Reply to post: Re: Grab the private key?

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

mj.jam

Re: Grab the private key?

Looks like they try connecting back to localhost, but via a somewhat circuitous route.

1. Look up DNS record

2. Get back 127.0.0.1

3. Connect to 127.0.0.1 with server name as above

4. Get presented a certificate for that server name, so the connection is all OK. (Plus, since it is a trusted certificate, you avoid all warnings. Just connecting to 127.0.0.1 won't work.)

For localhost to be able to use that certificate, it must have the key, i.e., you have the key inside the connector. But not just you: everybody with the app has it.

So if instead you

1. Look up DNS record

2. Get back evil hacker's IP

3. Connect to evil hacker's IP with server name as above

4. Get presented a certificate for that server name, so the connection is all OK. Isn't it?

Far better for your localhost to have its own certificate, and have the client trust just that. However that takes more work.
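As an added example (not code from the post, from The Register, or from Atlassian), here is what the alternative mj.jam sketches looks like with Go's standard library: the localhost service generates its own key and self-signed certificate, and the client trusts exactly that certificate rather than the public CA store. Because the key is made on the machine and never shipped inside an app, nobody else can present that certificate. The second half of the demo shows the flip side: a server holding a different, equally well-formed certificate for 127.0.0.1 (standing in for anyone who is not the genuine local service) is rejected with an unknown-authority error. The function names newLocalCert, handshakePinned and Demo are this example's own, the listening port is chosen by the OS, and the 5-second deadlines are arbitrary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newLocalCert makes a fresh key pair and a self-signed certificate for
// 127.0.0.1/localhost. The *x509.Certificate is the public part the client
// pins; the private key stays on the machine that generated it.
func newLocalCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		DNSNames:              []string{"localhost"},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshakePinned serves serverCert once on an OS-chosen loopback port and
// dials it with a client whose only trust anchor is pin. It returns the
// client's handshake error: nil means the client accepted the server.
func handshakePinned(serverCert tls.Certificate, pin *x509.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	srvDone := make(chan struct{})
	go func() { // server side: accept one connection and drive its handshake
		defer close(srvDone)
		if conn, err := ln.Accept(); err == nil {
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			conn.(*tls.Conn).Handshake() // outcome mirrors the client's verdict
			conn.Close()
		}
	}()
	pool := x509.NewCertPool() // no system CAs: the pinned cert is the only anchor
	pool.AddCert(pin)
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp",
		ln.Addr().String(), &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if the client never reached the server
	<-srvDone
	return err
}

// Demo reports whether the pinned client accepted the genuine local server
// and whether it rejected, specifically as an unknown authority, a server
// holding a different key and certificate for the same address.
func Demo() (acceptedGenuine, rejectedImpostor bool, err error) {
	genuine, pin, err := newLocalCert()
	if err != nil {
		return false, false, err
	}
	impostor, _, err := newLocalCert() // well-formed for 127.0.0.1, but not the pinned cert
	if err != nil {
		return false, false, err
	}
	var unknownCA x509.UnknownAuthorityError
	return handshakePinned(genuine, pin) == nil,
		errors.As(handshakePinned(impostor, pin), &unknownCA), nil
}

func main() {
	acceptedGenuine, rejectedImpostor, err := Demo()
	fmt.Printf("genuine accepted: %v, impostor rejected: %v, error: %v\n",
		acceptedGenuine, rejectedImpostor, err)
}
```

The client config deliberately sets RootCAs to a pool containing only the pinned certificate; leaving it nil would fall back to the system store, which is exactly the trust relationship the post argues against for a localhost connector.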
