Here is another segment from Dan Kaminsky’s talk at Toorcon 8. You can download the high quality version here. He discovered approximately 1 in 3 deployed SSL boxes share a private key. This means that you can buy a box off of eBay and read encrypted SSL traffic from any identical box. He has also got a trick for making bank logins more secure.
Who is this guy, and why does he think this is a discovery? I’ll do him one better. Just put the entire login form in the , and then redirect the parent when the login completes.
Posted at 7:12 pm on Oct 30th, 2006 by nocotigo
I don’t get the math here perhaps..
If 90% of the keys were unique, then how can the remaining 10% make up 1/3 of the computer’s he scanned? Or is he just extrapolating the 1/3 figure based on 10% of the billions of the SSL servers out there? (I.e, it’s just a guess)?
Posted at 8:39 pm on Oct 30th, 2006 by TJ
Well, tj,
2/3 of servers have unique keys. Those use ninety percent of the keys that are out there. 1/3 of the machines share the remaining 10% of keys. Quick math says that keys that are not unique are used on average 4.5 times.
2/3 of servers have 90% of keys. (thus 1/3 has 45% of keys, 1/3 has 45% of key, 1/3 has 10% of keys) The last group reuses keys.
Am i wrong?
Posted at 9:19 pm on Oct 30th, 2006 by oddsends
Yes i am wrong, i switched the 2/3 and the 1/3 (he had them the other way around in the presentation)
just fix my math
Posted at 9:32 pm on Oct 30th, 2006 by oddsends
Not paying attention 
90% of the _keys_ were on unique machines, they make up 33% of the possible machines on the net. The other 10% of keys cover the last 66% of machines.
i.e. for every 10 keys there are 9 unique machines and 27 machines sharing a key
Posted at 12:19 am on Oct 31st, 2006 by Will
Any chance of video from this talk?
http://toorcon.org/2006/conference.html?id=13
Have heard it was very entertaining.
Posted at 7:21 am on Oct 31st, 2006 by wesley mcgrew
nocotigo: The reason that just putting the login form in the iframe would be bad is that you would then lose the performance benefit. It would mean that *every page* on your website would build an SSL connection.
And that’s what he’s trying to avoid. He wants a situation that means you get the ideal situation for:
1) Performance: never use SSL except when logging in or using the secure areas.
2) Security: always use SSL when logging in.
3) Usability: there should be a login form on every page.
The only way to avoid using SSL when surfing on regular, non-secure pages, and yet to use SSL when logging in from those same pages, is to build the SSL connection only once people have started to log in.
I’d add to his suggestion, though, that it needs to handle auto-fill-in of forms. Some browsers will automatically fill in the username and password on every page, which again destroys the performance benefit, or, if it doesn’t trigger the onfocus, destroys the security benefit.
So if the login form got filled in *really fast*, then I think there are two options:
1) blank it (if you want to force them to manually type it in every time, which I would strongly NOT recommend, since it adds nothing to security, and just alienates users), or
2) make the onfocus have a bit of a delay in, so it doesn’t start up SSL unless it is being manually filled, and then have an onsubmit that does the same thing as the onfocus if it finds that the iframe has not been made. None of which is difficult.
So long as this method degrades gracefully for browsers without javascript enabled (which it should), this is the ideal compromise. Unlike just using SSL for every page, it *would* require a “you need javascript to be completely secure” notice, though.
Posted at 12:36 pm on Oct 31st, 2006 by Dewi Morgan
w00t
Posted at 1:19 pm on Nov 1st, 2006 by DarkFader
hack a day serves up fresh hacks each day, every day from around the web and a special how-to hack each week.
powered by wordpress
interesting stuff, what a discovery. seems like someone would have found this out earlier but i guess not.
Posted at 3:44 pm on Oct 30th, 2006 by william