Bugtraq mailing list archives
Re: AW: IE https certificate attack
From: Ben Laurie <ben () algroup co uk>
Date: Sun, 06 Jan 2002 20:25:50 +0000
K.J.Mueller () EnBW com wrote:
Hi, could it be, that the text-browsers (lynx, links, w3m) don't even bother comparing the actual server name to the certificate's "issued for" entry? I just tested these and none complained: - lynx 2.8.5dev.2 (with OpenSSL 0.9.6a) - links 0.96 - w3m 0.1.11-pre (all on Mandrake Linux 8.1) Neither did any of them complain when accessing a https web page with a self-made certificate.
They shouldn't complain about the server name (at least, not if its right) with a self-made cert. However, they should complain about the cert not using a trusted CA. Cheers, Ben. -- http://www.apache-ssl.org/ben.html
Current thread:
- AW: IE https certificate attack K . J . Mueller (Jan 05)
- Re: AW: IE https certificate attack Florian Weimer (Jan 07)
- Re: IE https certificate attack Helmut Springer (Jan 07)
- Re: IE https certificate attack Jim Knoble (Jan 08)
- Re: AW: IE https certificate attack Ben Laurie (Jan 07)
- Re: AW: IE https certificate attack George Staikos (Jan 07)