Here we try to compile a list of threats for CAcert's users:
Local threats:
- Man in the Browser: http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf
- RSA side-channel leak: http://blog.cacert.org/2006/11/193.html
- Signature forgery (the 2006 OpenSSL flaw in RSA PKCS#1 v1.5 signature verification): http://www.openssl.org/news/secadv_20060905.txt
- Side-channel attacks
- Usage of bad random numbers (weak or predictable keys)
- Can't decrypt data due to a lost private key
- Expiry of certificates
- Collisions in hash algorithms: http://www.iaik.tugraz.at/research/krypto/collision/index.php
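Why "usage of bad random numbers" belongs on this list, as an added worked example (this is not code from CAcert or from the page; the broken-RNG model, the device ids and the key sizes are constructed for the demonstration): when the RNG feeding RSA key generation has too little entropy, independently generated keys end up sharing a prime, and a pairwise GCD over a pile of public moduli factors them outright.

```python
"""Shared-prime attack on RSA moduli generated with a low-entropy RNG.

The device model below is constructed: the first prime is drawn while the
RNG holds only two bits of seed entropy, the second after real entropy has
arrived. Key sizes are tiny (64-bit moduli) so the run finishes instantly;
the attack itself does not depend on the size.
"""
import math
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` witnesses."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    witnesses = random.Random(n)  # deterministic witnesses so runs are reproducible
    for _ in range(rounds):
        a = witnesses.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits from `rng` until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_modulus(device_id, bits=64, boot_entropy_bits=2):
    """Constructed model of a device generating its RSA key at first boot.

    p is drawn while the pool holds only `boot_entropy_bits` bits of entropy,
    so p comes from a pool of four values shared across the whole fleet.
    By the time q is drawn, entropy has arrived and q is unique per device.
    """
    boot_rng = random.Random(device_id % (1 << boot_entropy_bits))
    p = random_prime(bits // 2, boot_rng)
    later_rng = random.Random(10**6 + device_id)  # stands in for a properly seeded RNG
    q = random_prime(bits // 2, later_rng)
    return p * q


def generate_good_modulus(device_id, bits=64):
    """Control: both primes drawn from a per-device, properly seeded RNG (modelled)."""
    rng = random.Random(5 * 10**6 + device_id)
    return random_prime(bits // 2, rng) * random_prime(bits // 2, rng)


def find_shared_factors(moduli):
    """Pairwise GCD over public moduli. Any pair sharing exactly one prime is
    fully factored; returns {modulus: (p, q)} for every modulus broken."""
    broken = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            g = math.gcd(n1, n2)
            if 1 < g < n1 and g < n2:  # a common prime, not an identical key
                broken[n1] = (g, n1 // g)
                broken[n2] = (g, n2 // g)
    return broken


if __name__ == "__main__":
    fleet = [generate_modulus(i) for i in range(8)]
    for n, (p, q) in find_shared_factors(fleet).items():
        print(f"n={n} factored: p={p} q={q}")
    good = [generate_good_modulus(i) for i in range(8)]
    print("moduli broken in the well-seeded fleet:", len(find_shared_factors(good)))
```

With eight devices and a four-value pool for p, every device shares its p with one other device, so all eight moduli fall to the GCD step; the well-seeded control fleet yields nothing. A real attacker needs no private material at all, only the public keys, which is what makes weak randomness a threat to the certificate holder rather than to the CA.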
Network threats:
- SSL/HTTPS leaks information (in TLS 1.2 and earlier the certificate is transmitted in plaintext during the handshake, so a passive observer learns which certificate, and hence which site, is being visited)
- Traffic analysis due to plaintext communication in OCSP (status requests carry the certificate's serial number and travel over unencrypted HTTP)
- Phishing
- Reuse of secret keys due to software distribution (keys shipped inside software or device images) and other leaks
- Man in the middle by approved CAs (any CA the browser trusts can issue a certificate for any name)
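The first network threat above, shown as an added example (not code from CAcert or from the page): a passive observer reassembling the cleartext part of a TLS 1.2 handshake and reading the server's certificate chain out of the Certificate message. The capture is constructed inline, and the two "certificates" are placeholder byte strings rather than real DER; the record and message layout follows the TLS 1.2 wire format.

```python
"""Extract certificates from a captured TLS 1.2 handshake.

Everything before ChangeCipherSpec is sent in the clear, so the Certificate
message (leaf plus chain) is readable off the wire by anyone on the path.
The capture built here is constructed for the demonstration.
"""
import hashlib
import struct

CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
APPLICATION_DATA = 23
MSG_SERVER_HELLO = 2
MSG_CERTIFICATE = 11

# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF = b"constructed leaf certificate DER bytes"
ISSUER = b"constructed intermediate CA certificate DER bytes"


def _u24(b):
    return int.from_bytes(b, "big")


def build_record(content_type, payload):
    """TLS record: type(1) version(2, here 3.3 = TLS 1.2) length(2) payload."""
    return bytes([content_type, 3, 3]) + struct.pack(">H", len(payload)) + payload


def build_handshake(msg_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_certificate_body(certs):
    """Certificate message body: total length(3), then length(3)+DER per cert."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


def constructed_capture():
    """Server flight as a sniffer would see it: ServerHello, a Certificate
    message split across two records, ChangeCipherSpec, then encrypted data."""
    server_hello = build_handshake(
        MSG_SERVER_HELLO,
        bytes([3, 3]) + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
    certificate = build_handshake(MSG_CERTIFICATE, build_certificate_body([LEAF, ISSUER]))
    split = len(certificate) // 2
    return (build_record(HANDSHAKE, server_hello)
            + build_record(HANDSHAKE, certificate[:split])
            + build_record(HANDSHAKE, certificate[split:])
            + build_record(CHANGE_CIPHER_SPEC, b"\x01")
            + build_record(APPLICATION_DATA, b"\xde\xad\xbe\xef" * 4))


def extract_certificates(capture):
    """Reassemble cleartext handshake records and pull every certificate out of
    Certificate messages. Stops at ChangeCipherSpec: from there on the bytes
    are encrypted and carry nothing a passive observer can parse."""
    handshake = bytearray()
    pos = 0
    while pos + 5 <= len(capture):
        ctype, _vmaj, _vmin, rlen = struct.unpack(">BBBH", capture[pos:pos + 5])
        body = capture[pos + 5:pos + 5 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated TLS record")
        pos += 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HANDSHAKE:
            handshake += body
    certs = []
    p = 0
    while p + 4 <= len(handshake):
        mtype, mlen = handshake[p], _u24(handshake[p + 1:p + 4])
        body = handshake[p + 4:p + 4 + mlen]
        if len(body) < mlen:
            raise ValueError("truncated handshake message")
        p += 4 + mlen
        if mtype != MSG_CERTIFICATE:
            continue
        total, q = _u24(body[:3]), 3
        while q < 3 + total:
            clen = _u24(body[q:q + 3])
            certs.append(bytes(body[q + 3:q + 3 + clen]))
            q += 3 + clen
    return certs


def fingerprints(certs):
    """SHA-256 fingerprints: what an observer logs to track which site/cert was seen."""
    return [hashlib.sha256(c).hexdigest() for c in certs]


if __name__ == "__main__":
    certs = extract_certificates(constructed_capture())
    for c, fp in zip(certs, fingerprints(certs)):
        print(f"{len(c):4d} bytes  sha256={fp}")
```

The parser tolerates handshake messages fragmented across records, which real servers do for large chains. Note that TLS 1.3 encrypts the Certificate message under handshake keys, so this particular leak is confined to TLS 1.2 and earlier; OCSP and SNI remain in the clear regardless.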
CAcert's threats:
- Issuing of wrong certificates
- Breach of root key
Browser threats:
- Browser Attack Tree (a Mindmap applet) and companion Browser Threat Model, written as suggestions for Mozo (Mozilla) back in 2004.
Business threats:
- Threats/LegalDiscovery: the bombardment of legal motions