Full Disclosure mailing list archives

Re: VerySign Class 1 Authority - bogus SSL certificate?

From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 2 Jun 2004 10:26:06 +0200 (CEST)

On Wed, 2 Jun 2004, Chris van der Pennen wrote:

Hi,

Depending on your trusted-CA package for your SSL client, this
should not verify. There are various ways to confuse SSL clients.
Especially GUI based web-browsers allow to play tricks where
you cant decide whether you are prompted a correct certificate.
Some do not check the signature at all. If in doubt, if there
is any popup on a HTTPS site, theres someone playing games.
I am going to release slides from a speach regarding that topic soon.
(in german unfortunally)

Sebastian

I've been getting SSL certificates from various websites recently that are
apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
The certificate expired 6 December 2002.

The data in Issued To and Issued By are identical.

This smells very much like an SSL hijack attempt - can anyone shed some
light on the situation?

Chris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

VerySign Class 1 Authority - bogus SSL certificate? Chris van der Pennen (Jun 01)
- Re: VerySign Class 1 Authority - bogus SSL certificate? Sebastian Krahmer (Jun 02)
- RE: VerySign Class 1 Authority - bogus SSL certificate? Aditya, ALD [Aditya Lalit Deshmukh] (Jun 02)
- Re: VerySign Class 1 Authority - bogus SSL certificate? Valdis . Kletnieks (Jun 02)
  - Re: VerySign Class 1 Authority - bogus SSL certificate? Nicola Del Vacchio (Jun 02)