There is much news lately about the Null-Stuffing attack to SSL presented at BlackHat by Dan Kaminsky, Len Sassaman and Moxie Marlinspike. Quick answer: Our current assessment is that we were “probably not” vulnerable to this particular attack.

Bug: there is a theoretical possibility to create a certificate for example:

myspace.comNULLmy.cheapdomain.com

A CA might check the domain, and end up accepting a POSITIVE on the second part only. Meanwhile, a browser might show the first part, because it is written to stop processing when it sees the NULL . This is because NULLs are special characters that might be interpreted as the end of string, or might not be, and a browser might mistake it one way while a CA another way.

Analysis: At one level this is “just” input validation, and both browsers and CAs should reject immediately. At another level, the code that manages this input is very complicated, because of the way certificates are built. Too many standards, layouts, encodings. Hence the comments by many that this bug is actually indicative of systemic weaknesses in SSL. Technically, implementing SSL properly means this isn’t possible, but the system is so complex that it isn’t easy to rule out these sorts of issues. But, we don’t win anything if we pass the blame onto someone else, because we’ve still got the bug. Basic technical conclusion is that we need to check our inputs carefully, and hope that others do the same.

CAcert. So where are we at? Is CAcert vulnerable? This boils down to whether CAcert can issue a certificate with a NULL stuffed into a domain name. Which is in two parts: adding a domain name to your account, and sending in a request for a certificate (CSR). Investigations are on-going, but here is a status update:

• Adding domain names is now covered with a quick fix that was patched in Friday.
• CSRs were already being filtered on NULLs, so someone was alert back in the earlier years!

What is outstanding is checking that the database copy of the domain name is used instead of the CSR, and scanning the database for any NULLs. It’s still not entirely clear if there was a way to sneak a NULL through before that patch in, but it’s covered now. This work is ongoing, and updates will be reported here.

The CAcert Email System went down Friday fornoon 31th of July 2009. This problem caused that no emails could be transferred. The systems team works on it to solve the problem.

update:
After a reboot of the server, the Email system is working again. Multiple non-critical services were affected to a more or less extent. The cause was a problem with NFS.

CAcert Inc, the association within the Community, held an SGM or special general meeting on Saturday 21:00 UTC. Which makes it evening in Europe, afternoon in the Americas, and tomorrow morning in Australia.

Between 38 and 42 members were present. 4 business items were duly filed (21 days in advance) and were dealt with in the meeting.

#1, that pending applications for joining the association be accepted was passed with no vote, because all applications had already been dealt with.

#2 is a comprehensive rule change that (among other things) asked to do this:

• made the status of Assurer the only requirement for membership of the Association,
• increased the size of the board to 10,
• rewrote and fixed up lots of other bugs in the rules.

It was voted and achieved 24 AYES against 14 Nayes. As this is a rule change, it required 75% and therefore failed. But, a good showing.

Item #3 was the controversial one. The first resolution said we association members were “disenheartened at the breakdown of working relationship.” It passed with 35 AYES to 5 Nayes. The second resolution said “the committee no longer enjoys the confidence, of the members, and [they] are removed.” It was duly voted and passed with 20 AYEs to 16 Nayes. With that resolution the board was relieved and opened for the next item.

The final business of the day was to elect a new board of 7 seats for an interim period of 4 months, until the next AGM. This was conducted on a person-by-person basis, and the 7 top-voted candidates were chosen:

Name	Position
Nick Bebout	President
Mark Lipscombe	Vice-President
Ernestine Schwob	Secretary
Philipp Dunkel	Treasurer
Guillaume Romagny	Ordinary Member
Andreas Buerki	Ordinary Member
Ian Grigg	Ordinary Member

This is the new committee of the association, or board. Please note:

• the committee will adjust the positions somewhat, and
• this committee is interim only, in place for 4 months. At the AGM, traditionally in November, they will stand down and face re-election.

Postscript: By means of m20090728.1 the committee agreed that Ernestine Schwob is now Treasurer and that Philipp Dunkel is now Secretary. No other changes are envisaged.

The CAcert signing server went down at 16:00 UTC 27th June 2009. It is expected that this event is similar as what happened on the 18th of June. So it is expected that the certificate signing will be on service again at 19:00 UTC.

The CAcert signing server is needed to issue signed certificates so this part of the CAcert services is halted now to say about 19:00 UTC.

As this is the second time the hardware went down for unclear reasons, Oophaga will be asked to replace the hardware (the hardware is “dated”). If someone wants to donate a reliable rack PC (hardware requirements are small: today Intel processor, 1-2 Gb mem, today 2 disks of say 200 Gb and usb) that would help.

Der LinuxTag 2009 findet vom 24. – 27.Juni in Berlin auf dem Messegelände statt.
CAcert wird auch dieses Jahr mit einem Stand (siehe Liste der Aussteller; am Übergang von Halle 7.2a zu 7.2b) am LinuxTag vertreten sein.
Darüberhinaus wird am Freitag, den 26.6. um 11:00 Uhr im Vortragsraum “Berlin 1” der Vortrag “CAcert – was war, was ist, was sein wird” stattfinden.

Mehr dazu unter http://www.linuxtag.org/2009/de/program/freies-vortragsprogramm/mittwoch/vortragsdetails.html?talkid=523

Interessenten und Besucher können sich einen Account bei http://www.CAcert.org anlegen; notwendig sind Name, Passwort und eine gültige E-Mail-Adresse. Am Stand kann nun die Person verifiziert (assured) werden. Bei der “Assurance” ist die Vorlage mindestens eines gültigen Lichtbildausweises (z.B. Führerschein, Personalausweis oder Reisepass) notwendig, die dann am Stand von den “Assurern” überprüft und verifiziert werden. Bei erfolgter Überprüfung erhält der Benutzer Punkte, die seine Vertrauenswürdigkeit widerspiegeln. Ein assurter Benutzer kann auf der CAcert-Website selbst Zertifikate ausstellen, und zusätzlich über ein “Web of Trust” Punkte an andere Benutzer vergeben. Weitere Fragen hierzu werden durch unsere zertifizierten Assurer am Stand gerne beantwortet.
Wir freuen uns auf Ihren Besuch!

The computer signing the CAcert certificates went down Friday evening 12th of June 2009. This problem caused that no certificates could be issued. Saturday 13th of June the problem has been fixed and the machine was rebooted at about 12 am.