What Is This?

Vulnarb.com is an idea I've had for a while but only recently figured out how I might do it. The problem it solves is allowing security researchers to responsibly release vulnerabilities they find, but still publicly report that a company has a vulnerable product. Vulnarb.com will let them do this by:

  • Giving researchers tools to upload SSL public key encrypted vulnerability descriptions, which only the SSL private key holders can decrypt.
  • Consumers then can go see which companies and products have vulnerabilities, but not actually know what those vulnerabilities are until the company fixes them.
  • Once the company fixes their product, they can upload the decrypted files to prove they fixed it.
  • If they don't, it's assumed they haven't fixed it.
  • If the researcher lies then they'll easily be exposed by just decrypting their lies for everyone to see.

The goal is to provide a market incentive for companies to fix security holes, rather than the current situation where they can sit on them legally for years. It's hoped that vulnarb.com will make specialized "corporation only" security mailing lists obsolete.

A secondary purpose will be to create a game for researchers or a social network or something else so that people can have fun doing this.

Today's Test

If you want to help out with this concept, then try out the following script against a site with a valid SSL key: encrypt.sh. What this script does (and look at it first) is:

  1. Download the public SSL certificate from a website
  2. Get a 96-byte random key from /dev/urandom as pass.txt
  3. Encrypt a file with the pass.txt
  4. Encrypt the pass.txt to pass.enc with the public SSL certificate
  5. Remove the pass.txt leaving only the encrypted information.

It does all of this using standard OpenSSL command line tools and nothing more.

Running encrypt.sh

You'll want to download a list of the CA root certs, and the easiest (but maybe not safest) way is to get it from curl:

    curl http://curl.haxx.se/ca/cacert.pem > cacert.pem

Once you have that, you run the script like this:

    sh encrypt.sh www.google.com mysecrets.txt

You can run it multiple times for different sites, and the results end up in results/ so go look at what you get.

Next Steps

The next step is to create a decrypt script similar to the above which should do the following:

  1. Take the secret certificate for a site.
  2. Use the secret to decrypt the pass.enc into pass.txt
  3. Use the pass.txt to then decrypt the message.

If you want to work on this, then tell me on Twitter @zedshaw and I'll take a look at what you have.
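
One way the three decrypt steps could look, paired with a matching encrypt step so the round trip can be checked. This is an added example, not code from this project: encrypt.sh is not reproduced here, so the function names, the AES-256-CBC/PBKDF2 and RSA-OAEP choices, the base64 encoding of the random key, and the self-signed test certificate are all assumptions.

```shell
#!/bin/sh
# Added example: decrypt side of the scheme, exercised against a constructed
# RSA key and self-signed certificate standing in for a site's real ones.
set -eu

# Steps 2-5 of the encrypt list. Base64 keeps the 96 random bytes on one line,
# because `-pass file:` reads only the first line (the encoding is an assumption).
encrypt_for_cert() {  # usage: encrypt_for_cert CERT.pem INFILE OUTDIR
    mkdir -p "$3"
    head -c 96 /dev/urandom | openssl base64 -A > "$3/pass.txt"
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$2" -out "$3/message.enc" \
        -pass "file:$3/pass.txt"
    # Works only when the certificate holds an RSA key; ECDSA keys cannot encrypt.
    openssl x509 -in "$1" -pubkey -noout > "$3/site.pub"
    openssl pkeyutl -encrypt -pubin -inkey "$3/site.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$3/pass.txt" -out "$3/pass.enc"
    rm -f "$3/pass.txt"   # leave only the encrypted information
}

# The three decrypt steps: private key -> pass.txt -> message.
decrypt_with_key() {  # usage: decrypt_with_key KEY.pem INDIR OUTFILE
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2/pass.enc" -out "$2/pass.txt"
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$2/message.enc" -out "$3" \
        -pass "file:$2/pass.txt"
    rm -f "$2/pass.txt"
}

# Round trip in a temp dir; prints "match" when the plaintext survives intact.
roundtrip_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null
    printf 'constructed sample report\n' > "$d/mysecrets.txt"
    encrypt_for_cert "$d/site.crt" "$d/mysecrets.txt" "$d/results"
    decrypt_with_key "$d/site.key" "$d/results" "$d/decrypted.txt"
    if cmp -s "$d/mysecrets.txt" "$d/decrypted.txt"; then echo match; else echo differ; fi
    rm -rf "$d"
}

roundtrip_demo
```

CBC mode gives confidentiality only, so a company publishing the decrypted file proves nothing about tampering unless the ciphertext is also hashed or signed at upload time.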

Status

Currently this is just a quick test that anybody can review to see if the idea would even work. The purpose of using SSL certificates as the public key crypto is so a researcher can publish a vulnerability without having to beg for PGP keys and such, or similar barriers to publishing.

Other than this, it's currently just a concept, so feel free to bring up potential issues with it.

About Vulnarb.com

Started by Zed A. Shaw on Sun Apr 3 12:27:11 EDT 2011 and Copyright (C) All Rights since then.

Best way to talk about this is on Twitter. I'm @zedshaw there.

FAQs

Q: Isn't this vulnerable to a Martian super spy that can gain root on any machine by looking at it?!

A: At this stage it's vulnerable to everything. All criticisms and comments are more than welcome. However, code works better than fantasy attacks by imaginary super ninja hackers with infinite power.