<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"\@NSimSun";
panose-1:2 1 6 9 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText">Responding both the Ryan and Gerv.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Ryan -- you are correct that concerns (1) and (2) are related -- (1) relates to accidental clashes that give different customers the same domain. Gerv -- you are right, the change is extremely small -- but giving the same domain to
different customers is something not allowed today, so it would be quite a change to allow it.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">This link has some information on the subject, but I really don’t understand the explanation of why clashes aren’t a concern.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames">https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames</a> <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On (2) – this concern is of an intentional clash created by a hacker for evil purpose – a much more serious issue. I notice that in Facebook’s existing .onion cert, they managed to get the following .onion domain:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">*.m.facebookcorewwwi.onion<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">See screen shot below or attached.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I’m sure that didn’t happen randomly, so there must have been some very serious computing that happened to get that particular 16 digit “random” hash of a Facebook public key,
<u>facebookcorewwwi</u>. If Facebook can reverse engineer to get that .onion domain, couldn’t a hacker (or googlegoogle.onion, for another example) do the same and get a duplicate cert with the same domain?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><img border="0" width="419" height="521" id="Picture_x0020_1" src="cid:image001.png@01D046CE.C86B58F0"><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Gervase Markham [mailto:gerv@mozilla.org] <br>
Sent: Thursday, February 12, 2015 1:41 PM<br>
To: Kirk Hall (RD-US); Jeremy Rowley (jeremy.rowley@digicert.com); Ben Wilson (Ben.Wilson@digicert.com)<br>
Cc: CABFPub (public@cabforum.org)<br>
Subject: Re: [cabfpub] Ballot 144 -.onion domains</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 12/02/15 20:43, <a href="mailto:kirk_hall@trendmicro.com">
<span style="color:windowtext;text-decoration:none">kirk_hall@trendmicro.com</span></a> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> For example, Evil Corp. and Angel Corp. could each submit a request
<o:p></o:p></p>
<p class="MsoPlainText">> for a .onion cert and get the same domain: _[same 16 digit hash of
<o:p></o:p></p>
<p class="MsoPlainText">> their public keys].onion_ if their public keys hash to the same value.
<o:p></o:p></p>
<p class="MsoPlainText">> One cert would say O=Evil Corp. the other would say O=Angel Corp., so
<o:p></o:p></p>
<p class="MsoPlainText">> that a .onion domain would not be uniquely identified with one
<o:p></o:p></p>
<p class="MsoPlainText">> subject. While unlikely, it could happen.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Have you been able to put a figure on the likelihood of this occurrence?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I think I could calculate it, but I'm interested in what figure you came up with that led to your concern.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> (2) Does this also create an opportunity for a hacker? For example,
<o:p></o:p></p>
<p class="MsoPlainText">> one of the .onion domains in the SANs field of the Facebook cert you
<o:p></o:p></p>
<p class="MsoPlainText">> created is _*.xx.fbcdn23dssr3jqnq.onion_ – could a hacker create a
<o:p></o:p></p>
<p class="MsoPlainText">> public key that would hash to the same value in order to get a cert
<o:p></o:p></p>
<p class="MsoPlainText">> with the same .onion domain and imitate the Facebook cert? (This is
<o:p></o:p></p>
<p class="MsoPlainText">> maybe the more serious case.)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Being able to create some text which hashes to a specific, defined value that you are targetting would be what's called a Preimage attack:<o:p></o:p></p>
<p class="MsoPlainText"><a href="http://en.wikipedia.org/wiki/Preimage_attack"><span style="color:windowtext;text-decoration:none">http://en.wikipedia.org/wiki/Preimage_attack</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">SHA-1 has no known preimage attacks.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Tor .onion names use 80 bits of the SHA-1 hash, which is not the full hash, so it's possible that they might be slightly easier to attack.<o:p></o:p></p>
<p class="MsoPlainText">While there are no known attacks, my understanding is that the Tor people are looking at moving to SHA-256 as a precautionary measure.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> (3) Another concern is there is no central registry to identify the
<o:p></o:p></p>
<p class="MsoPlainText">> owner of a .onion domain (of course, there could be multiple owners of
<o:p></o:p></p>
<p class="MsoPlainText">> the domain under the scenario above). If there is no Subject info in
<o:p></o:p></p>
<p class="MsoPlainText">> the O field, etc., with no registry there is no real way to contact
<o:p></o:p></p>
<p class="MsoPlainText">> the domain (or cert owner).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">.onion certs are going to be EV, right? So they would have Subject info in the O field.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>