Bugtraq mailing list archives

Re: AW: IE https certificate attack


From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: 06 Jan 2002 09:04:23 +0100

K.J.Mueller () EnBW com writes:

> could it be, that the text-browsers (lynx, links, w3m) don't even
> bother comparing the actual server name to the certificate's
> "issued for" entry?

Some of them don't even have a repository of Root CAs, I think.

> Neither did any of them complain when accessing a https web page
> with a self-made certificate.

So they can't check the validity of the certificate at all.

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
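
Added example (not part of the original post, and not code from any of the browsers named): a sketch of the two checks the thread says were skipped, chain validation against a trusted root and comparison of the server name to the names in the certificate. The function names and sample certificates are constructed for illustration, and the chain result is passed in as a flag on the assumption that the TLS library has already computed it.

```python
# Certificate dicts follow the shape of ssl.SSLSocket.getpeercert().
# All names and sample certificates below are constructed for illustration.

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.test".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """dNSName entries take precedence; subject CN is only a legacy fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def accept(cert, host, chain_verified):
    """Both checks are required: a self-made certificate can claim any name."""
    if not chain_verified:
        return (False, "chain does not end in a trusted root")
    if not hostname_matches(cert, host):
        return (False, "certificate was not issued for " + host)
    return (True, "ok")

SITE = {"subject": ((("commonName", "www.example.test"),),),
        "subjectAltName": (("DNS", "www.example.test"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.test"),)}
CN_ONLY = {"subject": ((("commonName", "www.example.test"),),)}

if __name__ == "__main__":
    print(accept(SITE, "www.example.test", True))
    print(accept(SITE, "www.example.test", False))   # self-made / unknown CA
    print(accept(SITE, "mail.example.test", True))   # valid chain, wrong host
```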

