct 22 '19 at 12:18
  • I'm assuming of course that the compromised certificate is not exactly the servers. Reworded for clarity. – ig-dev Oct 22 '19 at 12:22
  • Then it would be useless. If you have a cert from "SecureCA" for `ig.dev`, then I can just go and buy a cert from SecureCA for `not-ig.dev`. It would not get me any closer to being able to impersonate you. What I would need is your certificate (which is public anyways) and your private key (which is the really hard part). –  Oct 22 '19 at 12:25
  • Oh, if that's the case I might have to remove this question. Based on your description I can't see how subject verification is of any value then, since you can impersonate either fully, or not at all, it seems. – ig-dev Oct 22 '19 at 12:29
  • No, but there is a question here that accurately describes how TLS works. Once you really understand it (it's not trivial), you can see attack vectors. –  Oct 22 '19 at 12:30
  • Well, my question is really a small subset of "How does SSL/TLS work" – ig-dev Oct 22 '19 at 12:33
  • Not really. Ensuring that who you are connected to is really who they claim to be is **one of the essential points of TLS**. –  Oct 22 '19 at 12:37
  • Agreed, but I'm asking about subject verification in particular, not the protocol as a whole – ig-dev Oct 22 '19 at 12:38
  • I've read the whole linked answer and it did not address my question. You are basically telling me "study TLS yourself until you know" – ig-dev Oct 22 '19 at 12:46
  • @ig-dev: could you please explain what you exactly mean by *"attacker fakes an original server certificate"*, i.e. what part is like the original one and what part is different? Since the attacker cannot proof that he owns the specific domain name he should not be able to get a certificate for this domain name, i.e. the subject would be different - which gets detected when verifying the subject. – Steffen Ullrich Oct 22 '19 at 13:16
  • Thanks Steffen. What's the same is the trusted CA. I think in asking your question you basically answer mine, at least to some degree. "the attacker cannot proof that he owns the specific domain" – ig-dev Oct 22 '19 at 13:24
  • Since this has already falsely been labeled as a duplicate of the above, I have tried to answer the question myself. I would appreciate if you could confirm if this understanding is correct – ig-dev Oct 22 '19 at 13:35

1 Answers1

1

Here is my attempt to answer the question, based on my research in the meantime.

The attacker may obtain another certificate from a trusted CA, but he is unable to alter this certificate in any way. The assumption is that the CA will not issue a certificate for the subject under attack to the attacker, since he cannot prove that he owns the subject (domain name).

When the attacker tries to mediate the traffic between the client and server in a MitM attack, he has to present his own certificate to the client, instead of the servers, to be able to eavesdrop on the traffic. If the client performs subject verification, he will see that the attackers certificate does not contain the correct subject, even though his certificate is coming from a trusted CA. This way subject verification can detect MitM attacks.

ig-dev
  • 1,118
  • 6
  • 13
  • The answer is correct. But the question is essentially a duplicate of [Perfoming a MITM to intercept SSL/TLS with valid certificate](https://security.stackexchange.com/questions/130988/perfoming-a-mitm-to-intercept-ssl-tls-with-valid-certificate), at least once it was more clear what you mean with "fake the original certificate". – Steffen Ullrich Oct 22 '19 at 14:15
  • Great, thanks. And yes, it's essentially a duplicate of that question. – ig-dev Oct 22 '19 at 14:18