
News Sennheiser users hit by root certificate flaw

Discussion in 'Article Discussion' started by bit-tech, 29 Nov 2018.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
     
  2. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    3,909
    Likes Received:
    591
    "We don't need to have a cert authority sign our cert, we can just self-sign and install it as a root cert. We're installing it ourselves, after all, so we know it's us! What could possibly go wrong?"
     
  3. Omnislip

    Omnislip Minimodder

    Joined:
    31 May 2011
    Posts:
    629
    Likes Received:
    155
    I'm glad to see the awesome 2010 headphones as the go-to Sennheiser placeholder image! Mine are still going strong today.
     
  4. koaschten

    koaschten What's a Dremel?

    Joined:
    24 Mar 2011
    Posts:
    29
    Likes Received:
    2
    Was thinking the same, Omnislip. I even have a sealed spare set somewhere on a shelf ;)
     
    Omnislip likes this.
  5. Chicken76

    Chicken76 Minimodder

    Joined:
    10 Nov 2009
    Posts:
    952
    Likes Received:
    32
    How does Microsoft remove the certificate with an update? I mean how do they know to remove that specific certificate? Has Sennheiser asked them to do it? What if I create a certificate of my own and put it in trusted root certificates, are they going to remove it too?
     
  6. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    Every certificate has a fingerprint; most commonly, software identifies certificates via their SHA256 hash.

    For example, bit-tech.net has the following chain:
    • SSL certificate:
      Fingerprint SHA256: 51f9e18d37b8b7eba0bd0dec6cb2c7b210d1fc1277273bece04213ce24698b47
      Pin SHA256: yqshVW4YoJ3k7a0Aqs1sCe0kwQJuueqK1RKT9Q2Pa1c=
    • COMODO RSA Domain Validation Secure Server CA
      Fingerprint SHA256: 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
      Pin SHA256: klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=
    • COMODO RSA Certification Authority
      Fingerprint SHA256: 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
      Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
    So if MS decided that they wanted to remove that COMODO root CA, they could just iterate over the root CA list on the computer, identify the CA with the specific SHA256 hash and, if it matches the hash of the offending certificate, remove it.

    (Source of the hashes: https://www.ssllabs.com/ssltest/analyze.html?d=bit-tech.net )

    Edit: And before you say "what about a possible conflict": the number of unique hashes SHA256 can have is 2^256. That is:
    115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936. That is a number so big that the whole IPv6 range fits into it as many times as there are addresses in the IPv6 range itself.
     
    Last edited: 30 Nov 2018
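The matching step described in the post above, as an added example that is not code from the original thread or from any vendor: fingerprint each store entry by hashing its DER encoding and compare against a denylist, tolerating the colon-separated and upper-case forms that SSL Labs and OS stores display. The certificates in the store dictionary are constructed placeholder byte strings, not real X.509 data, and the hypothetical denylist entry is computed from one of them so the example runs offline.

```python
"""Identify certificates by SHA-256 fingerprint, not by subject name."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and decode the base64 body back to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding, lowercase hex without separators.

    This is the value SSL Labs shows as 'Fingerprint SHA256'; the same
    bytes hashed the same way give the same result on any platform.
    """
    return hashlib.sha256(der).hexdigest()


def normalise(fp: str) -> str:
    """Canonicalise '51:F9:E1...' or 'SHA256 Fingerprint=...' styles."""
    return fp.split("=")[-1].replace(":", "").strip().lower()


def find_matches(store: dict, denylist) -> list:
    """Return the names of store entries whose fingerprint is denylisted."""
    wanted = {normalise(fp) for fp in denylist}
    return sorted(name for name, der in store.items()
                  if fingerprint_sha256(der) in wanted)


# Constructed stand-ins for a root store: name -> DER bytes (not real certs).
CONSTRUCTED_STORE = {
    "Vendor Root (constructed)": b"constructed DER bytes of an unwanted root",
    "Public CA (constructed)": b"constructed DER bytes of a legitimate root",
}

# A real denylist carries the fingerprint published by the vendor or OS;
# this hypothetical one is derived from the constructed entry above.
DENYLIST = [fingerprint_sha256(CONSTRUCTED_STORE["Vendor Root (constructed)"]).upper()]

if __name__ == "__main__":
    print(find_matches(CONSTRUCTED_STORE, DENYLIST))
```

A matching name tells the cleanup job which entry to act on; an entry that merely shares the subject name but hashes differently is left alone.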
  7. jb0

    jb0 Minimodder

    Joined:
    8 Apr 2012
    Posts:
    555
    Likes Received:
    93
    Can I just point out how insane it is that we have security issues in our goddamn HEADPHONES now? What did this even need a security certificate for in the first place?
     
  8. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,058
    Likes Received:
    969
    It is all the extra software that comes with stuff these days.

    Pointless audio software that duplicates functionality Realtek and MS have covered already, 300 different RGB control apps, infinity +1 update managers etc... all developed with minimal effort so security issues are inevitable.
     
    Fingers66 likes this.
  9. MLyons

    MLyons 70% Dev, 30% Doge. DevDoge. Software Dev @ Corsair Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    3 Mar 2017
    Posts:
    4,174
    Likes Received:
    2,732
    When will companies learn to stop doing this?
     
  10. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    15,395
    Likes Received:
    2,992
    Never, probably.
     
    Corky42 likes this.
  11. oribunoki

    oribunoki What's a Dremel?

    Joined:
    2 Dec 2018
    Posts:
    2
    Likes Received:
    0
    That ain't got fo the shizzle, y'all.
     
  12. MLyons

    MLyons 70% Dev, 30% Doge. DevDoge. Software Dev @ Corsair Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    3 Mar 2017
    Posts:
    4,174
    Likes Received:
    2,732
    Wonder if any other companies are doing this?
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,066
    Likes Received:
    6,610
  14. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    3,909
    Likes Received:
    591
    Then there was eDellRoot, an even worse issue (unlike Superfish, eDellRoot was deployed to the workstation lines, not just the consumer ones).
     