
News Sennheiser users hit by root certificate flaw

Discussion in 'Article Discussion' started by bit-tech, 29 Nov 2018.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    1,607
    Likes Received:
    30
     
  2. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,755
    Likes Received:
    174
    "We don't need to have a cert authority sign our cert, we can just self-sign and install it as a root cert. We're installing it ourselves, after all, so we know it's us! What could possibly go wrong?"
     
  3. Omnislip

    Omnislip Member

    Joined:
    31 May 2011
    Posts:
    212
    Likes Received:
    11
    I'm glad to see the awesome 2010 headphones as the go-to Sennheiser placeholder image! Mine are still going strong today.
     
  4. koaschten

    koaschten New Member

    Joined:
    24 Mar 2011
    Posts:
    25
    Likes Received:
    1
    Was thinking the same, Omnislip. I even have a sealed spare set somewhere on a shelf ;)
     
    Omnislip likes this.
  5. Chicken76

    Chicken76 Member

    Joined:
    10 Nov 2009
    Posts:
    893
    Likes Received:
    21
    How does Microsoft remove the certificate with an update? I mean how do they know to remove that specific certificate? Has Sennheiser asked them to do it? What if I create a certificate of my own and put it in trusted root certificates, are they going to remove it too?
     
  6. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,821
    Likes Received:
    243
    Every certificate has a fingerprint; most commonly, software identifies certificates via their SHA256 hash.

    For example, bit-tech.net has the following chain:
    • SSL certificate:
      Fingerprint SHA256: 51f9e18d37b8b7eba0bd0dec6cb2c7b210d1fc1277273bece04213ce24698b47
      Pin SHA256: yqshVW4YoJ3k7a0Aqs1sCe0kwQJuueqK1RKT9Q2Pa1c=
    • COMODO RSA Domain Validation Secure Server CA
      Fingerprint SHA256: 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
      Pin SHA256: klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=
    • COMODO RSA Certification Authority
      Fingerprint SHA256: 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
      Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
    So if MS decided that they wanted to remove that COMODO root CA, they could just iterate over the root CA list on the computer, identify the CA with the specific SHA256 hash, and if it matches the hash of the offending certificate, remove it.

    (Source of the hashes: https://www.ssllabs.com/ssltest/analyze.html?d=bit-tech.net )

    Edit: And before you say "what about a possible conflict": the number of unique hashes SHA256 can have is 2^256. That is:
    115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936. That is a number so big that a whole IPv6 range fits into it as many times as the IPv6 range itself is big.
     
    Last edited: 30 Nov 2018
  7. jb0

    jb0 Active Member

    Joined:
    8 Apr 2012
    Posts:
    360
    Likes Received:
    32
    Can I just point out how insane it is that we have security issues in our goddamn HEADPHONES now? What did this even need a security certificate for in the first place?
     
  8. Anfield

    Anfield Well-Known Member

    Joined:
    15 Jan 2010
    Posts:
    4,187
    Likes Received:
    243
    It is all the extra software that comes with stuff these days.

    Pointless audio software that duplicates functionality Realtek and MS have covered already, 300 different RGB control apps, infinity +1 update managers etc... all developed with minimal effort so security issues are inevitable.
     
    Fingers66 likes this.
  9. MLyons

    MLyons Half dev, Half doge. Staff Administrator Super Moderator Moderator

    Joined:
    3 Mar 2017
    Posts:
    2,266
    Likes Received:
    650
    When will companies learn to stop doing this
     
  10. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    10,023
    Likes Received:
    941
    Never, probably.
     
    Corky42 likes this.
  11. oribunoki

    oribunoki New Member

    Joined:
    2 Dec 2018
    Posts:
    2
    Likes Received:
    0
    That ain't got fo the shizzle, y'all.
     
  12. MLyons

    MLyons Half dev, Half doge. Staff Administrator Super Moderator Moderator

    Joined:
    3 Mar 2017
    Posts:
    2,266
    Likes Received:
    650
    Wonder if any other companies are doing this?
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,182
    Likes Received:
    1,149
  14. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,755
    Likes Received:
    174
    Then there was eDellRoot, an even worse issue (unlike Superfish, eDellRoot was deployed to the workstation lines, not just the consumer ones).
     