## 20160328 AK
----
[[ThreatList/CZ|česky]] | '''english'''
----
Here we try to compile a list of threats to CAcert's users:

Local threats:
 * Man in the Browser: http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf
 * RSA side-channel leak: http://blog.cacert.org/2006/11/193.html
 * Signature forgery: http://www.openssl.org/news/secadv_20060905.txt
 * Side-channel attacks
 * Use of bad random numbers
 * Inability to decrypt data because the private key was lost
 * Expiry of certificates
 * Collisions in hash algorithms: http://www.iaik.tugraz.at/research/krypto/collision/index.php

Network threats:
 * SSL/HTTPS leaks information (certificates are transmitted in plaintext)
 * Traffic analysis, because OCSP communication is plaintext
 * Phishing
 * Reuse of secret keys due to software distribution and other leaks
 * Man in the middle by approved CAs

CAcert's threats:
 * Issuing of wrong certificates
 * Breach of the root key

Browser threats:
 * [[http://iang.org/maps/browser_attack_tree.html|Browser Attack Tree]] (a Mindmap applet) and its companion [[http://iang.org/ssl/browser_threat_model.html|Browser Threat Model]], written as suggestions for Mozo back in 2004.

Business threats:
 * [[Threats/LegalDiscovery]]: the bombardment of legal motions

== Also ==
 * RiskAssessment
 * http://svn.cacert.org/CAcert/SecurityManual/
 * SecurityManual