Penetration Testing mailing list archives
RE: Can you impersonate a client side cert??
From: "L Williams" <eldub () pobox com>
Date: Mon, 28 Jan 2002 11:03:58 -0800
Darren,

This needs a certificate-usage context to be relevant. For example, SSL had some "man and the middle" attacks that were addressed in later versions of the protocol and in all versions of TLS.

Sometimes web-based applications use the DN to pass user context from the web server to the application. If a person does not clear out the trusted certificates from the web server (meaning removing any unused trusted root), you could get a cert from Verisign and I could get a cert from Thawte that have the same DN, both would be accepted during the SSL session and the application would receive the same DN as the user context.

For this to work, it requires:
- The use of the DN as a way of passing user context (which is stupid and not generally done)
- Misconfiguration of the web server

-Laudon
eldub (at) pobox (dot) com
eldub (at) securityarchitects (dot) net

-----Original Message-----
From: Darren Craig [mailto:darren.craig () celare co uk]
Sent: Monday, January 28, 2002 4:00 AM
To: pen-test () securityfocus com
Subject: Can you impersonate a client side cert??

Hi All,

I have been reading a paper which was published back in Feb 2001 by a company called Sensepost which says that there is a way to impersonate a user's client side cert by using the same common name. Does anybody have any experience of doing this or is it even possible considering that the user's public part of the cert would be installed on the web server?

Darren
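The DN collision described in the reply above, shown from the application's side as an added example that is not part of the original thread. It contrasts a user lookup keyed on subject DN alone with one keyed on issuer and subject, and shows the effect of trimming unused roots. The CA names, DNs and function names are constructed for illustration, and each client certificate is assumed to be issued directly by a root.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class VerifiedClientCert:
    """Fields the web server hands to the application after the TLS handshake."""
    subject_dn: str
    issuer_dn: str


# Constructed sample values, not taken from the thread.
ROOT_A = "CN=Example Root A,O=CA-A"   # the CA the organisation actually uses
ROOT_B = "CN=Example Root B,O=CA-B"   # an unused root left in the trust store
ALICE_DN = "CN=Alice Smith,O=Example Corp"

# Enrollment table: each user is bound to (issuer DN, subject DN).
ENROLLED = {(ROOT_A, ALICE_DN): "alice"}


def server_accepts(cert: VerifiedClientCert, trusted_roots: Set[str]) -> bool:
    """Stand-in for chain validation: any root in the trust store is good enough."""
    return cert.issuer_dn in trusted_roots


def user_by_subject_only(cert: VerifiedClientCert,
                         trusted_roots: Set[str]) -> Optional[str]:
    """Weak mapping: the subject DN alone is treated as the user context."""
    if not server_accepts(cert, trusted_roots):
        return None
    for (_issuer, subject), user in ENROLLED.items():
        if subject == cert.subject_dn:
            return user
    return None


def user_by_issuer_and_subject(cert: VerifiedClientCert,
                               trusted_roots: Set[str]) -> Optional[str]:
    """Hardened mapping: the issuer must match the one recorded at enrollment."""
    if not server_accepts(cert, trusted_roots):
        return None
    return ENROLLED.get((cert.issuer_dn, cert.subject_dn))


if __name__ == "__main__":
    genuine = VerifiedClientCert(ALICE_DN, ROOT_A)
    lookalike = VerifiedClientCert(ALICE_DN, ROOT_B)  # same DN, different CA
    both_roots = {ROOT_A, ROOT_B}
    print("subject only, both roots:", user_by_subject_only(lookalike, both_roots))
    print("issuer+subject, both roots:", user_by_issuer_and_subject(lookalike, both_roots))
    print("subject only, trimmed roots:", user_by_subject_only(lookalike, {ROOT_A}))
    print("genuine cert:", user_by_issuer_and_subject(genuine, both_roots))
```

Either control on its own closes the gap in this model: removing the unused root makes the handshake fail, and binding the issuer makes the lookup fail even when the handshake succeeds.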