oss-sec mailing list archives
Re: Possible CVE for TLS protocol issue
From: Reed Loden <reed () reedloden com>
Date: Mon, 19 Sep 2016 13:52:45 -0700
Seems pretty old, just FYI:

Research paper published: 2015/11/08.
Additional content added: 2015/14/09.

~reed

On Mon, Sep 19, 2016 at 1:39 PM, Kurt Seifried <kseifried () redhat com> wrote:

This was pointed out to me by mjc@:

https://kcitls.org/

TL;DR: if you can trick someone into installing a client certificate you can then spoof any future web site. Certainly not what we want from the people issuing client certificates.

It sounds like this is a protocol level vulnerability affecting closed and Open Source vendors potentially, and it is public so posting it here.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com