Why is the SHA-1 hash of certificate sent in TLS “Client Certificate URL” extension?

From my understanding, your problem is that an active man-in-the-middle can make a server S access a URL at host U, and this URL is specified by the attacker. And the problem with this is not that the attacker might get to the contents behind this URL (he can't) but that just accessing this URL might trigger a bug at server U.

Thus, to make this attack work, the following conditions must apply:

  • There must be a bug in server U which can be triggered just by accessing the specific URL.
  • The attacker can do an active man-in-the-middle attack.
  • The attacker is either not willing or not able to access server U directly, so he needs to use server S to access this URL.
  • Server S does implement the feature to get the client's certificate from a URL.
  • Server S does no filtering of which kinds of URLs it can access, or server U is allowed by this filter.

If all this applies, it can be used to attack server U. But in most cases there are far easier ways to make somebody access a URL, like accessing the URL directly, including it in some <img src…> tag on some web site to be accessed by somebody else, or similar.

Then, why is the 20-byte SHA-1 hash of the URL included with this message?

While I do not find any explicit explanation in the RFC, my guess is that it is only to make sure that server U actually provided the expected content and not something else, which makes a bit of sense in cases where the client itself has no real control over changes done at server U. It is not there to prohibit attacks against server U.

Of course, if the content served by U does not contain the expected client certificate, it will be noticed during the handshake anyway, because the private key used by the client does not match the client certificate. Thus it is questionable if this hash is really helpful or if it is just another useless feature which nevertheless made it into the standard: remember the TLS heartbeat extension, where the server for no real reason had to send the contents of the client's request payload back?
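The check the answer describes, as an added example that is not part of the original post or of any TLS library: the client puts SHA-1 of the certificate it expects server U to serve next to the URL (the RFC 6066 layout for the `client_certificate_url` extension: `CertChainType`, then a list of `URLAndHash` entries, each `url<1..2^16-1>`, a padding byte that must be `0x01`, and a 20-byte `SHA1Hash`), and server S refuses the fetched bytes when the digest does not match. The certificate bytes, the URLs, the `fetch` callable standing in for an HTTP client, and the `allowed_hosts` filter (the URL filtering the answer lists as a precondition) are all constructed for this example; nothing is fetched from the network.

```python
import hashlib
import struct
from urllib.parse import urlparse

# CertChainType values from RFC 6066 section 5.
INDIVIDUAL_CERTS = 0
PKIPATH = 1
SHA1_LEN = 20


def encode_certificate_url(chain_type, entries):
    """Client side: build the CertificateURL extension body.

    entries is a list of (url, certificate_bytes). The client hashes the bytes
    it expects server U to serve and places that digest next to the URL:
        CertChainType type;                       (1 byte)
        URLAndHash url_and_hash_list<1..2^16-1>;  (2-byte length prefix)
        URLAndHash = url<1..2^16-1>, padding (1 byte, MUST be 0x01), SHA1Hash[20]
    """
    items = b""
    for url, cert in entries:
        u = url.encode("ascii")
        items += struct.pack("!H", len(u)) + u + b"\x01" + hashlib.sha1(cert).digest()
    return struct.pack("!BH", chain_type, len(items)) + items


def parse_certificate_url(data):
    """Parse a CertificateURL body; returns (chain_type, [(url, sha1_digest), ...])."""
    if len(data) < 3:
        raise ValueError("truncated CertificateURL")
    chain_type, list_len = struct.unpack("!BH", data[:3])
    if chain_type not in (INDIVIDUAL_CERTS, PKIPATH):
        raise ValueError("unknown CertChainType %d" % chain_type)
    if list_len == 0 or 3 + list_len != len(data):
        raise ValueError("bad url_and_hash_list length")
    pos, end, entries = 3, 3 + list_len, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated url length")
        (url_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if url_len == 0 or pos + url_len + 1 + SHA1_LEN > end:
            raise ValueError("truncated URLAndHash")
        url = data[pos:pos + url_len].decode("ascii")
        pos += url_len
        # RFC 6066 fixed this byte at 0x01 (RFC 4366 used it as hash_present).
        if data[pos] != 0x01:
            raise ValueError("padding byte must be 0x01")
        pos += 1
        entries.append((url, data[pos:pos + SHA1_LEN]))
        pos += SHA1_LEN
    return chain_type, entries


def fetch_certificates(ext_body, fetch, allowed_hosts=None):
    """Server S side. fetch(url) -> bytes stands in for the HTTP client (assumed).

    allowed_hosts is the URL filter from the answer's list of preconditions:
    with it set, an attacker-rewritten URL at an arbitrary host is refused
    before anything is fetched. Each fetched blob is accepted only if its SHA-1
    equals the digest carried in the extension; RFC 6066 has the server abort
    with a fatal bad_certificate_hash_value alert otherwise.
    """
    chain_type, entries = parse_certificate_url(ext_body)
    certs = []
    for url, expected in entries:
        host = urlparse(url).hostname
        if allowed_hosts is not None and host not in allowed_hosts:
            raise PermissionError("refusing to fetch from %s" % host)
        body = fetch(url)
        if hashlib.sha1(body).digest() != expected:
            raise ValueError("bad_certificate_hash_value: %s" % url)
        certs.append(body)
    return chain_type, certs


# Constructed sample data: stand-in bytes, not a real DER certificate.
CLIENT_CERT = b"constructed stand-in for the client's DER certificate"
CERT_URL = "http://u.example/client.der"
HONEST_U = {CERT_URL: CLIENT_CERT}
TAMPERED_U = {CERT_URL: CLIENT_CERT + b" (modified at server U)"}


def demo():
    """Run the three scenarios and report what server S does with each."""
    ext = encode_certificate_url(INDIVIDUAL_CERTS, [(CERT_URL, CLIENT_CERT)])
    results = {}
    _, certs = fetch_certificates(ext, HONEST_U.get, allowed_hosts={"u.example"})
    results["honest"] = certs == [CLIENT_CERT]
    try:  # server U serves something other than the bytes the client hashed
        fetch_certificates(ext, TAMPERED_U.get, allowed_hosts={"u.example"})
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    # Man-in-the-middle rewrites the URL to a host outside S's filter.
    mitm_ext = encode_certificate_url(INDIVIDUAL_CERTS, [("http://victim.example/x", CLIENT_CERT)])
    try:
        fetch_certificates(mitm_ext, HONEST_U.get, allowed_hosts={"u.example"})
        results["filtered"] = "fetched"
    except PermissionError:
        results["filtered"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the hash does and does not do here: a mismatch is caught before the server ever tries to use the certificate, but the URL itself is still fetched, so the host filter, not the hash, is what keeps server S from being pointed at an arbitrary server U.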
