Full Disclosure mailing list archives
Re: Five Ways to Screw Up SSL
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 23 May 2006 14:14:03 -0400
On 5/23/06, Brian Eaton <eaton.lists () gmail com> wrote:
> On 5/23/06, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> > I guess you would hijack their machines with a bug that would edit the
> > local cache, refresh the cache, then report to you about the websites
> > the victim's machine had visited, and you could request an ssl cert
> > for those sites.
>
> If you can get this far, why not just trojan IE and be done with it?
>
> http://isc.sans.org/presentations/banking_malware.pdf

Agreed. If you get to this point, you might as well just install a keylogger and be done with it.

> > The only problem I see with this scenario from a freessl perspective
> > is that they require verification in the form of an email sent to
> > admin () domain com or from an email sent to the admin from the upstream
> > DNS provider. This would be a little tricky to get around as you would
> > have to munge freessl's DNS records.
>
> This implies that you trust every server that relays the e-mail.

I don't trust any server that relays email ;-)

-JP