Full Disclosure mailing list archives
Re: Five Ways to Screw Up SSL
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Mon, 22 May 2006 09:28:56 -0400
I was referring to the CA that signs it. It was implied that freessl.com, who gives out trial certificates, is an unreliable CA. I do not understand why their certs would be any less valid than anothers.
Not less valid, less trusted. SSL is a heirarchical "web of trust".
As long as the website listed on the cert is the website you are visiting, why should it matter who issued the cert?
Because how can I know that a certificate issued to "A" is really entity "A", unless I trust a central authority to do the homework.
Phishing attacks love this trick. If anybody could get a cert for "www.chase.com" that was valid to the browser, then anybody that could do DNS foo to the client could spoof the real Chase.
/mike. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Michal Zalewski (May 21)
- Re: Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 21)
- Re[2]: Five Ways to Screw Up SSL Thierry Zoller (May 21)
- Re: Re[2]: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Valdis . Kletnieks (May 22)
- Re: Five Ways to Screw Up SSL Brian Dessent (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Brian Eaton (May 23)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Michal Zalewski (May 21)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)