Topic: MtGox uses StartSSL which has been compromised. (Updated: Not a problem)

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)

According to the EFF, at a talk they gave at one of the last two DEF CONs, the state of the current list of trusted CAs for non-EV SSL is pretty much a joke, and law enforcement routinely gets valid SSL certs issued to perform MITM attacks on suspects. The talk was titled something like "observations of the SSLiverse" and can probably be googled. In other words, the risk was always there to begin with.
member
Activity: 71
Merit: 10
administrator
Activity: 5222
Merit: 13032
HTTPS prevents someone who is sitting between you and the destination on the network from reading or modifying your transmissions. For example, it prevents your ISP from seeing your MtGox password. Usually, anyone between you and the destination is pretty trustworthy, but this is not the case if you live in a non-free country or if you are using a free proxy like Tor.

This compromise means that all HTTPS connections are suspect until things are sorted out. Even sites that don't use StartSSL can have their HTTPS broken. Even if MtGox was using Verisign, they would be affected equally.

I recommend installing the Certificate Patrol and Perspectives extensions for Firefox:
http://patrol.psyced.org/
http://www.networknotary.org/firefox.html

Certificate Patrol warns you whenever a site's certificate changes. This will happen when an attacker tries to exploit a compromised certificate authority like StartSSL. It also happens occasionally for other reasons.

Perspectives asks several notary servers for information about certificates. If the notaries see a different certificate than you do, then there is probably an attack going on. In the settings, use these options:
- Percentage of notaries...: 100
- Days of continuous...: 0
- Contact notaries for all HTTPS sites: yes
- Allow Perspectives to automatically...: no (unless you want to allow Perspectives to stand in for a CA when a site is using a self-signed certificate)
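
The two checks described in the post above, sketched as an added example (not part of the original thread and not either extension's own code): a Certificate Patrol-style "has this site's certificate changed?" check and a Perspectives-style notary comparison with the 100% setting. The host name, the certificate bytes and all function names are constructed for illustration; the "days of continuous" setting is 0 in the post, so no duration check is modelled.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE = b"constructed: certificate the site really serves"
REISSUED = b"constructed: certificate after a legitimate renewal"
ROGUE = b"constructed: certificate issued by a compromised CA"
HOST = "exchange.example"  # hypothetical host name

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def patrol_check(pins: dict, host: str, fp: str) -> str:
    """Remember the first fingerprint seen for a host; flag any later change."""
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "first-seen"
    return "unchanged" if known == fp else "CHANGED"

def notary_quorum(local_fp: str, notary_fps: list, percent_required: int = 100) -> bool:
    """True if enough notaries report the same certificate we were shown."""
    if not notary_fps:
        return False  # no notary answered: fail closed
    agree = sum(1 for fp in notary_fps if fp == local_fp)
    return agree * 100 >= percent_required * len(notary_fps)

def assess(pins: dict, host: str, der_cert: bytes, notary_certs: list) -> tuple:
    """Return (patrol status, notaries agree?) for one connection."""
    fp = fingerprint(der_cert)
    status = patrol_check(pins, host, fp)
    return status, notary_quorum(fp, [fingerprint(c) for c in notary_certs])

def demo() -> list:
    pins = {}
    return [
        # First visit: nothing pinned yet, notaries see the same certificate.
        assess(pins, HOST, GENUINE, [GENUINE] * 3),
        # Interception: we are shown a different cert than the notaries see.
        assess(pins, HOST, ROGUE, [GENUINE] * 3),
        # Legitimate renewal: the cert changed, but it changed for everyone.
        assess(pins, HOST, REISSUED, [REISSUED] * 3),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A changed certificate that the notaries also see is the "other reasons" case; a changed certificate that only you see is the one to treat as an attack.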
sr. member
Activity: 308
Merit: 250
If you can believe StartSSL's press release, this time around the attackers didn't actually successfully make off with anything (as opposed to the Comodo hack, where they did make off with fake certificates that took time to blacklist).

So it probably doesn't mean anything at this point.

Edit: and yes, theymos is correct - a site doesn't have to be using $CA for $CA getting hacked to put their security at risk, a user's browser merely has to trust $CA.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Probably not a concern.

If StartSSL's intermediate certificates get revoked due to being stolen, browsers may throw up warnings upon connecting to MtGox.  As soon as MtGox installed a new cert from elsewhere, all would be well.

MtGox is using a regular non-EV (extended validation) certificate.  Organizations like banks who run a high risk of spoofed websites or man-in-the-middle attacks often get EV certs which turn the address bar green or similar. These provide a higher level of assurance against such attacks. So long as MtGox uses a regular cert, the fact that it comes from a provider that gets hacked means not much different than a regular cert from a provider that wasn't hacked.
member
Activity: 71
Merit: 10
MtGox's https certificate provider StartSSL have been compromised
http://news.netcraft.com/archives/2011/06/22/startssl-suspends-services-after-security-breach.html

I'm not an internet security expert; is this cause for concern? What types of attack does that open MtGox to?