oss-sec mailing list archives

Re: Possible CVE for TLS protocol issue


From: Reed Loden <reed () reedloden com>
Date: Mon, 19 Sep 2016 13:52:45 -0700

Seems pretty old, just FYI:

Research paper published: 2015/11/08. Additional content added: 2015/14/09.

~reed

On Mon, Sep 19, 2016 at 1:39 PM, Kurt Seifried <kseifried () redhat com> wrote:

This was pointed out to me by mjc@:

https://kcitls.org/

TL;DR: if you can trick someone to install a client certificate you can
then spoof any future web site. Certainly not what we want from the people
issuing client certificates. It sounds like this is a protocol level
vulnerability affecting closed and Open Source vendors potentially, and it
is public so posting it here.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
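As an added note for readers of this thread (not part of either message above): the attack on kcitls.org works because, with a non-ephemeral (EC)DH cipher suite, the TLS premaster secret is derived from the static key in the client certificate and the static key in the server certificate, so whoever planted the client key can compute the session keys while impersonating the server. The practical mitigation is to keep the static `ECDH_*` / `DH_*` suites disabled on clients and servers. The helper below (editor's example, assuming only that suite names follow IANA `TLS_KX_AUTH_WITH_...` or OpenSSL `KX-AUTH-...` naming) flags those suites in a configured or scanned cipher list; `SAMPLE_SUITES` is a constructed input.

```python
import re

# Key-exchange prefixes whose premaster secret comes from the *static* key in
# a certificate rather than a fresh per-connection value. Ephemeral variants
# (ECDHE, DHE) and plain RSA key transport do not match this pattern.
# Both IANA style (TLS_ECDH_ECDSA_WITH_...) and OpenSSL style (ECDH-ECDSA-...)
# spellings are accepted.
_STATIC_KX = re.compile(
    r'^(?:TLS_)?(?:ECDH|DH)[_-](?:RSA|ECDSA|DSS)(?:[_-]|$)', re.IGNORECASE
)

# Constructed sample list, as you might get from a scanner or a server config.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # ephemeral: fine
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  # static ECDH: flag
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",    # static ECDH: flag
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     # ephemeral: fine
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",         # static DH: flag
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # RSA key transport: not static DH
    "ECDH-RSA-AES128-SHA256",                  # OpenSSL spelling, static: flag
    "ECDHE-ECDSA-CHACHA20-POLY1305",           # OpenSSL spelling, ephemeral: fine
]


def is_static_dh_suite(name):
    """True if the suite uses non-ephemeral (EC)DH with certificate auth."""
    return bool(_STATIC_KX.match(name.strip()))


def audit_cipher_suites(suites):
    """Return the sorted, de-duplicated set of static (EC)DH suites found."""
    return sorted({s.strip() for s in suites if is_static_dh_suite(s)})


def hardened_suite_list(suites):
    """Return the input list with the static (EC)DH suites removed, order kept."""
    return [s.strip() for s in suites if not is_static_dh_suite(s)]


if __name__ == "__main__":
    flagged = audit_cipher_suites(SAMPLE_SUITES)
    print("static (EC)DH suites to disable:")
    for suite in flagged:
        print("  ", suite)
    print("remaining suites:", len(hardened_suite_list(SAMPLE_SUITES)))
```

Run it against the suite list your scanner or `openssl ciphers -v` reports; anything it prints under "static (EC)DH suites to disable" is a suite that lets a planted client key stand in for a server key exchange, and the remaining list is what you would keep enabled.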

