Full Disclosure mailing list archives
Re: Five Ways to Screw Up SSL
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 22 May 2006 12:02:23 -0400
On 5/22/06, Michael Holstein <michael.holstein () csuohio edu> wrote:
> I was referring to the CA that signs it. It was implied that > freessl.com, who gives out trial certificates, is an unreliable CA. I > do not understand why their certs would be any less valid than > anothers. Not less valid, less trusted. SSL is a heirarchical "web of trust". > As long as the website listed on the cert is the website you are > visiting, why should it matter who issued the cert? Because how can I know that a certificate issued to "A" is really entity "A", unless I trust a central authority to do the homework. Phishing attacks love this trick. If anybody could get a cert for "www.chase.com" that was valid to the browser, then anybody that could do DNS foo to the client could spoof the real Chase.
DNS foo to the client, how easy is that? Would you have to get the upstream DNS server to cache your bogus entry? -JP<the confused> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Michal Zalewski (May 21)
- Re: Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 21)
- Re[2]: Five Ways to Screw Up SSL Thierry Zoller (May 21)
- Re: Re[2]: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Valdis . Kletnieks (May 22)
- Re: Five Ways to Screw Up SSL Brian Dessent (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Brian Eaton (May 23)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Ginsu Rabbit (May 21)
- Re: Five Ways to Screw Up SSL Michal Zalewski (May 21)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)