Full Disclosure mailing list archives
Re: VerySign Class 1 Authority - bogus SSL certificate?
From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Jun 2004 12:45:09 -0400
On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen <chris () sw gotdns org> said:
I've been getting SSL certificates from various websites recently that are apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign. The certificate expired 6 December 2002.
The data in Issued To and Issued By are identical.
This smells very much like an SSL hijack attempt - can anyone shed some light on the situation?
Or some webserver package that builds a self-signed certificate so SSL works without having to pay Verisign, and does so in a "cute" manner that users are likely to accept the cert without thinking about it. It's probably NOT a hijack attempt unless you have *OTHER* evidence of that (phishy-looking redirect javascript on the page, etc....) Given how little *real* security a signed cert creates, it's probably not worth worrying about.
Attachment:
_bin
Description:
Current thread:
- VerySign Class 1 Authority - bogus SSL certificate? Chris van der Pennen (Jun 01)
- Re: VerySign Class 1 Authority - bogus SSL certificate? Sebastian Krahmer (Jun 02)
- RE: VerySign Class 1 Authority - bogus SSL certificate? Aditya, ALD [Aditya Lalit Deshmukh] (Jun 02)
- Re: VerySign Class 1 Authority - bogus SSL certificate? Valdis . Kletnieks (Jun 02)
- Re: VerySign Class 1 Authority - bogus SSL certificate? Nicola Del Vacchio (Jun 02)