Bugtraq mailing list archives

Re: AW: IE https certificate attack

From: Ben Laurie <ben () algroup co uk>
Date: Sun, 06 Jan 2002 20:25:50 +0000

K.J.Mueller () EnBW com wrote:


Hi,

could it be, that the text-browsers (lynx, links, w3m) don't even
bother comparing the actual server name to the certificate's
"issued for" entry?

I just tested these and none complained:

- lynx 2.8.5dev.2 (with OpenSSL 0.9.6a)
- links 0.96
- w3m 0.1.11-pre
(all on Mandrake Linux 8.1)

Neither did any of them complain when accessing a https web page
with a self-made certificate.


They shouldn't complain about the server name (at least, not if its
right) with a self-made cert. However, they should complain about the
cert not using a trusted CA.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Current thread:

AW: IE https certificate attack K . J . Mueller (Jan 05)
- Re: AW: IE https certificate attack Florian Weimer (Jan 07)
- Re: IE https certificate attack Helmut Springer (Jan 07)
  - Re: IE https certificate attack Jim Knoble (Jan 08)
- Re: AW: IE https certificate attack Ben Laurie (Jan 07)
- Re: AW: IE https certificate attack George Staikos (Jan 07)