13

https://lwn.net/Articles/887970/

For frigging fucking fucks sake, universe put the cactii away.

I HATE THE UNIVERSE.

I FUCKING HATE IT.

Comments
  • 1
    😒 ah fuck!
  • 1
    But I guess it's quite hard to exploit as it requires parsing certs sourced by attackers. Most setups only parse admin provided certs.
  • 2
    @hjk101

    Mutual TLS authentication should be affected...

    " - TLS clients consuming server certificates
    - TLS servers consuming client certificates
    - Hosting providers taking certificates or private keys from customers
    - Certificate authorities parsing certification requests from subscribers
    - Anything else which parses ASN.1 elliptic curve parameters
    "

    All in all it's a nasty thing, cause you can just try and bomb a server.

    Unverified: I think you can _easily_ target any TLS server, as most won't filter client certificates. You would need explicitly filter it if unneeded.

    Notice the unverified. My brain is unhappy, pissed and grumpy.
  • 1
    Well, at least this time it isn't a full private key compromise...
  • 0
    @IntrusionCM of course any hosting/ca provider has to get their shit together. I am interested in the unverified case though because that would suck. As we all know not all sites are well managed and the impact would be huge.
  • 0
    “It is thus a denial-of-service vulnerability for any application — server or client — that handles certificates from untrusted sources.”

    Already solved, then, by people who are doing things correctly.
Add Comment