Devil in the details

A German
mathematician called Martin von Gagern found a bug in GnuTLS , an open-source library that implements TLS, a protocol that
allows client/server applications to communicate in a way that is secure from
tampering, eavesdroping or forgery.

TLS is used by banks and e-commerce sites to secure transactions, but has other
uses as well. One of the aspects of the protocol is that the identity of a
server can be positively established via a chain of X.509 certificates. The way
this works is that a “root” server, usually belonging to a
certification authority such as Thawte, cryptographically signs certificates
for other servers (called intermediaries), which in turn can “pass
on” that trust to other servers.

Clients eventually get to see chains of certificates, something like “Bob
(we all know Bob and we know Bob is Bob because we have here his signature,
which is public and un-forgeable) signed Carol’s cert, so she’s really Carol
and Carol signed Dave’s, so he’s really Dave, so you can go ahead and establish
a secure channel to Dave”. If we know and trust Bob, we can trust everyone
else in the chain. By virtue of being such a nice person, Bob gets to sign his
own certificates, that are nevertheless trusted. This should be an honor rarely
and sparingly granted.

In fact, every client gets to choose whose signatures he trusts a priori –
usually those are signatures of public certification authorities, but some
clients may choose to also trust private CA’s, and end up generating their own
private chains of trust, usually within a company or other organisation. This
is a nice feature of the protocol, but somewhat rarely used.

A client should verify the chain of trust on each certificate received, making
sure that each server’s cert is signed by its parent and ultimately by someone
the client trusts apriorically. However, the GnuTLS client was not doing that,
not exactly. Say it asked “Are you really Dave?” and received a
certificate looking like “Bob says Carol really is Carol. Also, Alice (the
undersigned) says the guy you’re talking to really is Dave.”. The client,
instead of going “hmm… who the heck is Alice?” would think:
“Bob’s Bob, of course, and… ah, look, Alice signed her own cert so she
must be an OK girl too” and then would go ahead and establish a secure
channel with “Dave”. Yup, it’s the kind of mistake only a computer
could make.

Obviously, this is very bad news. Alice (i.e. just about anybody) can convince
the client that she’s anybody else at all, by simply intercepting and
re-routing his calls so they pass through her server and claiming her
sockpuppet is actually the intended recipient.

Alice could accomplish this, for example, by exploiting flaws in the way the domain name system works, so that Bob looks up Dave’s IP
address but gets Alice’s, who then proceeds to dupe him by the method outlined
above.

This particular bug in this particular TLS implementation has been fixed, of
course – open source projects are nice like that – but there’s no telling if
and how many times the bug was exploited before the fix. The issue of whether
we should be trusting the ‘Net with our money has been again raised, in the
starkest of manners.