Open learningBASh opened 4 months ago
checklist in progress…
[x] I have searched open and closed issues for duplicates
ACME ANVIL BUG not found.
The ACME ANVIL BUG is a far-reaching bug and important to highlight here in my opening research of a crucial security-intensive app, Proton VPN.
Please complete the following checklist (by adding [x]):
DISCUSSION research into the Proton internal encryption
BUGREPORT ProtonVPN seems to rely on ISRG SSL. Proton support confirmed no need for ISRG SSL, yet intermittent connection outages work after enabling ISRG SSL. There is a possibility this is MITM interference from Wi-Fi or some hop along the way. Example: a Wireshark desktop PC capturing all traffic and manipulating encrypted streams to attempt to open them to the Wireshark user by presenting any trusted cross-signed certificate from the point of interception, possibly the ISRG certificate itself.

This is broadly part of the broken SSL trust model (ACME ANVIL https://upload.wikimedia.org/wikipedia/commons/f/ff/Acme_anvil.gif) bug, where it is possible to use ACME to generate any certificate which will be trusted by the ISRG - IdenTrust chain of trust.

I went into this before with Proton support, with vague statements that Proton encryption is all in-app, not relying on the system CA. However, it seems to still be affected. More research into the Proton internal encryption is needed.